Security vendors ready ransomware decryption tools to help hospitals under cyberattack

Kaspersky, Trend Micro, Symantec, Cisco and Emsisoft have tools that can decrypt health data after cybercriminals encrypt it. The hitch? The technology won’t work on all ransomware strains.
By Jessica Davis
07:08 AM

As ransomware’s assault on the healthcare industry continues to get worse and attackers put patient records up for sale on the dark web, security vendors are fighting back with software tools that can enable victims to unlock their data without paying the ransom.

Security companies including Kaspersky Labs, Symantec, McAfee, Trend Micro, Cisco Systems and Emsisoft are scouring ransomware strains for mistakes. When they uncover an error, analysts create decryptors that enable organizations to recover their files – but not every ransomware strain can be decrypted.

For the decryptor approach to be successful, in fact, there must be a weakness in the ransomware strain, according to Fabian Wosar, chief technology officer for anti-malware vendor Emsisoft.


“The only way we can write decryptors is if the author has made a mistake,” Wosar said.

In instances like Stampado, which was aggressively sold on the dark web for $39 in Bitcoin, the analysts cracked the code quickly, Wosar added, noting that one of the biggest mistakes these cybercriminals make in constructing ransomware is in the cryptographic code itself.

Even a pseudo-random number generator that is hard to predict must be seeded properly, he said; if it is not, the keys it produces cover only a small fraction of the possible key space, and a decryptor only has to search that fraction.

“It’s surprisingly hard to generate random keys: There’s no randomness with computers,” Wosar said. “Accidental reduction of key space is a very common mistake in ransomware these days because they don’t understand how random key generating works.”
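The key-space reduction Wosar describes, as an added example that is not code from the article or from any of the vendors it names. The "ransomware" below draws a 256-bit key from a PRNG seeded with the clock in seconds, so there are only about 2^32 possible keys instead of 2^256; because a victim knows roughly when a file was encrypted (its modification time), the decryptor only needs to search a window of a few thousand seeds. The stream cipher, the file header and the timestamps are all constructed for the example; a properly generated key from the OS CSPRNG is shown beside it to demonstrate that the same search then finds nothing.

```python
"""Constructed demo: a clock-seeded key generator whose key space collapses,
and the decryptor that recovers the key by searching the reduced space."""
import hashlib
import random
import secrets
from typing import Optional

# Constructed plaintext header; a decryptor needs some way to recognise a correct key.
MAGIC = b"PATIENT_RECORD"


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256(key || counter) XOR data). Encrypt == decrypt.
    Not a real cipher; it exists only to keep the example self-contained."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def weak_keygen(seed_seconds: int) -> bytes:
    """The mistake: a 256-bit key drawn from a PRNG seeded with the current time in
    seconds. Only ~2**32 distinct seeds exist, so only ~2**32 keys can ever be produced."""
    rng = random.Random(seed_seconds)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_keygen() -> bytes:
    """The fix: key material from the OS CSPRNG, so the whole 256-bit space is reachable."""
    return secrets.token_bytes(32)


def recover_weak_key(ciphertext: bytes, approx_time: int, window: int = 3600) -> Optional[int]:
    """Decryptor: try every seed within +/- window seconds of the file's modification time
    and stop when decrypting the first block yields the known header."""
    for seed in range(approx_time - window, approx_time + window + 1):
        candidate = weak_keygen(seed)
        if keystream_encrypt(candidate, ciphertext[:len(MAGIC)]) == MAGIC:
            return seed
    return None


def demo(encrypt_time: int = 1_480_000_000) -> dict:
    """Encrypt a constructed record with both key generators and run the same search."""
    plaintext = MAGIC + b" mrn=example-0001 note=constructed sample data"

    # Victim file encrypted with the clock-seeded key; mtime is known only to the hour.
    ct = keystream_encrypt(weak_keygen(encrypt_time), plaintext)
    seed = recover_weak_key(ct, approx_time=encrypt_time + 1234, window=3600)
    recovered = keystream_encrypt(weak_keygen(seed), ct) if seed is not None else None

    # Same file encrypted with a CSPRNG key: the seed search has nothing to find.
    strong_ct = keystream_encrypt(strong_keygen(), plaintext)
    strong_seed = recover_weak_key(strong_ct, approx_time=encrypt_time + 1234, window=3600)

    return {
        "weak_key_recovered": recovered == plaintext,
        "seed": seed,
        "strong_key_recovered": strong_seed is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The search costs one PRNG instantiation and one hash per candidate seed, so even a window of days is trivial; widening the seed to a full 32-bit clock value only raises the cost to a few billion hashes, which is still a decryptor, not a key. Only an unpredictable seed of the same size as the key (or simply a CSPRNG-generated key) removes the shortcut.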

Some cybercriminals have gotten it right. The largest threats – Locky, CryptoLocker and Petya – use their encryption algorithms correctly and currently cannot be cracked. Wosar explained that because the cryptography in these strains is sound, a decryptor alone would not help: analysts would still need the attackers’ keys, which to date only law enforcement has been able to obtain.

Cameron Camp, a researcher at IT security specialist ESET, echoed the sentiment that breaking excellent encryption widely used in ransomware is never a simple task.

“Experts have spent years making a digital equivalent of an ‘unbreakable crypto lock,’ and it's freely and widely available so people can use it to keep their information safe,” Camp said.

That also means any decryptor has a very tough task: Camp likened it to the job of picking an almost unbreakable lock.

While decryptors are effective, the tools rely on many pieces being in place before victims can get their encrypted files back, Camp explained. Once analysts have broken a strain, they share the findings with the community so that victims can determine whether the recovered master key works on their files. But there’s no guarantee.

“Ransomware is just a large puzzle,” Wosar said. “The more intelligent people are working on these puzzles, the more likely they can find a solution for ransomware victims.”

Decryption tools, in the end, are more akin to a Band-aid for ransomware than an information security silver bullet. But hospitals under attack would be wise to quickly identify the strain used against them and determine whether a decryptor exists for it before considering any other option.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com