Ever since it launched in April 2016, the ID Ransomware service has been slowly, but surely, becoming the default destination for victims looking for information to aid them in solving their ransomware infections.
If you haven't heard of it by now, ID Ransomware, sometimes referred to just as IDR, allows ransomware victims to upload a copy of their ransom note along with an encrypted file to a specialized website.
After the portal's backend analyzes the submitted data, it will try to identify the ransomware that has locked the user's computer by looking at several clues such as the ransom note text, the Bitcoin address used, email addresses found in the ransom note, and more.
The service has been immensely useful, and according to Michael Gillespie, the man who put it together, it has received 158,577 submissions from 81,965 unique IPs.
Gillespie says that the most frequent detections on IDR were Locky, Crypt0L0cker, CryptXXX, and Cerber. CrySiS, which recently became decryptable, is also high up there, he said.
In mid-October, IDR surpassed an important milestone when Gillespie announced that the service was able to distinguish between 200 different ransomware families.
At the time of writing, this tally is up to 238. When it launched, IDR could only tell apart 51 ransomware families, which speaks to the work he and other researchers have put into the service, but also to the large number of ransomware families that came out this year.
Without the backing of big-time security firms such as Kaspersky or Intel McAfee, which run their own similar portal named No More Ransom, ID Ransomware has continued to evolve and grow.
Speaking to Bleeping Computer, Gillespie provided a few insights on how IDR has grown.
"Since launch, I've added new detection features regarding the ransom note, including email addresses, BTC addresses, BitMessage addresses, and in some cases, even Tor links," Gillespie said.
"I've also added several integrations that work closely with our team's communications platform, with VirusTotal, and even an automated sandbox environment for the occasional executable that is uploaded. Many other enhancements have also been added, including a private-access API, and several tools for us to use in analyzing the data on the backend easier."
All these integrations allow IDR to be more accurate when classifying files submitted by ransomware victims and to return the correct result to them.
IDR doesn't just blurt out a ransomware's name, but also lists links to support forums and decrypters, when available. But users aren't the only ones IDR has helped.
"IDR has definitely helped us [researchers] with identifying many new threats, and seeing how spread many variants are, as input is given from live victims," Gillespie said.
"A few very trusted researchers do have access to the data on IDR now, including some of our friends at Emsisoft. This allows them to help us check out the new submissions, stats, and possibly gather samples of encrypted files from victims for testing with their decrypters."
"It is also interesting to see what countries the submissions are coming from. One of the better features I have incorporated is an 'early warning system' - if a text-looking file (such as a ransom note) goes unidentified, IDR will check for key words, addresses, etc., to determine if it may be a new ransom note. If a positive match is found and the text looks suspicious, it sends our team a notification with the note contents."
"We have actually discovered a few new variants this way, and were able to start hunting for the malware before even having contact with a victim," the researcher adds. "I used to do this manually by just spot-checking uploads, but with the submission volume now, I couldn't keep up - now we get automated alerts."
Any follower of infosec news can tell by now that ransomware has become one of today's top malware threats. In recent years, ransomware has evolved from annoying screen lockers to file encryptors that affect businesses and government agencies alike, not just home users.
Since the enterprise sector is where the money is, security firms have been paying a lot more attention to ransomware threats in recent months. While Kaspersky and McAfee have created their own lookalike portal, it is surprising that no security firm has tried to buy IDR.
"I haven't had any security firms approach me for acquisition - which I'm glad, because I have no intentions of ever 'selling out' anyways," Gillespie tells Bleeping Computer. "The closest thing to that perhaps is an open affiliation with Emsisoft; I receive a small commission if someone makes a purchase from their store after clicking a non-obtrusive ad on the website, and it is very openly disclosed as being an affiliate link."
As for No More Ransom, a project that appeared a few months after IDR, Gillespie doesn't view it as competition. At all, actually.
"NoMoreRansom is definitely a great program for Law Enforcement involvement," he says. "They have been doing a great job of bringing that cooperation between the antivirus vendors."
"We are actually currently working with them more and more to help victims and fight the good fight. I haven't honestly played with their CryptoSheriff site in a while, but I've been told ID Ransomware is a bit more comprehensive in what it detects currently."
As for IDR's future, Gillespie has a few plans. "A 'lite' version of ID Ransomware that allows input of email addresses and Bitcoin addresses," he said. "I have been actually gearing towards doing such a thing. We have an integration that our team is allowed access to that does just that, so the backend is [in] place already. It should be a very near future addition to the public site."
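The article describes three pieces of the IDR workflow without showing any code: identifying a family from clues in the ransom note (email and Bitcoin addresses, note text), the "early warning system" that flags an unidentified text file as a probable new ransom note and notifies analysts, and the planned "lite" lookup that takes a single email or Bitcoin address. The script below is an added example of how such a triage step can be built; it is not ID Ransomware's code, and the regexes, keyword list, scoring weights, alert threshold, fingerprint table (`KNOWN_FAMILIES` with the placeholder families `FakeFamilyA` and `FakeFamilyB`), and sample notes are all constructed for illustration.

```python
"""Heuristic ransom-note triage, modelled on the IDR workflow the article
describes. Added example only: nothing here is ID Ransomware's code, and every
regex, fingerprint, threshold and sample note below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Indicator extractors. The BTC pattern covers legacy (1.../3...) and bech32 (bc1...) forms.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# Words that tend to appear in ransom notes; each hit adds one point to the suspicion score.
KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "private key", "payment", "tor browser")
ALERT_THRESHOLD = 4  # constructed cut-off for the "early warning" notification

# Hypothetical fingerprint table: what a backend would keep per known family.
# Family names and indicator values are placeholders, not real ransomware data.
KNOWN_FAMILIES: Dict[str, Dict[str, Set[str]]] = {
    "FakeFamilyA": {
        "emails": {"restore-files@example.invalid"},
        "btc": set(),
        "phrases": {"your files are encrypted with fakefamilya"},
    },
    "FakeFamilyB": {
        "emails": set(),
        "btc": {"3ZYXWVUTSRQPNMKJHGFEDCBAzyxwvutsrq"},  # constructed, not a real address
        "phrases": set(),
    },
}


@dataclass
class Verdict:
    family: Optional[str]   # matched family, or None if unidentified
    emails: List[str]
    btc: List[str]
    onions: List[str]
    keyword_hits: List[str]
    score: int              # suspicion score used for unidentified notes
    alert: bool             # True when an unidentified note should go to analysts


def extract_indicators(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Pull contact and payment indicators out of a note, de-duplicated, order kept."""
    def uniq(items):
        seen, out = set(), []
        for item in items:
            if item not in seen:
                seen.add(item)
                out.append(item)
        return out
    emails = uniq(m.rstrip(".") for m in EMAIL_RE.findall(text))  # drop sentence-final dot
    btc = uniq(BTC_RE.findall(text))
    onions = uniq(ONION_RE.findall(text))
    return emails, btc, onions


def lookup_indicator(value: str) -> Optional[str]:
    """The 'lite' lookup: map a single email or BTC address to a family, if known."""
    for family, fp in KNOWN_FAMILIES.items():
        if value in fp["emails"] or value in fp["btc"]:
            return family
    return None


def triage_note(text: str) -> Verdict:
    """Identify a note by its indicators; if nothing matches, score it and decide
    whether it looks like a *new* ransom note worth an analyst alert."""
    emails, btc, onions = extract_indicators(text)
    lowered = text.lower()
    keyword_hits = [kw for kw in KEYWORDS if kw in lowered]

    # Pass 1: exact indicator or phrase match against known families.
    family = None
    for name, fp in KNOWN_FAMILIES.items():
        if (any(e in fp["emails"] for e in emails)
                or any(b in fp["btc"] for b in btc)
                or any(p in lowered for p in fp["phrases"])):
            family = name
            break

    # Pass 2: for unidentified text, weigh generic ransom-note signals.
    score = len(keyword_hits) + 2 * bool(emails) + 3 * bool(btc) + 3 * bool(onions)
    alert = family is None and score >= ALERT_THRESHOLD
    return Verdict(family, emails, btc, onions, keyword_hits, score, alert)


# Constructed sample notes (not real ransom notes).
SAMPLES = {
    "known": "Your files are encrypted with FakeFamilyA. Write to restore-files@example.invalid",
    "unknown": ("All your files have been encrypted! To decrypt them pay 1 bitcoin to "
                "1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk. Contact helpdesk@example.invalid "
                "or visit constructedexampleonionaddr.onion via Tor Browser."),
    "benign": "Meeting notes: discuss the encrypted backup rotation.",
}

if __name__ == "__main__":
    for label, note in SAMPLES.items():
        v = triage_note(note)
        print(f"{label:8s} family={v.family} score={v.score} alert={v.alert} btc={v.btc}")
```

The two passes mirror what the article describes: an exact match on an address or phrase gives a confident family name, while the score only matters once that fails, so a well-known note never triggers a false "new variant" alert and a plain document that happens to contain the word "encrypted" stays below the threshold. A real backend would keep the fingerprint table in a database and tune the weights and threshold against its submission history.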