Kaspersky releases decryption tool for Polyglot ransomware

Ransomware is a particularly nasty kind of malware which has hit the headlines over the past year after targeting victims including businesses, hospitals, and universities. What makes the malware strain particularly devastating — for organizations and the general public alike — is its ability to take away access to files and content stored on a compromised machine.

Once ransomware such as MarsJoke, Cerber, or CTB-Locker is downloaded and executed — often finding its way onto a PC through phishing emails or malicious links — the ransomware encrypts files and in some cases, full hard drives.

Once the victim can no longer access their machine, a holding page informs them that they must pay a “fee” in return for a decryption key which will release their content back to them.

Polyglot infects PCs through spam emails which have malicious RAR archives attached. When infecting a machine, this family of ransomware blocks access to files and then replaces the victim’s desktop wallpaper with the ransom demand, which is made in virtual currency Bitcoin.

Many types of ransomware will simply sit on the machine for the payment to be made. However, Polyglot insists on a payment deadline and if the blackmail fails and no money is sent to the operators, the malware will delete itself — leaving behind a machine with encrypted files and no way to retrieve them.

Until now, at least. Kaspersky’s tool will decrypt these machines and unlock user data.

According to the security firm, although Polyglot looks similar to the severe CTB-Locker ransomware, the malware uses a weak encryption key generator. On a standard home PC, it takes less than a minute to brute-force the full set of possible Polyglot decryption keys — which gives you an idea of actually how weak the malware is.

Source | zdnet