In July 2016 the Dutch National Police, Europol, Kaspersky Lab and Intel Security launched the No More Ransom project and website. A primary purpose is to help victims of ransomware recover encrypted files without having to pay the criminals.
In October, the alliance expanded with the addition of law enforcement agencies from 13 additional countries. At that time Europol told SecurityWeek that public and private interest in the project had been greater than anticipated, and expansion had subsequently been ascribed to two separate phases. This was Phase 1: LEAs. Phase 2, already in progress, would see the arrival of private industry.
Yesterday, in Phase 2, Europol announced further expansion with the inclusion of four new ‘Associated’ partners: Bitdefender, Check Point, Emsisoft and Trend Micro. Associated partners comprise those partners able to provide additional decryption keys or tools, sign a legal agreement and become fully involved with the project. These new partners have brought with them 32 additional decryption tools to bolster the previous 8 tools.
Organizations unable, for whatever reason, to sign a legal agreement but who still wish to support the project can do so as ‘Supporting’ partners. Yesterday, more than 20 new Supporting partners were also announced, including Anubis Networks, Cylance, ESET, G-Data, Heimdal Security, S21Sec, Smartfense and others. Law enforcement involvement also increased with Austrian, Croatian, Danish, Finnish, Maltese, Romanian, Singaporean and Slovenian police joining — making a total of 22 countries’ LEA involvement.
Ransomware has been the scourge of 2016. Victim losses to ransoms totaled $24 million in 2015. This year predictions put the total amount closer to $1 billion. This puts the 6000 people and $2 million saved so far by No More Ransom into perspective — which does not belittle the benefit to those 6000 people.
Recent surveys from both IBM X-Force and Sophos show that most end users and consumers still have little understanding of the threat. The IBM report noted, “The results show a lack of [consumer] awareness about ransomware, which may be resulting in little or no action taken to protect devices and data.” Furthermore, there seems little understanding of what to do if infected. “Friends and family members consistently rank among the top two go-to sources.”
These figures are corroborated by a separate survey, detailed in a blog post yesterday, by Sophos. “The survey confirmed,” it says, “that out of all the people who took part over half give IT advice to family and friends. Yet, 14% of these people admitted to feeling unsure about whether they had properly backed up the data on someone else’s computer or if they have the ability to recover that data if it was hacked, 18% didn’t know either way and 11% are not even sure that the computers they look after are protected from hackers and viruses.”
There can be little doubt that having a professional source to turn to will help consumers. It’s not so clear what benefit will accrue to enterprises. Enterprises already have professional IT expertise in-house; but are currently still forced to pay up. The IBM survey reports, “Almost one in two executives (46 percent) has some experience with ransomware attacks in the workplace, and 70 percent of that 46 percent have paid to get data back.”
Nevertheless, the existence of the No More Ransom website is considered a valuable addition in the fight against extortion. “I think there’s something to be said for having collected decryptors from several sources in one place,” security researcher David Harley told SecurityWeek. “And, of course, it’s a good thing that 6,000 people who might otherwise not have found help were able to do so — and I welcome anything the site can do to lessen the impact of extortionists and cybercriminals.”
But he added, “I suspect that individuals are benefiting more than organizations, since a company of any size is more likely to have access to other reliable sources of help and information. But I don’t know: that’s the sort of information that the site could usefully share,” he suggests.
Harley would also like to see an expansion of the data the site already provides. “It does seem to me that the addition of tools and information from sources lower down the partner hierarchy (or not represented there at all) could add greatly to its usefulness. I’d certainly like to see more comprehensive information made available or linked from there as well as decryptors. After all, there are a lot of cases that current decryption tools can’t fix.”
Unsurprisingly, Kaspersky Lab (one of the project’s original founders) has greater confidence. “Nearly a quarter of ransomware attacks affected businesses this year,” principal security researcher David Emm told SecurityWeek; “this included all sectors, including education, telecoms, entertainment and healthcare. So No More Ransom (which has so far helped 6,000 people to save around $2 million) is of help to businesses as well as consumers.”