A joint operation by Europol, the Dutch National High Tech Crime Unit, Intel Security, and Kaspersky Lab has seized the command and control servers for the Shade ransomware strain and published a free decryption tool that lets anyone hit by the malware recover their files without paying.
Shade has been in circulation since 2014, and has predominantly targeted European computer users. Once delivered via a malicious email attachment or an exploit kit served to an unpatched browser, the malware encrypts the files on the computer with a 256-bit AES (Advanced Encryption Standard) key, and uses a second key to encrypt the file names themselves, so victims cannot even tell which file is which.
The command and control servers were identified and seized by police, and Intel Security and Kaspersky Lab used the key material recovered from those servers to build a decryption tool that lets infected users take back control of their data. Many thousands of computers are thought to be infected by the ransomware.
"We, the Dutch police, cannot fight against cybercrime, and ransomware in particular, alone. This is a joint responsibility of the police, the justice department, Europol, and ICT companies, and requires a joint effort," said Wilbert Paulissen, director of the national criminal investigation division of the National Police of the Netherlands.
"This is why I am very happy about the police's collaboration with Intel Security and Kaspersky Lab. Together we will do everything in our power to disturb criminals' money-making schemes and return files to their rightful owners without the latter having to pay loads of money."
The announcement was made to kick off a new initiative between police and tech firms to fight the growing scourge of ransomware. Dubbed No More Ransom, the initiative aims to target the command and control infrastructure behind ransomware infections and to limit criminals' ability to extort money via malware.
"For a few years now, ransomware has become a dominant concern for EU law enforcement. It is a problem affecting citizens and business alike, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim's data," said Wil van Gemert, deputy director of Europol's operations department.
"Initiatives like the No More Ransom project show that linking expertise and joining forces is the way to go in the successful fight against cybercrime. We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware."
The initiative is asking those infected by ransomware to contact the police before paying any funds to the attackers. Investigators will then work with victims to try to recover their files and to track down the infrastructure behind the infection before shutting it down.
"The biggest problem with crypto-ransomware today is that when users have precious data locked down, they readily pay criminals to get it back," said Jornt van der Wiel, security researcher at Kaspersky Lab.
"That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result. We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road."
The group is now looking for other tech companies to get involved. Microsoft would be a logical choice, given Redmond's campaign against botnets, which has had some success. ®