Stung By File-Encrypting Malware, Researchers Fight Back
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
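The property the summary describes, that DPAPI-protected material stays recoverable on the same machine by the same account, can be seen directly with the Windows API itself. This is an added illustration, not code from Emsisoft's decrypter or from the malware; it uses the .NET ProtectedData wrapper over DPAPI and a constructed sample secret in place of any real key material.

```powershell
# Added example: DPAPI round-trip under the current user.
# ProtectedData is the .NET wrapper over CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed stand-in for key material; no real key is involved.
$secret = [System.Text.Encoding]::UTF8.GetBytes("constructed sample key material")

# "Protect" wraps the bytes with a key derived from the logged-on user's
# credentials (the DPAPI master key kept under the user's profile).
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
Write-Host ("Protected blob length: {0} bytes" -f $blob.Length)

# Any process running as this user on this machine can unwrap it again.
# That is the point: DPAPI guards data against other users and offline
# theft, not against code (or the victim) running in the same account.
$recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
$sameUserCanRecover = [System.Text.Encoding]::UTF8.GetString($recovered) -eq
                      [System.Text.Encoding]::UTF8.GetString($secret)
Write-Host ("Same user recovers the secret: {0}" -f $sameUserCanRecover)

# For contrast, a blob altered in transit is rejected: the integrity check
# inside DPAPI fails and Unprotect throws CryptographicException.
$tampered = [byte[]]$blob.Clone()
$tampered[$tampered.Length - 1] = $tampered[$tampered.Length - 1] -bxor 0xFF
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($tampered, $null, $scope)
    Write-Host "Tampered blob unexpectedly accepted"
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Host "Tampered blob rejected, as expected"
}
```

Run as an ordinary user on Windows; a key wrapped this way by malware running in the victim's session is, by the same mechanism, unwrappable by a recovery tool running in that session.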
Of course Symantec did that... (Score:5, Interesting)
Symansuck (Score:1, Interesting)
Combine that with shit software and the worst customer support in the business and the only conclusion is that Symantec can't die fast enough. Die Symantec, Die.
Re:Which only serves to further (Score:5, Interesting)
The more relevant question to ask is "Why DID Symantec do this?" A more interesting question would be "Why did Symantec break the law?" They didn't do that, but the answer to all three is the same.
"because it helps them make money".
In this particular case, the fear of ransomware helps Symantec sell their product. So a researcher doing something to combat ransomware hurts Symantec's business. So they do what they can do, to protect their profits. In this case, it's even legal for them to do it. So it's a no-brainer.
You simply have to expect this sort of behavior from any big business. There's no point in being confused or shocked by it.
A month from now they will be able to make a new press release, "Two months ago security researchers dealt a blow to ransomware, protecting users and devaluating our product. Today, we're pleased to announce the ransomware developers have made the necessary fixes to their code outlined in our recent publication, and once again, Symantec is your only defense against ransomware!"
Paging file? (Score:4, Interesting)
Okay, stupid question time...
If someone took a disk image during the time when the virus was in the process of encrypting files, would it be possible to find the key in the paging file?
Re:Which only serves to further (Score:3, Interesting)
How about the question "why should they not do this?" The ransomware makers know that there's a recovery tool, so it's a short period of time before they figure out what their flaw is. There's no gain to be benefited by keeping the details secret. Do we want the situation where some security professionals know what the flaw is, the malware authors know what the flaw is, but the general public is kept in the dark?
Security through obscurity does not work. Similarly, keeping security protection details limited to a select few is also a bad idea.