How Can Ransomware Files Be Unlocked?

No More Ransom is a project that aims to help people rescue their data from ransomware. See what happened when we took it for a ride.

Ransomware is not going anywhere. It’s still successful and milking money from enterprises, small and medium-sized businesses, and individuals who find that one day all their memories, photos and documents have been encrypted by extortionists.

For enterprise, there are solutions that can fight effectively against this epidemic, like SentinelOne. But the battle against ransomware is far from over. Spreading ransomware is a low-risk, high return endeavour for criminals, and with ransomware-for-sale on the Dark Net, it hardly requires any technical skill either.

No More Ransom! Versus Negozl Ransomware

The severity and indiscriminate nature of the threat – ransomware doesn’t care if you’re on welfare or you’re a multinational corporation – has resulted in new initiatives to mitigate the problem. It’s heartening to see cooperation between public and private entities, such as the worthy No More Ransom project, which includes private security vendors, the Netherlands police force and the European Union’s law enforcement agency, Europol, among others.

The “No More Ransom” project aims to help victims of ransomware retrieve their encrypted data without paying – and thereby without incentivizing – the criminals. The project also aims to explain how ransomware works and what can be done to prevent infection.

Victims of ransomware can go to the organization’s website and upload samples of their encrypted files along with text from the ransom note.

A screenshot of Crypto Sheriff

The service is entirely free and provides a link to download the decryption solution, if one is available. Currently almost 100 decryptors are listed on the site with pdf instructions for each.

Unlocking Ransomware Files

We were interested to see how the project would fare in a live test. For this demo, we took a ransomware sample from the Negozl Campaign and decided to see both how SentinelOne’s solution and No More Ransom handled the problem. To make it more interesting, we obfuscated the sample to eliminate the option of a reputation discovery by the security software. This technique is also used by malware authors to bypass legacy AV – if you add a byte of information at the end of a file, you change its entire signature.

For an extra challenge, we disconnected the network so that any detection by our next-gen AV software could not benefit from access to cloud services. While some vendors tout cloud-based detection, the reality is that malware acts faster on the local machine and can prevent cloud-based AV software from communicating with the sensor on the local device.

The video below shows how both the SentinelOne agent and No More Ransom performed.

Unfortunately, we encountered three different, but probably related, difficulties with the free service. First, connection to the site repeatedly timed-out as we tried to upload our samples. Further tests suggested the sample-size was too large:

Screenshot of Request Entity Too Large

We then tried uploading the ransom note alone, and finally got a response that No More Ransom didn’t yet have a decryption for this particular strain of ransomware.

Screenshot of Crypto Sheriff's Bad News

Meanwhile, the SentinelOne agent both detected the ransomware and – after we allowed the test machine to execute the ransomware for the purpose of the test – was able to rollback the encrypted files to their normal state within seconds.

Rollback Ransomware with SentinelOne


Despite the difficulties we had in our test of No More Ransom, we fully support this endeavour and trust that tests like this will help to improve the service. In this post we hope to have brought attention to the project to a few more people and maybe help some affected user to recover their data through awareness of the project’s existence.

Ransomware is a plague that is set to continue blighting the cyber lives of users around the world for a long time to come. If projects like No More Ransom can help innocent people recover their data at the same time as depriving criminals of ill-gotten gains, then they are certainly deserving of both our support, and our mention.

For enterprise users, as our demonstration video shows, SentinelOne’s superior detection and rollback facilities mean that protection against ransomware is guaranteed. Indeed, only SentinelOne offers up to $1 million in warranty protection against ransomware attacks.

Like this article? Follow us on LinkedInTwitter, YouTube or Facebook to see the content we post.

Read more about Windows Security

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *