LockerGoga Victims Get Free Decryptor; Police Recovered KeysRansomware-Wielding Gang Accused of Amassing 1,800 Victims, Including Norsk Hydro
Victims of LockerGoga and MegaCortex ransomware can reclaim their files for free, say Swiss police, courtesy of private encryption keys recovered from a suspected member of a ransomware-wielding gang.
"Numerous" keys were recovered after analyzing data seized as part of an investigation into a now-defunct gang that allegedly used LockerGoga, MegaCortex and Dharma ransomware to infect victims and extort them into paying a ransom in return for a decryption key for their maliciously encrypted data.
The perpetrators are accused of ransomware attacks on over 1,800 people and institutions in 71 countries, Swiss authorities say. Damage caused by the group, including ransoms paid by victims, is estimated to have exceeded $100 million, they say.
One of the largest organizations to be hit with LockerGoga is Norwegian aluminum giant Norsk Hydro, which was attacked in March 2019. The company, which didn't pay a ransom, estimated eight months later that the cost of the attack and required recovery operations could reach $71 million.
As part of a crackdown on the gang's operations, 12 individuals were arrested in Switzerland and Ukraine in October 2021. European authorities say the gang appeared to make use of various ransomware-as-a-service offerings - not just LockerGoga and MegaCortex but also GandCrab and its successor REvil, aka Sodinokibi.
"Their attacks affected many victims throughout the world in both the public and private sectors, including companies, municipalities, hospitals, law enforcement, emergency services, schools, colleges and universities," the EU Agency for Criminal Justice Cooperation, known as Eurojust, reported. "They also targeted the health sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims."
Private keys seized by Swiss cybercrime investigators from one suspect were shared with Romanian security firm Bitdefender, which on Friday released a decryptor enabling LockerGoga victims to unlock their files for free. "We have a step-by-step tutorial on how to operate the decryptor in both single-computer and network modes," Bitdefender says.
The decryptor can also be downloaded via the No More Ransom portal.
Bitdefender says it will soon release a free decryptor for MegaCortex victims.
International Police Operation
Authorities say that the suspected cybercrime group member was identified thanks to a global operation - coordinated by Eurojust and the EU's law enforcement agency, Europol - which included the participation of law enforcement agencies from France, the Netherlands, Norway, Romania, Switzerland, Ukraine and the U.S.
The Swiss-based suspect was arrested in the canton of Basel-Landschaft in October 2021, with the participation of French police. Authorities accuse him of data theft and money laundering. The suspect, who has not been named, remains in custody in Zurich, where the public prosecutor is continuing criminal proceedings against him.
"Victims who are affected by attacks with the malicious programs mentioned are urgently requested to file a criminal complaint in their respective home country if they have not already done so," Swiss authorities say.
What's not clear is if the free decryptors will work for every LockerGoga and MegaCortex victim. Many gangs procure ransomware from a third-party developer, who will sell it to many different criminals. Reached for comment, the Zurich prosecutor's office declined to share further details, citing its ongoing investigation. An FBI flash alert in 2019 suggested that many attacks involving LockerGoga and MegaCortex were the work of a single gang but did not state if that gang was suspected of being the exclusive user of those two strains of ransomware.
The release of the free decryptor is a reminder that ransomware victims may still have the opportunity to recover forcibly encrypted information that they weren't able to restore from backups, even if they don't pay a ransom.
Paying a ransom remains a business decision - except in cases where ransomware-wielding groups or individuals have been sanctioned by the U.S. Department of the Treasury.
Free decryptors tend to get released long after a strain of ransomware has been used in attacks, oftentimes after police arrest a suspect and recover private keys. This may have been how police obtained the keys needed to release a free decryptor for REvil victims earlier this year.
In other cases, security experts identify flaws in a strain of ransomware that can be used to crack encryption and build a free decryptor to exploit the flaw. Ransomware developers typically react quickly to such moves, updating their crypto-locking malware so they don't see a decline in profits.
Not all flaws and vulnerabilities become public knowledge, which is one reason why security experts urge all ransomware victims to liaise with a reputable incident response firms as part of their recovery operations.
In some cases, experts have obtained keys or identified workarounds that will enable a victim to decrypt their files without having to pay a ransom but have opted to not make that information public so as to not alert attackers. Instead, they'll keep their findings closely guarded, sharing them only with experts or law enforcement, as has happened with strains of such ransomware as GandCrab, DarkSide and BlackMatter (see: Memo to Ransomware Victims: Seeking Help May Save You Money).
Developers will typically discover such flaws either because a security firm eventually publicizes them or because profits are abnormally low and they eventually identify a vulnerability that's likely been exploited. But until they do, victims can have another tool in their attack-recovery arsenal.