The "Sheriff" has helped 2500 victims rid themselves of ransomware

Thirteen countries have signed up to an international anti-ransomware programme that was launched in Europe just a few months ago.

No More Ransom is an initiative of the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Intel Security and Kaspersky Lab. Launched in July 2016, it enjoys the support of Eurojust – which promotes judicial cooperation in criminal matters across the EU – and the European Commission.

The centrepiece of the initiative is the No More Ransom website, which hosts several tools for helping victims recover from ransomware attacks.

Recovery tools include CoinVault, WildFire, Shade, WildfireDecryptor, RannohDecryptor (updated with a decryptor for the ransomware MarsJoke aka Polyglot) and RakhniDecryptor (updated with Chimera).

In its first two months, the website helped 2500 victims recover their files and devices without having to pay the ransomers. Europol estimates this saved over €1.35m which would otherwise have been paid in ransoms.

The site also hosts advice on preventing ransomware and tips on how to report it to authorities.

The site language is currently English only, but there are plans to make it multilingual.

The 13 countries which recently joined are: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom. More countries are expected to join soon.

“Europol is fully committed to supporting the enlargement of the No More Ransom project within the EU and internationally to respond to ransomware in an effective and concerted manner,” said Steven Wilson, head of the European Cybercrime Centre. “Despite the increasing challenges, the initiative has demonstrated that a coordinated approach by EU law enforcement that includes all relevant partners can result in significant successes in fighting this type of crime, focusing on the important areas of prevention and awareness. I am confident that the online portal will continue to improve in the months to come. All police forces are warmly encouraged to join the fight.”


No More Ransom launch in July: From right to left: Jornt van der Wiel, Kaspersky Lab; Steve Wilson, EC3; Raj Samani, Intel Security; Wilbert Paulissen, Dutch Police

Jornt van der Wiel, security researcher at the Global Research and Analysis Team at Kaspersky Lab, said fighting ransomware requires a joint effort between law enforcement agencies and the private sector. “Researchers can offer broader malware analysis and services like internet scanning, helping to find connections between different items of data. This enables the police to locate and seize the servers used to manage the attack,” he said.

“In some cases, the researchers' insight can also help to track down and arrest the criminals responsible. The seized servers can contain decryption keys, and, when shared with private sector companies this can be turned into decryption tools that help victims to unlock their data without paying the ransom.”

Raj Samani, CTO EMEA at Intel Security, told SC that there weren't enough examples of successful public-private partnerships. “This initiative demonstrates a true practical example of this approach, and what can be achieved when we work together. Not only in terms of making tools available to make data held hostage available, but raising awareness of ransomware by providing proactive measures to prevent infections,” he said.

“Progress has been impressive, because since July the number of tools has doubled to over eight ransomware families. These tools have successfully decrypted over 2,500 infections in such a short time.

“Now to put this into context, this means that there were over 2000 instances in which people did not have to pay criminals in order to get their data back.”