Published on April 13th, 2016 📆 | 7127 Views ⚑0
Coder makes a tool for identifying which ransomware has infected you
Developer makes a free online tool for victims to identify with which ransomware they are infected
Ransomware is the latest buzzword in cyber security circles. After a ransomware infection made a Los Angeles hospital pay $17,000, it has been noted that hospitals are particularly vulnerable to ransomware attack.
With hundreds of ransomware doing rounds, it is important to identify which ransomware has infected you. This helps because security researchers have been able to decrypt some top ransomware infected files.
Now a code, Michael Gillespie has created ID Ransomware, a free online tool for victims to identify with which particular ransomware they’ve been hit. Gillespie’s tool detects and identifies 52 different ransomware types based on the ransom note displayed and/or on a file that has been encrypted. The victims must simply upload the files to the site and wait for the answer.
If it recognizes the ransomware, and the ransomware is decryptable, the user will be directed towards a decryption tool:
If there is no known way of decrypting the data at that time, he or she will be will be advised to backup the encrypted files in the hope that a decryption method will be discovered/created in the future, and pointed to a forum support thread for the malware in question.
List of identified ransomware
The list of ransomware that the tool currently identifies is as follows: 7ev3n, Booyah, Brazilian Ransomware, BuyUnlockCode, Cerber, CoinVault, Coverton, Crypt0L0cker, CryptoFortress, CryptoHasYou, CryptoJoker, CryptoTorLocker, CryptoWall 2.0, CryptoWall 3.0, CryptoWall 4.0, CrySiS, CTB-Locker, DMA Locker, ECLR Ransomware, EnCiPhErEd, Hi Buddy!, HOW TO DECRYPT FILES, HydraCrypt, Jigsaw, JobCrypter, KeRanger, LeChiffre, Locky, Lortok, Magic, Maktub Locker, MireWare, NanoLocker, Nemucod, OMG! Ransomcrypt, PadCrypt, PClock, PowerWare, Radamant, Rokku, Samas, Sanction, Shade, SuperCrypt, Surprise, TeslaCrypt 0.x, TeslaCrypt 2.x, TeslaCrypt 3.0, TeslaCrypt 4.0, UmbreCrypt, Unknown, VaultCrypt.
Gillispie has also created a password generator for unlocking the files stashed in a password-protected archive by the CryptoHost ransomware. Meanwhile another coder has put up a password generator tool for the dreaded Petya ransomware.
The developer who goes by the Twitter handle @leostone has devised a tool that generates the password Petya requires to decrypt the master boot file. To use the password generator, victims must remove the startup drive from the infected computer and connect it to a separate Windows computer that’s not infected. The victim then extracts data from the hard drive, specifically
(1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and
(2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21).
By inputting the data into this Web app created by @leostone, the victim can retrieve the password Petya used to decrypt the crucial file.
With these tools you will be able to fight the ransomware menace effectively.