What company recovers ransomware?

Ransomware attacks have become an increasing threat to businesses and individuals in recent years. Ransomware is a form of malicious software that encrypts files on a device or network, preventing access until a ransom is paid. Recovering from a ransomware attack often requires specialized assistance.

How does ransomware work?

Ransomware is usually delivered through phishing emails containing malicious attachments or links. Once activated, it encrypts files and displays a ransom note demanding payment, often in cryptocurrency like Bitcoin. Newer strains are even able to encrypt backups and connected devices.

Some key things to know about ransomware attacks:

  • Encryption uses complex algorithms that make decryption difficult without the right key
  • Payment does not guarantee files will be recovered – around 20% are not decrypted even after ransom is paid
  • Attackers often have remote access to the infected system
  • Damage can be extensive with encryption happening within minutes

Should you pay the ransom?

Paying the ransom is controversial. On one hand, it may allow you to regain access to your files. On the other, there are serious downsides:

  • No guarantee files will be recovered
  • Paying encourages more attacks
  • May be illegal if funds go towards criminal enterprises
  • Does not prevent another attack

Many security experts advise against paying the ransom for these reasons. The FBI, Europol, and other agencies also discourage payment.

Recovering without paying the ransom

There are techniques that may allow you to regain access to encrypted files without paying the ransom:

  • Restore from backups – If unaffected backups are available, systems can be restored to remove the infection.
  • Decryption tools – For some ransomware strains, decryption tools have been developed and released either by security researchers or law enforcement.
  • Attack the encryption – In some cases, flaws in the encryption algorithms may allow recovery of files. This requires cybersecurity expertise.

Unfortunately, these options don’t work in every case. Newer ransomware often deletes backups and uses strong, tested encryption algorithms without known flaws.

Should you hire a ransomware recovery company?

With limited options, many victims turn to professional ransomware recovery firms for assistance. These companies offer various services, such as:

  • Monitoring and negotiation – Experts communicate with attackers to potentially negotiate the ransom down or buy time to explore other recovery options.
  • Forensic investigation – Analysis of how the ransomware works, how it got in, and where backups that may still contain unaffected data are stored.
  • Data recovery – Direct techniques to restore data from encrypted files or backups.
  • Vulnerability assessment – Evaluation of security practices to prevent future attacks.

The advantage of hiring a ransomware recovery firm is that they have dedicated expertise in responding to these types of incidents. The downside is the often high cost involved.

How much does ransomware recovery cost?

Costs for professional ransomware recovery can vary widely depending on the scope of services. Some typical costs may include:

  • Initial evaluation – $5,000-$10,000
  • Forensic investigation and analysis – $5,000-$20,000+
  • Data recovery efforts – $10,000-$50,000+
  • Vulnerability assessment and remediation guidance – $15,000-$30,000

Complex cases involving large networks or specialized systems may run even higher. Travel, logistics, third-party fees, and legal services may also add to costs. Less extensive services like negotiation support tend to fall on the lower end.

Top ransomware recovery companies

Some of the top professional firms specializing in ransomware recovery include:

Coveware

Coveware is one of the most well-known ransomware recovery firms. They pioneered the “No Win, No Fee” model, only charging if files are successfully recovered. Services include:

  • 24/7 incident response
  • Threat actor negotiations
  • Diagnostic and forensic analysis
  • Custom data decryption solutions
  • Vulnerability corrections

Secureworks

Secureworks leverages counterthreat intelligence and cybersecurity expertise honed protecting large enterprises and governments. Services include:

  • Asset and network analysis
  • Identification of internal and external vulnerabilities
  • Custom decryption tools
  • Strengthening of security posture

FireEye

FireEye offers a comprehensive ransomware recovery solution called Helix. Features include:

  • Malware analysis and reverse engineering
  • Decryption key acquisition
  • Digital forensics
  • Incident response planning

Bitdefender

Bitdefender boasts leading anti-ransomware technologies that underpin its recovery capabilities:

  • Identifies ransomware early to limit damage
  • Cloud analytics uncover decryption opportunities
  • Reduces downtime using restoration tools
  • Hardens security to prevent reinfection

Preparing for potential ransomware attacks

While recovery services may retrieve data post-infection, it’s better to prevent ransomware in the first place. Some best practices include:

  • Back up data regularly and keep copies offline or offsite
  • Install and update quality antivirus and anti-ransomware software
  • Enable spam filters and be wary of phishing attempts
  • Patch and update software, especially OS, browsers and reader apps
  • Use least privilege and limit access rights
  • Train employees on ransomware risks and response

Should companies negotiate with ransomware attackers?

Whether to negotiate with attackers is a complex decision with risks either way. Possible benefits of negotiation include:

  • Buy time to explore recovery options
  • Obtain decryption keys if payment is made
  • Gather intelligence on the attack
  • Limit damage from data leakage

However, risks include:

  • No guarantee of file recovery
  • May increase future extortion attempts
  • Payments could fund criminal activity
  • Perpetrators gain insights into victim’s capabilities

Each situation is unique. Working with professional negotiators can help make informed decisions balancing these tradeoffs.

Should ransom payments be made with insurance coverage?

Some organizations have cyber insurance policies that cover ransom payments. Potential benefits include:

  • Ability to pay quickly to recover data
  • Deductible may be less than ransom amount
  • Insurer may negotiate or make payment on victim’s behalf

However, policies differ on ransom coverage with restrictions, caps, and exclusions. Drawbacks may include:

  • Payment still not guaranteed to work
  • Premium increases likely after claim
  • Cyber insurance costs are rising overall

Like direct ransom payments, insurance coverage should be weighed carefully against alternatives like data recovery.

Can ransomware hackers be traced? How?

Tracing ransomware attackers is challenging but possible in some cases using forensic analysis techniques like:

  • Attribution analysis – Comparing code, infrastructure, and other attack details against known threat actors.
  • Email header tracing – Tracking email routing to identify sender location.
  • BTC addresses – Analyzing ransom wallet addresses on the blockchain ledger.
  • Decryptors – Reverse engineering decryption tools can uncover clues.

Law enforcement may also employ legal methods like wiretaps and warrants to trace attackers. However, skilled hackers often cover their tracks using anonymizing tools.

Can you recover files without the decryption key?

With most ransomware, the specific decryption key is needed to recover encrypted files. However, in some cases files can be recovered without it by:

  • Brute forcing – Trying different passwords to crack weak encryption.
  • Exploiting flaws – Finding vulnerabilities in old or poorly implemented ransomware.
  • Backdoors – Keys potentially left in by attackers for debugging purposes.
  • Master keys – Universal keys recovered by researchers or law enforcement.

The viability of these methods depends on the type of ransomware and encryption used. Modern ransomware is often too advanced to crack without the right decryption key.

Should companies report ransomware attacks to law enforcement?

Reporting ransomware attacks to law enforcement like the FBI allows them to potentially:

  • Investigate and prosecute attackers
  • Disrupt cyber criminal operations
  • Obtain intelligence on ransomware strains
  • Recover extorted funds
  • Assist victims with data recovery

However, some downsides exist:

  • Investigations are complex, costly, and lengthy
  • Law enforcement has limited resources
  • May involve scrutiny of company’s security practices
  • Risk of additional data exposure

Companies should weigh benefits against drawbacks for their situation. At minimum, reporting provides data to support broader anti-ransomware efforts.

What are common steps in a ransomware investigation?

Professional ransomware investigations often involve stages like:

  1. Initial response – Secure systems, assess damage, develop incident timeline.
  2. Forensic imaging – Safely copy relevant systems and data for analysis.
  3. Threat analysis – Reverse engineer malware mechanics and origin.
  4. Data recovery testing – Attempt decryption through various methods.
  5. Trace payments – Follow ransom transactions on blockchain.
  6. Vulnerability review – Identify security gaps exploited by attackers.
  7. Remediation guidance – Recommend safeguards against future attacks.

The specific approach depends on the objectives, scale, and complexities involved.

What ransomware variants are most common today?

Some of the major ransomware strains active worldwide as of late 2022 include:

LockBit

Prolific ransomware-as-a-service (RaaS) operation extorting major enterprises worldwide. Known for double extortion tactics.

Conti

Another leading RaaS program. Infamous for targeting healthcare sector. Disrupted but still active after source code leak.

Quantum

Advanced phishing-distributed ransomware that is gaining ground, targeting Windows environments.

Black Basta

Newer ransomware exploiting remote management tools and other access vectors.

AvosLocker

RaaS variant adept at moving laterally across networks after initial infection.

MedusaLocker

Prolific ransomware specifically targeting healthcare providers.

These strains tend to evolve rapidly, using new techniques to evade defenses. Staying up-to-date on threats is key.

How can companies prevent ransomware in the future?

Some top prevention strategies recommended for organizations include:

  • Staff security training and simulated phishing tests
  • Multi-factor authentication for all users
  • Regular offline backups tested for integrity
  • Endpoint and network threat detection
  • Email security with filtering for malicious links/attachments
  • Vulnerability and patch management
  • Privileged access controls and segmentation
  • Incident response playbooks and exercises

Defense-in-depth combining human and technological safeguards provides optimal protection.
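The endpoint detection item above is the one that catches an attack in progress, before the "encryption within minutes" described earlier is complete. As an added example (not code from the original article or from any vendor named on it), the heuristic below runs over constructed file-event lines and flags a process that renames many files to a new extension in a short window or drops a ransom-note-like file; the event format, thresholds, and sample paths are all assumptions made for this example.

```python
"""Ransomware burst detector over constructed endpoint file-event lines (added example)."""
import os
import re
from collections import defaultdict

# Constructed sample telemetry for this example, not real product output.
# Format (assumed): "<epoch> <pid> <op> <path>[ -> <newpath>]"
SAMPLE_EVENTS = [
    "1700000000 880 WRITE /srv/share/hr/offer.docx.tmp",               # benign save
    "1700000001 880 RENAME /srv/share/hr/offer.docx.tmp -> /srv/share/hr/offer.docx",
    "1700000010 4120 RENAME /srv/share/finance/budget.xlsx -> /srv/share/finance/budget.xlsx.locked",
    "1700000011 4120 RENAME /srv/share/finance/q3.pptx -> /srv/share/finance/q3.pptx.locked",
    "1700000012 4120 RENAME /srv/share/finance/invoices.pdf -> /srv/share/finance/invoices.pdf.locked",
    "1700000013 4120 RENAME /srv/share/hr/offer.docx -> /srv/share/hr/offer.docx.locked",
    "1700000014 4120 RENAME /srv/share/hr/payroll.csv -> /srv/share/hr/payroll.csv.locked",
    "1700000015 4120 WRITE /srv/share/finance/README_TO_DECRYPT.txt",  # ransom note drop
]

LINE_RE = re.compile(r"^(\d+) (\d+) (WRITE|RENAME) (.+)$")
# Filenames typical of ransom notes (hypothetical pattern for this example).
NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore).*\.(txt|html?)$", re.I)

def parse(line):
    """Return (ts, pid, op, src, dst_or_None) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, op, rest = m.groups()
    src, _, dst = rest.partition(" -> ")
    return int(ts), int(pid), op, src, dst or None

def detect(lines, window=60, rename_threshold=5):
    """Map pid -> list of reasons for processes showing ransomware-like behaviour."""
    renames = defaultdict(list)    # pid -> recent timestamps of extension-changing renames
    findings = defaultdict(list)
    for ts, pid, op, src, dst in filter(None, map(parse, lines)):
        if op == "RENAME" and dst and os.path.splitext(src)[1] != os.path.splitext(dst)[1]:
            # Keep only renames inside the sliding window, then check the burst size.
            renames[pid] = [t for t in renames[pid] if ts - t <= window] + [ts]
            if len(renames[pid]) >= rename_threshold and "mass-rename" not in findings[pid]:
                findings[pid].append("mass-rename")
        elif op == "WRITE" and NOTE_RE.search(os.path.basename(src)):
            if "ransom-note" not in findings[pid]:
                findings[pid].append("ransom-note")
    return dict(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # {4120: ['mass-rename', 'ransom-note']}
```

A real deployment would feed this from an EDR or file-server audit stream and pair the alert with an automatic response such as isolating the host or suspending the process.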

How do cyber insurance policies cover ransomware?

Standard cyber insurance policies may cover some costs related to ransomware, while specialty ransomware policies offer enhanced coverage. Potential covered costs can include:

  • Crisis management expenses
  • Business interruption losses
  • Data restoration costs
  • Hardware replacement
  • Reputation harm and PR services
  • Extortion payments (sometimes)

However, coverage limits, deductibles, and exclusions apply. Policies need to be assessed closely regarding ransomware protections.

Conclusion

Recovering from a ransomware attack often poses major challenges for affected organizations. While paying the ransom is an option, many turn to professional incident response firms for assistance recovering data and hardening security against future threats. Careful planning and preparation are still the best defense against the ransomware epidemic facing businesses today.