peshkov - stock.adobe.com
Avast releases decryptors for multiple ransomware strains
Victims of three separate ransomware families can now recover data using tools developed by the antivirus vendor with help from a malware analyst and an alleged Babuk developer.
Avast Threat Labs has released decryptors for three ransomware families, enabling victims to recover for free.
Working off weaknesses discovered in AtomSilo, LockFile and Babuk ransomware variants, the Czech antivirus vendor developed tools to recover data without paying the ransom. AtomSilo and LockFile are newer strains, uncovered in the last few months, while Babuk has been observed in the wild since January.
Though they are not as high-profile as the BlackMatter or REvil ransomware variants, Babuk operators were responsible for an attack involving double extortion tactics against government services provider Serco Group Plc, a company with 50,000 employees in 20 countries. More notably, LockFile utilized ProxyShell, one of three vulnerabilities recently found in Microsoft Exchange.
In a blog post Wednesday, Avast's security intelligence team credited malware analyst Jiří Vinopal for publishing information and analysis on AtomSilo and LockFile, which led to the proof-of-concept decryptors. While they were successful in creating the tool, there are limitations.
"During the decryption process, the Avast AtomSilo decryptor relies on a known file format in order to verify that the file was successfully decrypted," the blog post said. "For that reason, some files may not be decrypted. This can include files with proprietary or unknown format, or with no format at all, such as text files."
Additionally, during one of the final installation steps, Avast recommends backing up encrypted files in case "anything goes wrong during the decryption process."
For the third strain, Avast used source code leaked by an alleged teenage Babuk operator in September. The public leak included some of the decryption keys.
This is the fourth decryptor revealed over the past week. On Sunday, Emsisoft published a tool to help victims of BlackMatter ransomware recover without giving into demands. Though the security vendor discovered the bug earlier this year, it privately assisted victims as not to tip off BlackMatter operators to the critical flaw.