Ransomware families: response and recovery actions

Posted date 04/01/2024
Ransomware families: response and recovery actions

Ransomware  is one of the most common and damaging cyberthreats in the current landscape. It is a type of  malicious software designed to encrypt files and extort money from victims in order to recover data.

The first ransomware cataloged was the AIDS Trojan, also known as PC Cyborg. Created in 1989, it encrypted the names of files on  the C: drive, rendering the system unusable and demanding payment of $189 to a P.O. Box in Panama to obtain the decryption tool. This malware inaugurated simple extortion cyberattacks. Over time, in double extortion attacks, such as the one in Maze in 2019, criminals not only encrypted data, but also threatened to reveal sensitive information. Triple extortion attacks incorporate the threat of denial-of-service attacks, thereby intensifying coercion, such as Avaddon in 2021, while quadruple extortion attacks add external pressures, involving victims' customers and partners.

Ransomware Extortion Levels

- Ransomware Extortion Levels. Source -

Ransomware  has been introduced into market models, becoming a profitable business for cybercriminals, which also allows it to be in constant innovation, presenting high risks and challenges for global digital security.

Its rise can be attributed, in part, to the ease with which it can spread, the diversity of infection vectors available, and the availability of dark web platforms  that allow the cybercrime industry to operate under highly structured business models, such as Ransomware-as-a-Service  (RaaS). In it, malicious actors offer ransomware services to  subscribers, allowing cybercriminals with less technical knowledge to launch effective attacks. In this model, developers focus on creating malware that is more advanced and adaptable to different technologies and needs of their customers, as seen in the case of Hive, a  cross-platform ransomware.

Creators are even investing in bug bounty programs, paying substantial sums to individuals who help them identify and fix flaws in their code to keep their  malware safe and effective, as seen recently with LockBit. This investment in securing their systems highlights the paradox of these cybercriminal groups that, while compromising and exploiting the security of organizations and users, strive to optimize and protect their own illicit operations.

Ransomware Features 

Infection and spread:

Over the past few years, hundreds of existing families and variants have exploited a variety of methods to infect and spread, using increasingly sophisticated and diversified tactics. Here is a summary of how some of the most notorious ones mainly propagated, though these categories are not mutually exclusive, and many adapted, refined, and combined different methods as they progressed through time:

  • Email (Phishing): TeslaCrypt, CERBER, Nemucod, LECHIFFRE, MirCop, or Stampado became notorious for phishing campaigns     , using deceptive emails with malicious links or attachments. 
  • Exploit kits: CryptXXX, SNSLocker, XORIST, or DXXD exploited exploit kits to compromise websites and thereby infect visitors. 
  • Malicious software downloads and updates: BadBlock, 777, DemoTool, Crysis, or TeleCrypt infiltrated through  contaminated software downloads and  malicious updates, corrupting unsuspecting systems. 
  • Malicious macros in documents: AutoLocky or XORBAT were disseminated through documents with malicious macros, tricking users into enabling harmful features.
  • Exploitation of network vulnerabilities: WannaCry, Petya, Chimera, Jigsaw, Globe/Purge, or Teamxrat/Xpan    stood out for exploiting network vulnerabilities,   spreading autonomously through local networks and the Internet, and, in some cases, directly affecting servers and file systems to encrypt most of the data. Amount of data possible.

Detection Evasion and Persistence:

Generally, before proceeding with encryption, these malicious programs disable and alter services and processes related to system security and recovery, neutralizing security tools and deleting backups. In addition, they modify system logs and configurations to maintain their presence and continuous operation, and erase traces of their malicious activity to hinder forensic and post-infection analysis.


WannaCry, Petya, and others have been characterized by the use of sophisticated encryption algorithms, seeking to optimize the efficiency of their attacks and ensure that victims are forced to pay the ransom. Many of these families implement robust and recognized encryption algorithms, such as RSA and AES, to ensure the irreversibility of encryption without the proper key. Some, such as XORIST, XORBAT, and Stampado, chose to develop their own encryption algorithms or modify existing algorithms to complicate the decryption process.

Response & Disinfection

The high degree of sophistication in the development and deployment of ransomware is forcing organizations, cybersecurity vendors, governments, and law enforcement agencies to redouble their cybersecurity efforts to anticipate and counter these attacks.

Recovery of encrypted files can be achieved in two main ways. The first occurs when, due to police collaboration, the cybercriminal groups are arrested and, as a result, the necessary decryption keys are obtained and published to  free the affected systems, with which it is easy to create tools to automate the decryption of computers. This situation allows victims to restore their systems without having to pay the ransom demanded by the attackers. However, other groups tend to emerge quickly, taking up and perfecting the codes and tactics of their predecessors. These new groups often restart criminal activities with higher levels of sophistication and evasion.

