I wonder if they found a weakness in the encryption, but it's one that is easily fixable by the malware makers, so they're trying to do this quietly so the malware makers don't fix the weakness.
Posted 24 August 2015 - 08:24 AM
Posted 24 August 2015 - 09:07 AM
Posted 25 August 2015 - 01:45 AM
This is a bit of a paradox really; I'd expect an AV company to invest in blocking this type of infection in the first place (you want to be able to tell your customers "yes, we do prevent torrentlocker from infecting your computer"). The fact that they fix this for their paying customers, but not for others who do not have a license can lead to two conclusions, neither of them good IMO:
1) DrWeb can recover keys, whatever their method is, but their product can't prevent Torrentlocker from infecting a computer and they offer this fix as part of their customer support >> worrisome because what when they can't decrypt the next popular file encoder?
2) And if the above is not the case, then the only possible reason for this offer is a shortcut to get new customers. But that doesn't make sense either, because then they would have been better served if they made a bit more noise.
It is possible that the decryption method costs significant resources, but still that doesn't explain the lack of reaction...
"Now faith is the substance of things hoped for, the evidence of things not seen."
Follow BleepingComputer on: Facebook | Twitter
Malware analyst @ Emsisoft | Follow me on Twitter
Posted 25 August 2015 - 04:51 AM
I don't really agree with that assessment.
I don't think that offering decryption services imply you can't protect from that infection. There are many other AV companies that also offer decryption services, most of them can effectively block such infections as well. Offering decryption does not imply you can not prevent infection. And since they never advertised that they can decrypt, it's a highly ineffective shortcut to new customers too.
I would suspect that it is more along the lines mentioned before: They've found a weakness either in the server configuration or the encryption and in order to best serve their customers they tried to draw no attention to the fact that they can decrypt.
Emsisoft showed quite effectively that if you decrypt in large quantities, the malware author will go through the trouble of fixing whatever weakness is causing the decryption to take place: http://blog.emsisoft.com/2015/05/05/pclock-uses-malicious-plugin-to-turn-wordpress-blogs-into-command-and-control-servers/
In that regard, I think DrWeb did make the choice that will serve their customers best. Not the one that will bring them the most PR or the one that will get them the most new subscriptions.
Whether this was the correct ethical choice to make is a different question, and probably not one I would answer with yes.
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
Posted 25 August 2015 - 08:00 AM
I don't say they should have advertised it; I perfectly understand they don't want it widely known for the reasons you pointed out. However, the fact that it's paid customers only AND they do not react to inquiries from the anti-malware community (not even to give a "sorry, we can't provide any further information about this" statement) makes me wonder (so the combination of these two and not either fact separately).
As grinler said, there were people who would have gladly become a DrWeb customer (without publicly drawing much attention to this) in order to decrypt their files and this is perfectly ethical IMO, nobody asks them to provide services for free which in the end cost them resources and manpower. However if that is the case then it seems reasonable to me that they would react to an inquiry from, for example, grinler, especially since BC is pretty much on top of most file-encryption malware.
Posted 25 August 2015 - 08:18 AM
Posted 25 August 2015 - 08:30 AM
BTW, apparently this policy is not new (this page names "encoder", not what variant it is):
Due to the huge influx of requests from users of other anti-virus products, effective June 19, 2013, Doctor Web's support service is providing its free decryption service only to commercial users of Dr.Web products.
https://support.drweb.com/new/free_unlocker/?keyno=&for_decode=1&lng=en
Posted 25 August 2015 - 09:18 AM
Yes, I never said I agreed that this was a good approach. I just wanted to point out that, to me, the conclusion that they only fix this because they can't prevent it is a bit far-fetched:
1) DrWeb can recover keys, whatever their method is, but their product can't prevent Torrentlocker from infecting a computer and they offer this fix as part of their customer support
Posted 25 August 2015 - 08:14 PM
This is an interesting development. I don't know anything about Dr. Web aside from what I've read in this thread but it seems like they're not disclosing any information regarding how they are decrypting torrentlocker because they want to maximize the amount of revenue they can generate from this fix before someone else figures out how to do it too.
Maybe they are giving a percentage of their revenue to third parties so that it won't appear that they are actively trying to attract new customers who are infected by torrentlocker. These third parties could advertise this service and generate business for Dr. Web. It's my understanding that when an antivirus company discovers a new vulnerability, they publish detailed information about it. Shouldn't Dr. Web do this or do companies sometimes keep this information to themselves?
Edited by Ted Striker, 25 August 2015 - 08:16 PM.
Posted 26 August 2015 - 01:41 AM
Yes, actually they should keep this information to themselves. If they publish this info, the first party to take interest is the malware author, who'll make sure their vulnerability will be fixed (see for example here).
Since this is a two-year-old rule of theirs (decryption only for paid customers) I think it might just be related to trying to limit people with other security products wanting to use their decryption service for free. Again, that I can understand; providing a decryptor is considerable work and may in certain cases be required to be done separately for each infected machine.
To me it just would make more sense if they'd communicated this (it's 1 minute of work to reply with a link to that article, show that it is from 2013 and that is it). I still think offering decryption to paying customers sends the wrong message (a paying customer ideally shouldn't be infected with ransomware in the first place). Saying "if you're a customer it's free, but otherwise you can purchase our decryption service for a small fee" seems more logical to me, is not unethical and would have made quite a number of people happy.
Of course it is possible they simply don't have the manpower to cover the increase of requests this would generate, in which case I doubt they're very happy themselves with the pages set up by local resellers.
Posted 27 August 2015 - 03:01 AM
I used to live in the former Soviet State. That's all I have to say. When the wall came down, fishy was the name of the game and it's only become refined.
Posted 27 August 2015 - 12:22 PM
"There is one thing to say that we can decrypt it and another to explain how they are doing it. It was only those times that the companies actually released the flaw that the flaw was fixed. Those that just fixed without disclosing how, were not."
Good point, Lawrence, but whether a company chooses to broadcast or keep the fact on the DL is really a question of what is more likely to result in the problem being fixed. Certainly, we can't rule out the idea that once a developer is aware that there is a flaw in his code he might start looking for it on his own.
If Dr. Web has found a flaw, quietly fixing the problem seems to increase the odds of them continuing to make money off their ability to fix the problem. They may simply be playing the odds. Attract more customers and make some cash. Once someone knows their horses are out of the barn, they tend to start looking for them.
Posted 24 September 2015 - 06:41 AM
I have read so much about this type of malware and still cannot explain to myself why Microsoft is still not removing the cryptic module??
Why should they release every version of Windows with the module included? If they made it available on demand, it would solve so many problems.
Regarding Dr.Web, I can say they just play turtle, as they are Russians and that is the mentality they have. I don't think there is something fishy, and I can most definitely confirm they will not develop malware.
In the end, Dr.Web is one of the oldest AVs on the market; I believe after F-Prot they were the only working solution.
Also we should bear in mind they were the first AV releasing a free cleaner, a long way before Panda and ESET online.
Posted 24 September 2015 - 11:03 AM
Because this Windows component is necessary for a lot of security related functions in Windows and third party software. The fact that it is abused by malware does not mean it is redundant.
As for Dr. Web, nobody was implying they developed the malware themselves or are in any way involved with malware.