Ransomware attacks are nothing new, but two recent hits have received a lot of attention, and in both cases, the decryptor was too slow to do any good. Essentially, victims often resort to backups or find a different solution, even after paying a ransom for the decryptor key.
A new report from BleepingComputer goes into detail about the entire situation, explaining that the highly publicized Colonial Pipeline hack resulted in a $4.4 million ransom payment for a decryptor. Unfortunately, the Darkside decryptor was so slow that the company restored everything from backups instead of using the key, even though it paid up.
In another situation, HSE, the healthcare system of Ireland, was hit by a Conti attack yet refused to pay a ransom. The Conti ransomware group eventually released the decryptor key for free, likely after realizing they hit a government agency. Similar to the Colonial situation, this key was too slow. In the end, HSE worked with a New Zealand cybersecurity firm named Emsisoft, whose decryptor is twice as fast.
Now, we’re not saying these companies should or shouldn’t pay. That’s a tough thing to discuss when it’s a hospital or, ya know, a pipeline as large as Colonial’s that the entire country relies on. That said, it looks like even when they do pay, the hackers’ own recovery tool is barely worth it.
During BleepingComputer’s testing, using a custom decryptor tool like one from Emsisoft helped restore a hacked system up to 41% faster than the tool provided by any specific ransomware group. That might not sound like a lot, but when you’re decrypting thousands of devices and terabytes of data, this could make the process days, or even weeks, faster.
When it comes to restoring something like the Colonial Pipeline or a healthcare system, time is money, or more importantly, time can save lives.
Emsisoft charges for their restoration services, too, but at least that’s not enabling or incentivizing ransomware groups to keep doing this.