The malware infected the victim’s systems, encrypting “important” files and demanding payment to unlock them.
The root cause was a bug in the encryption payload used by the Hazard ransomware.
“A race-condition occurred when the threat actor executed multiple encryptors on the same system,” GuidePoint determined.
Since the IV was pseudo-randomly generated by the encryption payload, retrieving the missing bytes initially seemed impossible.
The ransomware creators were likely unaware of this bug in their malware.
However, the threat actors merely provided the same decrypting tool under a different name before disappearing.
As the encrypted files were valuable, GuidePoint was tasked with developing a working solution.
After dealing with a faulty decryption tool, GuidePoint emphasized that ransom payments should never be made.
