NuRR is a product that claims to intercept and capture the encryption keys at the start of a ransomware’s encryption process. With the keys caught, any successful encryption can be rapidly decrypted without paying a ransom.
These claims were tested at MISI’s DreamPort facility in Columbia, MD. MISI is a non-profit organization purposed with driving discovery, education, collaboration, and innovation in cybersecurity. The DreamPort facility was created in partnership with US Cyber Command (USCYBERCOM) but is neither owned nor operated by the government. One of the key pillars of MISI’s operation is to provide independent validation of product claims for government.
NuRR (Nubeva Ransomware Reversal) was developed by San Jose, California-based Nubeva. The technology involves a small agent operating in the background on each endpoint. It is automatically activated by the first signs of anomalous or mass encryption. It listens to the process and captures and extracts the encryption keys. These keys can be used to decrypt any files successfully encrypted by the ransomware.
It is worth noting that NuRR is not a ransomware prevention system. Companies still require ransomware prevention; but NuRR can be considered a fail-safe solution for when prevention fails.
The claims were tested at DreamPort over a four week period. Popular ransomware variants were detonated on Windows endpoints with NuRR installed (99% of ransomware is performed on a Windows OS). Nubeva had no relationship or connection with MISI during this process.
The primary purpose of the testing was to analyze NuRR’s ability to capture ransomware cryptographic keys, and to test whether Nubeva’s decryptors could then restore the encrypted data. The ransomware variants used in this testing included Lockbit 3, Blackcat/ALPHV, CL0P, PLAY, Black Basta, Ragnar Locker, Conti, REvil, and others amounting to a high percentage of real attacks over the last year.
The results of the testing were made available in July 2023 (summary). NuRR succeeded in all 17 of MISI’s tests, with zero failures. It demonstrated 100% success in capturing keys. MISI also noted that the product is simple and secure: it is “trivial to implement and use for a junior engineer,” and “did not introduce observed system instabilities during test. NURR does not open network ports or introduce vulnerabilities into an endpoint as measured by Nmap and BitDefender Total Security.”
The MISI report concludes, “MISI is excited about this product and believes it shows real promise. Decryption is arguably one of the fastest and lowest data-loss means to recover data from a ransomware attack and, as such, represents a new potential layer of defense. Given these testing results and the simplicity of the NuRR decryption solution, we feel NuRR represents a very real potential safety-net for organizations to consider.”
“We knew obtaining third-party validation was crucial to prove the viability of our technology for the broader audience. With this validation, we have proof to support our claims,” Steve Perkins, CMO and head of product at Nubeva told SecurityWeek. “We can help organizations. We can help people. We can decrypt ransomware.”