No More Ransom saves the day

The story of Marion, a computer user in Germany whose files were encrypted by ransomware — and how she got them back without paying ransom.

One day in May 2016, Marion, a computer user in Germany, logged on to her home computer. She had no idea what lay in store for her.

The first sign of trouble was when her computer did not boot up normally, and she couldn’t get to the desktop. Even after a restart, nothing changed. Then she saw the ransomware message on her screen. She didn’t know how she’d been infected. She hadn’t spotted anything suspicious the last time she, or any other member of her family, had used the computer.

But there it was.

The rise of ransomware

Ransomware has been a growing problem for the past few years, and it shows no sign of slowing down. We all know that it’s important to make backups on a regular basis, not to open suspicious e-mails, to use the best security software, and so on. But still, anything can happen, and then you suddenly find yourself with inaccessible data on your PC, network shares, and attached hard drives.

You can’t make your PC 100% safe unless you disconnect it from any network, remove the CD drive, USB connections, and more. This is rarely practical in today’s connected world. So it’s time to get involved in risk management: to find your own personal balance of convenience, safety, and privacy.

And, if you should become a victim of a ransomware attack, you need to know that your decision isn’t a simple binary — to pay or not to pay. You have more options than that.

It may be harder to get your data back than it once was. Attackers are fixing the “bugs” that used to allow companies such as Kaspersky Lab and its partners to develop generic tools to decrypt files hit by various ransomware threats. Today, ever more variants of increasingly sophisticated ransomware exist, and recovery often requires private keys from the criminals.

Getting your data back

As her day got gradually worse, Marion turned off her computer and asked the IT department at work for help. They were able to capture all of the relevant data: the ransomware message, the related files on disk, and even some pictures and PDFs before and after encryption. They tried all available tools to decrypt the files, but none worked.

At that point, the full impact of what had happened to her PC hit Marion. Her hard drive contained an archive with more than a decade’s worth of family pictures on it: years of special occasions, sorted into folders and organized by date. All but a few years’ worth were completely inaccessible.

Marion did not have an external backup, but she was sure of one thing: She was not going to pay any money to the criminals.

Marion contacted people she’d shared her pictures with and asked them to send the files back to her. In this way she got some of them back. But the majority remained lost.

With the help of her employer’s IT department, she looked online but couldn’t find a solution. She then turned to her friends. Finally, as a last resort, she put a post on Facebook asking for help and even offered a €500 reward to anyone who could help her to get her files back without paying the criminals!

Translation: Though I received many hints from various helping hands, my files remain encrypted. Looks like I got hit by a new variant. But I won’t give up the hope and raise the bounty to 500 euros for anyone who can help to decrypt my files.

About 20 people replied to her post and tried to help. However, none of them succeeded.

Time for No More Ransom

That’s when I got involved. A former schoolmate of mine spotted Marion’s post and, knowing that my job is on the GReAT team at Kaspersky Lab, added me to the conversation.

I got in touch with Marion, and she provided all the relevant information so I could check for tools to decrypt her files. But I couldn’t find any for the particular variant that had hit her.

With Marion’s information in hand, I asked our ransomware specialists for help. They quickly confirmed that the malware was a new variant of CryptXXX V3 and that the specific tools to help her decrypt her files were not yet available. I relayed the bad news to Marion but advised her not to pay the ransom — as attackers create new ransomware, we are working with law enforcement and other partners to develop decryption tools or to extract the private keys stored by criminals on their command-and-control servers.

We do this through the No More Ransom project. In the summer of 2016, Europol, Kaspersky Lab, and Intel launched the portal to help ransomware victims recover their files, and to help disrupt the lucrative business model that keeps cybercriminals coming back for more. The project now has more than 40 partners.

On the 20th of December, we added another decryptor for CryptXXX V3 to the No More Ransom page. We offer it free of charge, like all of the ransomware tools you’ll find there.

I still had Marion’s case in my mind, so I contacted her on Facebook and pointed her to the new tool. A few days later she got back to me saying she had been able to recover all the encrypted files! (Naturally, I wouldn’t take the reward.)

Lessons learned

I asked Marion what she had learned from this incident.

Besides doing regular backups of her data to different external hard drives, she’s now even more careful while surfing the Web and always makes sure she has the latest patches installed. And she also stopped letting anyone else use her PC.

This takes the story back to the need for us all to be our own risk managers. Ultimately, it’s up to you to look after your PC, network, privacy, and personal assets. But if things go wrong, remember that your options aren’t just to pay or not to pay. No More Ransom should be the first place to check — you could get your files back without having to pay anyone a cent. Even if the solution for you doesn’t exist yet, give it some time and don’t pay the crooks.

Marion is just one of many beneficiaries of the No More Ransom project, which has so far released seven free decryption tools. Five thousand users have unlocked their files, and saved more than $1.5 million in ransom, with its help.