The security researcher from Emsisoft Fabian Wosar managed to crack the encryption algorithms of numerous ransomware thus making many hackers angry. Nevertheless, Wosar is not going to stop, but on the contrary – recently, he has managed to decipher the ransomware families HydraCrypt and UmbreCrypt and has released a new decrypter.
HydraCrypt and UmbreCrypt are new ransomware families initially detected in 2016. At their core, both stem from CrypBoss ransomware which was leaked and put by the unknown authors on PasteBin last year. Since the source code was out in the open, Wosar’s task of cracking turned out to be much easier.
“Unfortunately the changes made by the HydraCrypt and UmbreCrypt authors cause up to 15 bites at the end of the file to be damaged irrecoverably”, the expert explained in his blog.
But, apparently, the new ransomware authors who took the source code CrypBoss as a basis, did not pay much efforts here – there are very few modifications to the original source. The good news is that in most cases, these additional 15 bites are useless at all, and the files can be recovered. Wosar found out that these additional bites are not dangerous for all types of files but just for a few. Moreover, these additional 15 bites are quite often added as buffer data, so the encryption can be “cured” by simple opening and saving of the file.
The expert has also released a special tool for data recovery to be used in those cases where simple techniques are not that helpful. This decrypter will be able to tackle both HydraCrypt and UmbreCrypt.