The second way is based on the work of security researchers, who, by studying malicious samples and applying reverse engineering techniques, can find vulnerabilities in the malicious program's code and develop (although not always) methods to decrypt the affected files. For example, the first version of DMA Locker contained the encryption key built into its own code, making it easy to retrieve. However, the crucial problem with this second approach is that once a decryptor (or decryptor)  is discovered and published, the developers of the ransomware can fix the flaw in question and release new versions of  the malware that are no longer susceptible to the same countermeasure. This constant race between the creation of defense measures and the evolution of ransomware underscores the dynamic and adaptive nature of the threat.

In recent years, the cybersecurity ecosystem has begun to provide tools that allow decryption of various families, which makes the recovery work of affected users much easier. One of the most interesting is the one offered by the company  Trend Micro, with its Trend Micro Ransomware File Decryptor, it is currently possible to decrypt files from some of the following families: CryptXXX, TeslaCrypt, SNSLocker, AutoLocky, BadBlock, 777, XORIST, XORBAT, CERBER, Stampado, Nemucod, Chimera, LECHIFFRE, MirCop, Jigsaw, Globe/Purge, DXXD, Teamxrat/Xpan, Crysis, TeleCrypt, DemoTool, WannaCry, Petya. Here is a guide to how to use it:

Descarga e instalación

Installing the tool involves the following simplified steps:

  • Download: Click on the ‘Download’  button  to get the latest version of the tool.
  • Unzip and run:  Once downloaded, you need to unzip the file and then run the included RansomwareFileDecryptor.exe file.
  • Accept the EULA:  When launching the tool, you will be prompted to accept the End User License Agreement (EULA) in order to proceed.


Once these steps are done, you will be able to access the main user interface and follow the instructions provided to start the decryption process of affected files.

  • Select Ransomware: Identifies and selects the specific type that has infected files. 
Screen for selecting ransomware family

- Screen for selecting ransomware family. Source. -

  • File Location: Specifies the  location of the encrypted files that you want to decrypt. 

    Screen to select infected files

    - Screen to select infected files. Source. -

  • Start of Decryption: Start the decryption process by following the on-screen instructions. When decrypting files affected by CyptXXX V1, XORIST, XORBAT, NEMUCOD, or TeleCrypt, another dialog will open in which a couple of files will be requested: an infected file and its corresponding uninfected file in case a backup copy is available. It is preferable to provide larger files as this will make the decryption process easier.

    Screen showing decryption execution

    - Screen showing decryption execution. Source. -

  • Completion of decryption:  Once the decryption process is complete, the interface will display the results and allow access to the decrypted files, which will be in the same folder as the originals, but with modifications in the extensions to indicate that they have been decrypted. The name of the decrypted file will be {original filename} decrypted.{ extension}. To decrypt more files, simply repeat the steps from the main interface of the program.

Additional Considerations and Limitations

In the disinfection of some families, some specific considerations arise:

  • CryptXXX V3 only allows partial decryption of data, and you might need third-party tools for complete recovery of certain files, such as images. 
  • BadBlock, on the other hand, encrypts essential system files, which can cause inconveniences when rebooting the system, and its treatment may vary depending on how it has affected the system. 
  • CERBER needs to run on the infected machine and its decryption process can be lengthy and of varying success, influenced by the capacity of the processor. 
  • Globe/Purge uses brute-force methods to decipher, and its process can be extremely time-consuming, and it has limitations in FAT32 systems. 
  • WannaCry searches for the private key in the memory of the ransomware process, so it is only effective if the process is still active, being more effective on Windows XP systems. 
  • Petya has a special interface and requires specific steps to reboot the operating system to its normal state. Each of these malwares requires a different approach, adjusted to its own characteristics and limitations.


The development of decryption tools is crucial to allow users affected by ransomware to  recover their data without having to accede to the demands of cybercriminals. Not only does this help mitigate the impact of the attack on the affected individual or organization, but it also reduces the profitability  of ransomware for criminals by decreasing the number of victims willing to pay a ransom.

These tools are part of a broader strategy that also includes cybersecurity education and awareness, the promotion of good security practices such as regular updating of software and operating systems, and the  regular backup of important data, all of which are crucial for the prevention and mitigation of these attacks. The availability of these tools and resources is vital, given that malicious actors are continually innovating and developing new, more sophisticated, and harmful ransomware variants.