Law enforcement agencies from 13 additional countries have signed up to the NoMoreRansom project since it started in July 2016. The project, launched as a collaborative initiative by the Dutch National Police, Europol, Kaspersky Lab and Intel Security, is designed to provide practical help for victims of ransomware.
The NoMoreRansom website provides access to several decryption tools. The first were for CoinVault and Shade. Since its launch, the WildfireDecryptor has been added and two decryption tools have been updated: RannohDecryptor (updated with a decryptor for the ransomware MarsJoke aka Polyglot) and RakhniDecryptor (updated with Chimera). After the first two months, 2500 ransomware victims have been able to decrypt and recover files without having to pay a ransom — costing the criminals an estimated $1+ million in failed ransoms.
At its launch, Europol told SecurityWeek, “It is an open, non-commercial project. We do expect other IT security companies and other law enforcement agencies to join in the future. The more forces join to fight ransomware, the better.”
Yesterday’s new announcement justifies this statement, at least for law enforcement agencies. The thirteen new members of the project come from Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom. “Additional law enforcement agencies and private sector organizations are expected to join the program in the coming months,” announced Europol.
As yet there are no new endpoint security vendors. Their involvement will be critical to the long-term success of the project. While law enforcement agencies can do just that — enforce the law — much of their technical knowledge comes from private sector companies working with them in the background.
SecurityWeek approached a number of such vendors, but found little detailed knowledge of the project. Europol told us that this is partly an effect of the success of the project. “The project has grown more and faster than initially foreseen, which is great,” said a spokesperson. “It was born with an initial direction but soon we realized that there was room for even greater public-private cooperation. Therefore we decided to divide the enlargement of the project into two phases, first the law enforcement partners and then the private sector.”
So rather than immediately throw the project open to all interested parties, Europol is expanding NoMoreRansom in a controlled manner. First, said its spokesperson, “We have contacted all our law enforcement partners. So far 13 have joined and discussions with others are ongoing.”
Now phase two is starting — recruiting additional endpoint vendors to the project. “We have now created two levels of partnership.” The first is ‘Associated’, comprising those vendors that contribute decryption keys or tools, sign a legal agreement, and become fully involved. “Not all those who approached us are able to do this,” notes Europol. The second level is ‘Supporting’, comprising those private sector companies “that promote the portal, translate the website, or contribute in any other way. They only need to sign a consent form.”
Europol claims that this process has already commenced. “We have sent out invitations to all our partners but it’s not possible for us to proactively reach every IT security company in the world.” Since it is ‘an open, non-commercial project’, that sounds like an unwritten invitation for interested private sector companies who do not receive a direct invitation to proactively approach Europol themselves.
Europol is currently assessing the approaches it has already received. It promises to make a new announcement when this is complete. At that time it will be interesting to see how many new vendors have joined the project. For now, the NoMoreRansom project is a promising but nascent initiative. 2500 victims and $1 million saved, while vital to those victims, is a drop in the ocean of the ransomware threat. Massive private sector support could make this a far more valuable exercise.