2016 was certainly a tumultuous year in many aspects – political, environmental, cultural – and even the Internet wasn’t spared its effects. Ransomware, malicious programs created to encrypt files and demand money from users for the ability to use them again, was on the rise and started attacking companies as well as home computers. Many fell victim to it and sent payments to cybercriminals, sometimes in the realm of hundreds of thousands of dollars. New ransomware was constantly released – more than 200 new variants were found during 2016 – but work was also being done to combat those threats. And, luckily, there are now new, powerful decryption tools for three ransomware programs that were considered especially dangerous – HiddenTear, Jigsaw and Stampado (also known as Philadelphia).
These were developed and released by Avast, who explain that they want to stay on top of the situation and offer users a fighting chance against the ever-changing encryption keys of these threats. They also point out that their tools work much faster and, in some cases, can decrypt files in a few minutes instead of days, especially when the decryption process is run on the infected computer.
A few words need to be said about the threats themselves. HiddenTear was first discovered in August 2015 and was one of the first open-source ransomware projects. Cybercriminals use this code very often, as it is not difficult to implement and brings concrete results. The AES algorithm is used to encrypt files and, once everything is finished, one of the following extensions is appended to them (note that this is not even a complete list) – .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, or .doomed. The ransom note, named READ_IT.txt, MSG_FROM_SITULA.txt, or DECRYPT_YOUR_FILES.HTML, is then placed on the Desktop. Keep in mind that some of the threats that use HiddenTear as their foundation may also lock you out of the computer and show you a fake message from a Windows support team.
Jigsaw first appeared in March 2016 and takes its name from the character known as the Jigsaw Killer. Some variants of this ransomware use his picture to drive the point home. The extensions of affected files could be changed to one of the following – .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, or .hush. Jigsaw has one trait that makes it especially dangerous – it deletes one file every hour until the payment is made, so you need to be especially quick in removing it.
Last, but not least – Stampado. It was released in August 2016 and is far from abandoned – new versions are arriving to this day. It is written with the AutoIt scripting tool, and it either adds the “.locked” extension to affected files or encrypts the entire file name, so the name becomes, for example, 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.
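Because the right decrypter depends on which family hit the machine, the first step in a recovery is to work out the family from what is left on disk: the extensions and ransom-note names listed above. The following triage script is an added example written for this page, not Avast's code or any tool the article mentions. It takes a directory listing, matches each path against the indicators quoted in the text for HiddenTear, Jigsaw and Stampado, and reports which families are candidates. Two assumptions are labelled in the code: the ".locked" extension is shared by HiddenTear and Stampado, so such files are reported as ambiguous, and a Stampado-style "encrypted whole name" is recognised heuristically as a long hexadecimal string followed by ".locked". The sample listing is constructed for the example.

```python
"""Triage a file listing for HiddenTear, Jigsaw and Stampado indicators.

Added example for this article; not Avast's code. The extension and note-name
lists come from the article text and are explicitly incomplete.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators quoted in the article, normalised to lower case because Windows
# file systems are case-insensitive.
HIDDENTEAR_EXTS = {
    ".locked", ".34xxx", ".bloccato", ".bugsecccc", ".hollycrypt", ".lock",
    ".saeid", ".unlockit", ".razy", ".mecpt", ".monstro", ".lok", ".암호화됨",
    ".8lock8", ".fucked", ".flyper", ".kratos", ".krypted", ".cazzo", ".doomed",
}
HIDDENTEAR_NOTES = {"read_it.txt", "msg_from_situla.txt", "decrypt_your_files.html"}
JIGSAW_EXTS = {
    ".kkk", ".btc", ".gws", ".j", ".encrypted", ".porno", ".payransom",
    ".pornoransom", ".epic", ".xyz", ".versiegelt", ".payb", ".pays", ".payms",
    ".paymds", ".paymts", ".paymst", ".payrms", ".payrmts", ".paymrts",
    ".paybtcs", ".fun", ".hush",
}
# ASSUMPTION: Stampado's "encrypted whole name" is detected as a run of at least
# 16 hex digits followed by .locked. The article gives one such name as an example;
# the exact length is not documented there, so this is a heuristic.
STAMPADO_HEX_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locked$")

# Constructed sample listing (paths are made up for this example).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Desktop\READ_IT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.fun",
    r"C:\Users\alice\Documents\85451F3CCCE348256B549378804965CD8564065FC3F8.locked",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\thesis.pdf.암호화됨",
]


def classify(path: str) -> dict:
    """Classify one path as a ransom note, an encrypted file, or clean.

    Returns {"path", "kind", "families"}; families lists every candidate
    family, so a ".locked" file yields both HiddenTear and Stampado.
    """
    name = PureWindowsPath(path).name
    lower = name.lower()
    if lower in HIDDENTEAR_NOTES:
        return {"path": path, "kind": "note", "families": ["HiddenTear"]}
    if STAMPADO_HEX_NAME.match(name):
        # Whole-name encryption is specific to Stampado in the article.
        return {"path": path, "kind": "encrypted", "families": ["Stampado"]}
    # Last dot-suffix; rsplit keeps ".locked" even when the stem is empty.
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    families = []
    if ext in HIDDENTEAR_EXTS:
        families.append("HiddenTear")
    if ext in JIGSAW_EXTS:
        families.append("Jigsaw")
    if ext == ".locked":
        # ASSUMPTION: plain ".locked" is shared by HiddenTear and Stampado.
        families.append("Stampado")
    kind = "encrypted" if families else "clean"
    return {"path": path, "kind": kind, "families": families}


def triage(paths) -> dict:
    """Summarise a listing: encrypted counts per candidate family, notes found,
    how many files matched more than one family, and whether Jigsaw (which the
    article says deletes a file every hour) is suspected."""
    per_family = Counter()
    notes = []
    ambiguous = 0
    for p in paths:
        result = classify(p)
        if result["kind"] == "note":
            notes.append(result["path"])
        elif result["kind"] == "encrypted":
            if len(result["families"]) > 1:
                ambiguous += 1
            for family in result["families"]:
                per_family[family] += 1
    return {
        "encrypted_by_family": dict(per_family),
        "notes": notes,
        "ambiguous": ambiguous,
        "jigsaw_suspected": per_family["Jigsaw"] > 0,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for family, count in sorted(summary["encrypted_by_family"].items()):
        print(f"{family}: {count} encrypted file(s)")
    print("ransom notes:", summary["notes"])
    if summary["jigsaw_suspected"]:
        print("Jigsaw suspected: isolate the machine promptly; it deletes files hourly.")
```

The "jigsaw_suspected" flag exists because of the hourly-deletion behaviour described above: when it is set, containment comes before anything else. Ambiguous ".locked" files should be checked against the ransom note present on the Desktop before choosing between the HiddenTear and Stampado decrypters.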
Full list of Avast ransomware decrypters
As you can see, these are not threats to be taken lightly, and Avast should definitely be commended for their efforts. What’s more, they have been successful in developing decryption tools for even more ransomware programs, for example Bart, Alcatraz Locker, Globe, and BadBlock. The entire list can be found at https://www.avast.com/ransomware-decryption-tools, and you should always remember to stay away from spam emails. File-sharing services can carry ransomware as well, so be extremely careful when using them, and make sure to avoid malicious links and advertisements.