For C-suite executives and security leaders, learning that their organisation has been infiltrated by network attackers, that critical systems have been locked down and data compromised, and then receiving a ransom demand, could be the worst day of their professional life.
But, as some executives whose organisation was recently hit by the Hazard ransomware discovered, things can get far worse. The decryptor that was provided in exchange for paying the ransom to unlock the encrypted files did not function.
Security researchers did not talk to the victim organization in this case – its executives declined to be interviewed about their experience – hence the specifics remain unknown.
Still, researchers believe that deciding that paying the criminals was the best way out of the scenario - whether over concerns about customer and employee data privacy, to bring business operations back online, to minimise reputational damage, or simply because there were no backups (oops) - was a painful decision in and of itself. But what if you pay the extortionists and still cannot recover the files? That's excruciating.
"Ransomware as a whole is extremely stressful for the victim," stated Mark Lance, ransomware negotiator with GuidePoint Security. "Now in this circumstance, specifically, where they've made the payment and the decryption tools don't work," the stress levels ratcheted up several notches.
"In this, and in a lot of situations like this one, they're relying heavily on those decryption capabilities working on certain systems so that they can recover operations," Lance added. "So the stress substantially increases because they're like, 'Hey, we made this large ransom payment amount with established terms that said if we paid we're going to get access.'"
After the initial failure to decrypt their files, the compromised organisation obtained a new version of the decryptor from the hackers; this one did not work either. Following a call from a third party involved in the ransomware negotiations, GuidePoint attempted to contact the perpetrators' "technical support" desk and, on the victim's behalf, was told that yet another version of the decryptor was required.
Whatever the reason, the organisation was still unable to access the encrypted files, and the Hazard ransomware gang vanished. Eventually, GuidePoint was able to patch the decryptor binary and then brute-force 16,777,216 potential values until the critical bytes missing from the cryptographic process were found, resulting in a functional tool for decrypting the files. It's a good reminder, though, that paying a ransom does not ensure data recovery.
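The figure 16,777,216 is 2^24, the number of values three unknown bytes can take. The example below is an added, constructed illustration of the recovery step described above and is not GuidePoint's tool, nor does it reflect the Hazard ransomware's actual cipher: it uses a toy SHA-256 keystream, a hypothetical 16-byte key whose trailing bytes are unknown, and a known file header (`%PDF-`) as the check that tells a correct candidate from a wrong one. It searches two missing bytes (65,536 candidates) so that it finishes in well under a second; the `missing` parameter can be set to 3 to cover the 2^24 space the article mentions.

```python
import hashlib

# --- Constructed sample data (not from the incident) -------------------------
MAGIC = b"%PDF-"  # known plaintext: the header a file of this type must start with
PLAINTEXT = MAGIC + b"1.7\n% constructed sample document body\n"
# Hypothetical 16-byte key; its last MISSING bytes play the "missing" role.
FULL_KEY = b"constructedkey" + b"\xf1\x9c"
MISSING = 2  # 2 bytes -> 65,536 candidates; 3 bytes -> 16,777,216 (2^24)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustrative only; it stands in
    for whatever cipher a real decryptor implements."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Ciphertext as the victim would hold it on disk (constructed here).
CIPHERTEXT = xor_crypt(FULL_KEY, PLAINTEXT)


def recover_missing_key_bytes(partial_key: bytes, ciphertext: bytes,
                              known_header: bytes, missing: int = MISSING):
    """Try every value for the `missing` trailing key bytes and return the
    first full key whose decryption of the file's first bytes equals
    `known_header`. Only the header is decrypted per candidate, so each trial
    costs one hash; with a 5-byte header the chance that a wrong 2- or 3-byte
    candidate passes by accident is about 2^16/2^40 or 2^24/2^40, i.e. negligible.
    Returns None if no candidate matches (wrong assumption about the key layout)."""
    n = len(known_header)
    head = ciphertext[:n]
    for candidate in range(256 ** missing):
        key = partial_key + candidate.to_bytes(missing, "big")
        if xor_crypt(key, head) == known_header:
            return key
    return None


def demo() -> bool:
    """Recover the key from the truncated copy and confirm the whole file decrypts."""
    partial = FULL_KEY[:-MISSING]
    key = recover_missing_key_bytes(partial, CIPHERTEXT, MAGIC)
    return key == FULL_KEY and xor_crypt(key, CIPHERTEXT) == PLAINTEXT


if __name__ == "__main__":
    print("recovered full key and decrypted sample:", demo())
```

The expensive part of a real recovery is what comes before this loop: analysing the patched decryptor to learn which bytes are missing and where they sit in the key or key-derivation material. Once that is known, the search itself is cheap, and a known-plaintext check such as a file signature is what lets a defender stop at the right candidate without needing anything further from the attackers.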