Paid Ransom for Your Ransomware Attack? Do Not Run their Decryption Tool Blindly

Why?

Here is a piece of free advice from Fabian Wosar (@fwosar), CTO of Emsisoft.

Click the link to see the whole thread. Or read along here.

Here is free advice for all the ransomware threat actors out there: Do not obfuscate your decryption tools. Contrary to what you think, victims who paid the ransom will not blindly run the tool they got from you.

Most victims will hand the tool they got from you to their DFIR contractor or a company like us to ensure the utility is safe to use and free of backdoors. We even provide that particular service for free to victims.

Only after the decryptor has been cleared can it be used by the victim to recover their data. So even though most obfuscators are trivial to reverse, the usage of any obfuscation raises red flags and delays the vetting process.

The only reasons you may want to hide your code behind obfuscation are either you are ashamed of how bad your code is (which most of you should be, honestly), or you think it would compromise your ransomware's security.

However, the security of proper cryptography does not depend on its implementation being kept secret. Instead, it solely depends on the keys involved being kept secret.

You like to see your victims as your "clients" or your "customers". Unfortunately, obfuscating the decryptor tool is nothing short of bad "customer service". So just drop it.

Originally tweeted by Fabian Wosar (@fwosar) on August 4, 2021.
