Friday, January 08, 2010

A missed opportunity

The theory of capitalism (and I’m greatly oversimplifying here, I know) says that, even if we all follow just our own self-interest, a global “good” will somehow emerge. This is what F-Secure is doing in their blogpost where they write about a specific ransomware which – if you get infected with it – encrypts your data and asks you for a certain amount of money to decrypt it.

Trouble is that their only recommendation is to “remind everyone to backup their important files regularly” (coincidentally – sarcasm, sarcasm – they have an online backup component in their suite). They could have at least mentioned that Sunbelt provides a tool which may decrypt the files (I say may, because I didn’t actually try the tool). This is even more inexplicable given the fact that they got the samples from Sunbelt (“Many thanks to Adam Thomas from Sunbelt for providing samples of the dropper”).

Shame on you F-Secure for putting a (possible) financial interest before the interest of your users!

So I don’t know about you, but instead of claiming that pure self-interest is the solution, I will go with:

Everything in moderation - including moderation.

Picture taken from d3stiny_sm4sher's photostream with permission.

PS. Who wants to bet that – if these claims are brought to F-Secure’s attention – they will claim that they didn’t know about the removal tool?

Update: I'm not singling out F-Secure here, Zarestel Ferrer from CA just made a very similar blogpost: here are the facts (he did include some more technical detail, which is nice for us, security geeks), you should have used a security product to keep it out:

CA advises to keep your security products signature updated to prevent this kind of ransomware.

The plus side: he doesn't necessarily pimp his company's product. The minus: he doesn't link to the Sunbelt decryption tool either. On the plus side, there is a comment facility on their website which could be used by visitors to mention the tool and thus help out people who lost data, but on the negative side: it doesn't work, not even with IE!


  1. with all due respect, a decryption tool is a sub-optimal solution to ransomware. prevention and/or restoring from backups if prevention fails really is the ideal solution here. decryption is the 3rd and worst option of the bunch and it should be a last resort.

  2. I completely agree that the decryption tool is a very suboptimal solution (probably the day when ransomware authors finally figure out how to use the dozens of PKI libraries available properly isn't far either - which would make decryption very unfeasible). I also agree that proper backup is key and prevention is better than cure.

    Then again, what percent of computers are backed up regularly? From my personal experience I would say 0% :-). If there is the chance that the link would help but one person, I feel that it is their moral obligation to mention it.