Beware of Dishonest Ransomware Recovery firms

Last week Checkpoint software published the results of a ransomware data recovery sting operation against a Russian company called Dr. Shifro. Dr. Shifro advertised Dharma ransomware decryption, among others. However, Dr. Shifro was lying to his customers. He was actually just paying hackers bitcoin for decryption keys without client consent or knowledge.

The security researchers were posing as both customer and hacker, so they confirmed both sides of Dr. Shifro’s scam.

Dr. Shifro Ransomware Sting

Ransomware Payment Mills Prey on the Emotion of a Ransomware Attack

Dr. Shifro was a small firm in a surprisingly large global market of predatory data recovery firms. These ransomware payment mills demonstrate how easily intermediaries can prey on the emotions of a ransomware victim. They advertise guaranteed decryption without having to pay the hacker.

Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory. Moreover, the excessive fees charged by the payment mills sap the victim of critical budget needed to harden security post incident.  

Competition to Acquire Unsuspecting Victims of Ransomware

Ransomware Payment MIlls come in several shapes and sizes. Some groups don’t even have a website, and stalk ransomware chat forums promising the ability to decrypt files for a fee.

There are also data recovery firms that have large international footprints in traditional data recovery that claim to be able to decrypt ransomware. These firms spend between $20-25 million dollars on Google Adwords paid search. The top ransomware recovery search terms are expensive auctions to compete in.

To bolster conversion, some Ransomware Payment Mills flaunt the ability to reverse engineer ransomware through doctored youtube videos, even though RSA-1024 asymmetric encryption is impossible to break.

Informational and Transactional Arbitrage...Fraud or Worse?

The Checkpoint researchers further discovered that Dr. Shifro was requesting a ransom amount from their victim persona that far exceeded the amount demanded by the hacker...  

GranCrab Data Recovery Code

While misleading advertising may be a ‘gray area’, lying to a customer about the cost of goods and services crosses a line. This dishonest behavior is further enabled by ransomware payment TOR sites. GandCrab’s payment TOR site has two such enabling features. The first is the ability to enter a discount code. The discount codes are advertised to data recovery firms and offer immediate discounts to the ransom amount when entered.

The second enabling feature is the ability to have a private chat after entering a discount code, a chat not visible to others that may login to the same site (like the victim company).  Victims unaware of this discount could easily pay more than what is required to release the decryption tool.

These features were clearly built to enable communication between the hacker and regularly paying intermediaries (ie - ‘data recovery’ payment mills). The liquidity that ransomware payment mills create for the hackers clearly makes the development of these features worthwhile for the developers.  (For full disclosure, Coveware possesses a GandCrab discount code but passes 100% of the discount on to our clients)

What Is a Victim of Ransomware to Do?

First and foremost, victims of ransomware should do their research and know their rights.  Resources like NoMoreRansomware and ID-Ransomware are good places to start.

Additionally, victims should ask a data recovery firm to plainly explain how their methods and pricing work. Negotiating and paying a ransom on a victims behalf and guiding them through the decryption process can be a valuable service to a business immobilized by ransomware, but the service should be explained in simple and transparent terms.

Ransomware victims have the right to know how much they are paying and to whom. Given the recent OFAC sanctions against two SamSam ransomware hackers, they should also be appraised of the risks they are taking by paying.  

Sunlight is the best disinfectant, and thanks to Checkpoint’s research the light is starting to shine into the corners of the data recovery industry.