Bottom line: Victims of ransomware attacks are typically advised not to pay the ransom demanded by cybercriminals. Paying offers no guarantee that the attackers will uphold their end of the deal, such as supplying a decryptor that actually restores the encrypted files.
GuidePoint Security recently acted as a “negotiator” between an unnamed company and the group behind the Hazard ransomware. The malware infected the victim’s systems, encrypting “important” files and demanding payment to unlock them. The company reportedly felt compelled to pay, but the “decryptor” provided by the Hazard creators didn’t work as expected.
Unreliable decryptors are not the norm, GuidePoint explained, but malware can behave unpredictably. After negotiating with the cybercriminals, the researchers were tasked with investigating why the newly acquired decryption tool was unable to restore the encrypted files.
The root cause was a bug in the encryption payload used by the Hazard ransomware. "A race-condition occurred when the threat actor executed multiple encryptors on the same system," GuidePoint determined. Because more than one encryptor instance processed the same files concurrently, each file was encrypted a second time before being renamed with the ransomware's extension, and the chunk of metadata the malware appends to each encrypted file ended up short by a few bytes.
That appended data is what the decryptor needs to recover the encryption initialization vector (IV), and its last three bytes were missing. Since the IV was pseudo-randomly generated by the encryption payload, the missing bytes could not simply be re-derived, and recovering them initially seemed impossible.
The ransomware creators were likely unaware of this bug in their malware. After identifying why the decryptor wasn’t functioning, GuidePoint attempted to escalate the issue with the Hazard “technical support” team. However, the threat actors merely provided the same decrypting tool under a different name before disappearing.
As the encrypted files were valuable, GuidePoint was tasked with developing a working solution. The researchers succeeded with a brute-force approach: three missing bytes leave only 2^24, roughly 16.8 million, possible values, so every candidate IV could be tested in turn until the files decrypted correctly, ultimately recovering the clean data.
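To make that search concrete, here is an added example that is not part of GuidePoint's write-up or of the Hazard malware. It models a file encrypted with AES-256 in CTR mode (an assumed cipher and mode chosen for illustration; the article does not say what Hazard uses), drops the last three bytes of the IV the way the truncated footer did, and recovers them by trying every candidate against a known plaintext prefix, here the PNG file signature. The key, IV and file body are constructed test values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Number of IV bytes lost from the footer in the scenario being modelled.
const missingIVBytes = 3

// Constructed test data: a fixed key, a fixed IV, and a "file" that begins with
// the PNG signature, which serves as the known plaintext for recognising a hit.
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	sampleIV  = []byte{0xd3, 0x41, 0x7f, 0x08, 0xaa, 0x5c, 0x19, 0xe6,
		0x2b, 0x90, 0x0e, 0xc7, 0x63, 0x4a, 0x2f, 0x9c}
	pngMagic        = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}
	samplePlaintext = append(append([]byte{}, pngMagic...),
		[]byte("...constructed image body, not a real PNG...")...)
)

// encryptCTR applies AES-CTR; because CTR is a stream cipher, calling it again
// with the same key and IV decrypts.
func encryptCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block")
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// truncateIV models the damaged footer: the trailing missingIVBytes are gone.
func truncateIV(iv []byte) []byte {
	return iv[:len(iv)-missingIVBytes]
}

// recoverIV brute-forces the missing trailing IV bytes. Only the first CTR
// keystream block, E_k(candidate), is needed to check the known prefix, so each
// guess costs a single AES block encryption rather than a full decryption.
func recoverIV(key, partialIV, ciphertext, knownPrefix []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	missing := aes.BlockSize - len(partialIV)
	if missing < 1 || missing > 3 {
		return nil, fmt.Errorf("%d missing bytes: this search handles 1 to 3", missing)
	}
	// 2^(8*missing) candidates checked against n known bytes give about
	// 2^(8*missing-8n) false positives; demand more known bytes than missing ones.
	if len(knownPrefix) <= missing || len(knownPrefix) > aes.BlockSize ||
		len(ciphertext) < len(knownPrefix) {
		return nil, errors.New("known prefix must exceed the gap, fit in one block, and be covered by the ciphertext")
	}
	candidate := make([]byte, aes.BlockSize)
	copy(candidate, partialIV)
	keystream := make([]byte, aes.BlockSize)
	total := 1 << (8 * missing)
	for n := 0; n < total; n++ {
		for i := 0; i < missing; i++ { // fill the gap big-endian from the counter n
			candidate[len(partialIV)+i] = byte(n >> (8 * (missing - 1 - i)))
		}
		block.Encrypt(keystream, candidate)
		match := true
		for i, p := range knownPrefix {
			if keystream[i]^ciphertext[i] != p {
				match = false
				break
			}
		}
		if match {
			return append([]byte(nil), candidate...), nil
		}
	}
	return nil, errors.New("no candidate IV reproduces the known header: wrong key, mode, or prefix")
}

func main() {
	ciphertext, err := encryptCTR(sampleKey, sampleIV, samplePlaintext)
	if err != nil {
		panic(err)
	}
	damaged := truncateIV(sampleIV) // what a truncated footer hands the decryptor
	recovered, err := recoverIV(sampleKey, damaged, ciphertext, pngMagic)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	plaintext, _ := encryptCTR(sampleKey, recovered, ciphertext)
	fmt.Printf("recovered IV tail: %x, file restored: %v\n",
		recovered[len(damaged):], bytes.Equal(plaintext, samplePlaintext))
}
```

In CTR mode every keystream byte depends on the whole counter block, so each candidate costs one AES block encryption, about 16.8 million in the worst case, which finishes in seconds on commodity hardware. The known-prefix check is what turns a guess into a verified answer: with three unknown bytes and an n-byte prefix, expect about 2^(24-8n) false positives, so an 8-byte file signature is comfortably safe while a 2-byte one is not. Running the program prints the recovered IV tail and whether the decrypted bytes match the original file.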
Costs associated with ransomware incidents are on the rise, and even "zombie" operations like LockBit 3.0 continue to claim victims. After dealing with a faulty decryption tool, GuidePoint emphasized that ransom payments should never be made. Sound backup practices remain crucial, and even retaining copies of the encrypted files can pay off in unusual situations like the Hazard incident, where the data ultimately proved recoverable.