
Ransomware decryption framework now available

McAfee has released a decryption framework to boost the production of decryption tools to help victims of ransomware attacks.

Victims of ransomware attacks typically have few options if they have failed to make backups of the encrypted data and are being held to ransom.

Victims can either pay up or lose their data, but the No More Ransom cross-industry initiative is aimed at providing a third option by providing free decryption tools.

No More Ransom started in July 2016 as a joint initiative by the Dutch National Police, Europol, Kaspersky and McAfee – then known as Intel Security.

Since then, the number of partners working together on No More Ransom has risen to 119, including 37 law enforcement agencies, which means command and control centres for ransomware can be taken down within 24 hours.

No More Ransom currently offers 52 decryption tools that work on 84 ransomware families, but now McAfee has released a framework to enable others to grow the number of decryption tools. Announced and named by audience vote at the MPOWER Cybersecurity Summit in Las Vegas, the McAfee Ransomware Recover (Mr2) framework is free to use for the security community.

“Developing these tools invariably involves significant effort to identify the decryption keys, but also create a tool that can be tested, hosted and then made freely available to help victims of ransomware,” said Raj Samani, chief scientist at McAfee.

“If you are an individual researcher, and you have access to these keys, you will have to spend a lot of time developing a tool that enables people to decrypt their computers, so with the help of [McAfee senior director of future innovation] Lynda Grindstaff and her team, we have created a free ransomware decryption framework,” he said.

The framework will allow for the rapid incorporation of decryption keys and custom decryption logic when they become available, said Samani, and get help to victims of ransomware a lot quicker. “It enables anyone in industry to create more tools to ensure a safer society.”

Announcing the availability of the Mr2 framework, Samani said if security researchers have identified decryption keys and custom decryption logic for a ransomware variant, the framework will enable the rapid development of a decryption tool using those keys and logic.

“Over the course of the next few weeks, we will produce more guidance on the tool, including webcasts by the development team. Also, we will remain committed to working with our public and private sector partners to get our hands on as many decryption keys as possible,” he said.

Samani also acknowledged Kunal Mehta and Charles McFarland for their assistance in developing the Mr2 framework.

According to official figures, Samani said No More Ransom has been responsible for decrypting data on 29,000 computers hit by ransomware in the past year.

“This represents an estimated $9m that did not go to operators of ransomware campaigns, but unofficially, we believe this figure is somewhere around $30m,” he said.
