Organizations hit by ransomware attacks typically have a difficult decision to make. Do they pay the ransom or not? If they have recent and restorable backups of the files being held hostage, then that question is typically moot. But, if they have no other way to restore the decrypted files, and the data is valuable or sensitive, they may feel little choice but to accede to the financial demands of the attacker.
However, there are clear downsides to paying the ransom. Beyond encouraging criminals to continue to deploy ransomware attacks, there’s no assurance that the files will be decrypted and restored to the owner. A recent ransomware attack mitigated and analyzed by IBM’s threat intelligence group, IBM X-Force, shows how paying the ransom isn’t necessarily the right option.
In a Thursday blog post entitled “X-Force IRIS Overcomes Broken Decryption Mechanism in Jest Ransomware,” IBM X-Force described how it assisted a customer in dealing with a strain of ransomware known as Jest. During its research into the attack, X-Force found evidence that the attacker never intended to decrypt the files and that this particular strain of ransomware may not have been designed to allow the decryption of files, even after the ransom was paid.
Contacted to help the organization recover from this Jest ransomware attack, X-Force found multiple servers belonging to the victim. All encrypted files on the servers were appended with a .jest extension. Each server also displayed a ransom note asking that a 0.3 Bitcoin payment (around $2,900) be sent to the attacker with a specific Bitcoin wallet included. Though that seems like a low sum for a ransom demand, X-Force believes that flaws in the decryption process could have led victims to resubmit payments, thus increasing the overall earnings for the attacker.
X-Force researchers discovered that the Jest ransomware contains modules that allow it to automatically propagate throughout a network. After encrypting the initial files to be held hostage, Jest launches a module designed to extract user credentials. This information is then passed on to other systems on connected subnets.
Following the full encryption process, the ransom note is created and displays as wallpaper on the infected computer. A link on the wallpaper image to view Decryption Notes displays a text file with instructions on how to pay the ransom in Bitcoin. A graphical interface screen also appears with a timer that serves as a type of countdown for payment.
If no payment is received within a certain timeframe, a message pops up indicating that the status is Unpaid and that the victim should try again by paying. If payment is verified, a different message appears indicating that the status is Paid. The message says that the files are being decoded, but prompts the user to try again by paying.
Digging deeper into the code behind the attack, X-Force discovered multiple flaws. The encryption code written in Visual Basic is copied directly from an online resource. Certain errors in this code can actually result in the targeted files not being encrypted, but simply renamed with the .jest file extension.
As for the decryption process, the researchers found decryption code in the ransomware, but uncovered no path that would trigger its execution. This means that the “Payment Successful” path laid out in the code wouldn’t actually lead to any decryption. At this point, X-Force researchers said they became concerned that the attacker never intended to decrypt files or that the Jest ransomware wasn’t even designed to decrypt files. Therefore, paying the ransom would have been for naught.
In the end, the X-Force team was able to reverse engineer the malware to decrypt the files, while IBM’s IRIS Incident Response team was preparing file restores from the servers. As a result, the customer was spared from having to pay any ransom.
“Whether this threat actor was careless, inexperienced, or intended for this to be a destructive attack that would not allow for recovery, our team was able to overcome all of the actor’s failures to decrypt the data safely,” X-Force said in its blog post. “This incident demonstrates how a ransom payment may not guarantee the recovery of encrypted data. Exploring multiple options for resolving a ransomware attack should be implemented as a standard practice.”
How can organizations better protect themselves against ransomware attacks before they occur?
“Protecting against ransomware starts with the fundamentals–basic patching and email monitoring for spearphishing,” Nick Rossmann, Intel Research and Operations lead for IBM X-Force IRIS, said. “Deploying a managed endpoint solution is also one of the most effective steps an organization can take to protect against ransomware.”
What should an organization do if hit by a ransomware attack, especially if it lacks recoverable backups of the files being held hostage?
“If an organization is victimized by an attack, they should call an incident response team with experience in global ransomware attacks to determine the origin, stop the potential spread, and identify what could possibly be reversed,” Rossmann said. “Law enforcement generally does not recommend paying the ransomware. Companies may consider paying if the data is not recoverable, there is a risk to human life, or a substantial risk to business value–though paying does not guarantee decryption.”