California-based Nubeva is building technology to recover encrypted data without making ransomware payments
A San Jose, California-based ransomware data recovery firm has announced the successful recovery of encrypted data without requiring any ransom payment. The firm takes a novel approach: it intercepts the encryption process and extracts the keys used by the ransomware. With these, it can recover data without recourse to paying the ransom.
Nubeva Technologies gave two examples in June 2022. SecurityWeek talked to CMO Steve Perkins. The first victim was a firm in the architectural, engineering and construction (AEC) sector that had been hit by a new version of REvil. This firm had been ransomed three times in the last few years before it turned to Nubeva. The second firm was an insurance processing firm in the healthcare sector, and was not a customer of Nubeva when its files were encrypted.
The Nubeva solution involves a small agent that operates in the background on each endpoint and server. Using patented technology that the firm calls session key intercept (SKI), the process is automatically initiated at the first sign of anomalous or mass encryption. SKI listens in real time to the encryption process and extracts the encryption keys. It stores them in a secret location on the system, with copies in the customer’s cloud account.
“Literally within 48 hours we provide a decryptor. It’s usually shorter than that, if we have a decryptor. If it’s something new and we don’t have a decryptor, we’ll build one. Forty-eight hours is our SLA, and you’re decrypting on the spot.”
In practice, it is not an instant decryption – that would likely rebuild files onto an infected system. There must be an intervening forensics stage where an incident response team assesses the systems to ensure that recovery goes to clean computers. Nubeva helps here. It has collected, time-stamped, and stored all the encryption processes. It can give the forensics team a complete fingerprint of the extent of the damage from ground zero – which would normally take days to assess manually.
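To make the forensic value of a time-stamped key-capture record concrete, the following is an added illustration (not Nubeva's code, format or SKI mechanism, none of which the article describes in detail). It assumes a hypothetical capture log in which each record carries a timestamp, host, encrypting process, file path and a reference into a sealed key store, and shows how such a log yields the "ground zero" time, the spread across hosts and processes, and which files have a recoverable key on record before any restore begins. All sample records and key material are constructed.

```python
"""Turn a (hypothetical) time-stamped key-capture log into an incident
fingerprint: when encryption started, where it spread, which processes
did it, and which files have a captured key available for recovery.
Constructed example; the record layout is an assumption, not a real format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class KeyCapture:
    ts: datetime        # when the key was captured (i.e. when the file was encrypted)
    host: str           # endpoint or server the agent runs on
    pid: int            # encrypting process id
    process: str        # encrypting process image name
    path: str           # file being encrypted
    key_id: str         # reference into the sealed key store (never the key itself)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample log, deliberately out of order to show the sort step.
SAMPLE_LOG = [
    KeyCapture(_t("2022-06-03 02:14:08"), "fs-01", 4120, "svchost.exe", r"D:\projects\plan-b.dwg", "k-0002"),
    KeyCapture(_t("2022-06-03 02:14:07"), "fs-01", 4120, "svchost.exe", r"D:\projects\plan-a.dwg", "k-0001"),
    KeyCapture(_t("2022-06-03 02:15:31"), "ws-17", 2288, "updater.exe", r"C:\Users\acct\invoices.pdf", "k-0005"),
    KeyCapture(_t("2022-06-03 02:14:09"), "fs-01", 4120, "svchost.exe", r"D:\projects\specs.docx", "k-0003"),
    KeyCapture(_t("2022-06-03 02:15:30"), "ws-17", 2288, "updater.exe", r"C:\Users\acct\ledger.xlsx", "k-0004"),
    KeyCapture(_t("2022-06-03 02:40:00"), "fs-01", 4120, "svchost.exe", r"D:\archive\old.zip", "k-0006"),
]

# Constructed sealed key store: key_id -> key bytes. k-0005 is intentionally
# absent to model a capture that did not complete.
SAMPLE_KEY_STORE = {
    "k-0001": bytes.fromhex("00" * 32),
    "k-0002": bytes.fromhex("11" * 32),
    "k-0003": bytes.fromhex("22" * 32),
    "k-0004": bytes.fromhex("33" * 32),
    "k-0006": bytes.fromhex("44" * 32),
}


def fingerprint(events):
    """Summarise the extent of the encryption from the capture log.

    Returns a dict with ground_zero (first capture), last_seen, duration in
    seconds, per-host encrypted-file counts and the set of encrypting
    processes, so responders can scope cleanup host by host.
    """
    if not events:
        raise ValueError("empty capture log")
    ordered = sorted(events, key=lambda e: e.ts)
    per_host = Counter(e.host for e in ordered)
    processes = {(e.host, e.pid, e.process) for e in ordered}
    first, last = ordered[0].ts, ordered[-1].ts
    return {
        "ground_zero": first,
        "last_seen": last,
        "duration_s": int((last - first).total_seconds()),
        "files_per_host": dict(per_host),
        "processes": processes,
    }


def recovery_plan(events, key_store):
    """Split encrypted files into those with a captured key and those without.

    Returns (recoverable, unrecoverable): recoverable maps host -> list of
    paths whose key_id is present in the store; unrecoverable lists paths
    that must come from backup or other means.
    """
    recoverable = defaultdict(list)
    unrecoverable = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.key_id in key_store:
            recoverable[e.host].append(e.path)
        else:
            unrecoverable.append(e.path)
    return dict(recoverable), unrecoverable


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_LOG)
    print("ground zero:", fp["ground_zero"], "spread over", fp["duration_s"], "s")
    print("files per host:", fp["files_per_host"])
    ok, missing = recovery_plan(SAMPLE_LOG, SAMPLE_KEY_STORE)
    print("recoverable:", ok)
    print("needs backup:", missing)
```

The point for the responder is the ordering of work: the fingerprint tells the team which hosts and processes to clean first, and the recovery plan tells them up front which files will come back from captured keys and which still need a backup, before anything is written to a rebuilt system.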
Many companies decide to pay a ransom because they believe it will be the quickest way to recover operations and avoid a lengthy downtime. But this process still involves the time it takes to negotiate with the attackers, obtain the decryptor, and start the rebuild. This period will normally take the best part of three weeks, and there is no guarantee that the decryption will work. Nubeva can dramatically shorten the downtime without paying the ransom, and can recover the files efficiently.
In this instance, the victim was able to recover its data files despite being attacked by REvil, and without paying the ransom.
Some companies decline to pay a ransom because of their own backups. “If you’ve got a simple backup,” said Perkins, “just do it. The problem is that over 50% of the time people still end up paying a ransom because their backups have been corrupted.” And all the time, the downtime clock is ticking.
This problem with backups was illustrated in the second recovery example given by Nubeva. This victim had a good backup process in place when the ransomware struck, but no relationship with Nubeva. The attackers had been resident in the network for several weeks, and the incident response firm warned the victim it would have to restore from backup to a state at least four weeks prior to the encryption to be sure of eliminating the original infection.
This was unacceptable. The company is a healthcare insurance transaction processing firm. All transactions undertaken during the rollback period would be lost, and could only be recovered by submitting duplicate transactions, leaving the firm open to charges of fraud. The only alternative would be to lose millions of dollars and all track of accounting during the period. The firm told the incident responders that it had to restore to no earlier than the day before the encryption.
The incident response team called in Nubeva, which was installed ahead of the backup recovery. The recovery process to the day prior to encryption was undertaken; and as expected, the infection was reintroduced. This time, however, Nubeva caught the encryption keys and gave the responders the infection process fingerprint. As a result, the systems could be rapidly cleaned, and the data restored again through the keys captured by Nubeva.
Nubeva does not consider itself to be a traditional ransomware prevention product. It is a data recovery product. It does not detect ransomware, nor does it prevent ransomware. There are many other products that promise to do this with varying degrees of success and failure. Nubeva is a data recovery tool for ransomware-encrypted data. It acts like a safety net for when ransomware succeeds, as it so often does. Nubeva captures the encryption keys, and in conjunction with a forensic response team can restore encrypted data back onto clean systems. It does this in a shorter time than it would take to pay and restore, but without having to pay.