The firms that piggyback on ransomware attacks for profit

Don't want to pay the ransom? Pay us, and we'll pay it for you!

The firms that piggyback on ransomware attacks for profit

Being hit by ransomware must be bad enough when you don’t have a secure backup of your critical data that you can turn to. Just imagine how it feels to then be ripped off a second time by the data recovery firm you turn to for help in your moment of panic.

It seems there are firms out there who are charging ransomware victims a hefty premium for the safe return of your data - when all that’s actually happening is they are paying the ransom on your behalf.

The DMA Locker ransomware has been doing the rounds since early 2016, spreading to victims’ computers by exploiting installations of Windows Remote Desktop with weak passwords. The FBI has been actively investigating who might be behind the DMA Locker ransomware for the last two years, after it was contacted by a victim - Alaska-based real estate agency Herrington & Company.

DMA Locker typically requests a ransom of between three and 10 bitcoins if you want to decrypt the files on your hard drive that it has garbled. In the case of the attack on Herrington & Company, the ransomware requested four bitcoins, which at the time of the attack in April 2016 was equivalent to about US $1700.

Simon Schroeder, an IT consultant hired by Herrington & Company to remediate the ransomware problem, had reached out to an email address supplied by DMA Locker’s authors to confirm that they would be able to recover the encrypted files.

At about the same time, the owner of Herrington & Company contacted a New York-based firm called Proven Data Recovery to see if they could possibly help. Proven Data Recovery quoted a price of US $6,000 to restore access to the encrypted files.

As part of its investigation, the FBI has applied for a search warrant to examine email accounts at a US ISP, and it’s that document which shares some details as to what happened next between Herrington & Company and Proven Data Recovery (PDR):

Following a consultation with a client manager from PDR, Schroeder provided PDR with a sample file for evaluation. PDR then scheduled an appointment a couple days later. During the appointment, Schroeder first moved the encrypted files to a backup computer system. Schroeder then granted remote access to PDR so it could access the infected computer system, which contained a subset of the encrypted files. Schroeder observed PDR work on Herrington & Company’s computer system using the command prompt for approximately 45 minutes, after which the tiles were decrypted. Schroeder later provided PDR remote access to the computer workstation at Herrington & Company that contained the remainder of the encrypted files. PDR then decrypted those files using a similar process.”

Schroeder says he was unable to determine how Proven Data Recovery had recovered the files, but believed that they had simply paid the original four Bitcoin ransom.

The FBI says that its investigation confirms that Proven Data Recovery can have only decrypted the victim’s files by paying the ransom demand, and obtaining an official decryption key from the criminals.

When questioned, one of the owners of Proven Data Recovery confirmed that they had contacted DMA Locker’s author. And, in fact, had had “several hundred” email exchanges related to 200 or more client cases of DMA Locker attacks. And it’s this information which has led to the FBI seeking information from the ISP, which might - potentially - help shed some light on who is behind the attacks.

This isn’t the first time that Proven Data Recovery has found themselves in the spotlight for charging a pretty penny by paying a ransom on their client’s behalf.

Back in 2015, for instance, the Dinbits blog published a transcript of a conversation it had had with a Proven Data Recovery support technician who was asking them to pay US $5,000 to restore data on a ransomware-hit drive where the extortionists were only asking US $300. And, as the transcript showed, Proven Data Recovery weren’t revealing that they would simply pay the extortionists.

Such practices by data recovery firms may not be illegal, but they certainly don’t feel entirely ethical. Maybe there are reasons why a company would not want to play a blackmailer directly, and would prefer for a proxy payment to be made on their behalf, but if the only way to recover data after a ransomware attack is to pay the extortionists, well… then that’s what victims should be told.

I don’t think it’s right to dress up the truth of what you’re going to do, and add such a handsome mark-up. That, it feels to me, is just further extorting panicking victims of ransomware attacks.

Hat-tip: @SeamusHughes

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:

, ,

4 Responses

  1. BaliRob

    April 26, 2018 at 10:59 am #

    Of course it is a criminal matter to assist the perpertrators to extort money from the victim - wake
    up FBI and go back to your law books - aiding and abetting most crimes is punishable before the courts in most developed countries. These agents are facilitating payment.

  2. BaliRob

    April 26, 2018 at 11:01 am #

    erratum - most crimes ARE punishable

  3. Cap'n Dave

    April 26, 2018 at 2:10 pm #

    Bitcoin - Bitcoin - Bitcoin.…all I ever see Bitcoins used for are illegal transactions for drugs, pirated goods, ransomware payments, etc. Time to banish all types of cryptocurrency by world governments.

  4. Victor Congionti

    April 27, 2018 at 5:54 am #

    Dear Graham,

    Thank you for your reporting and being on top of the news. I wanted to reply to your thread on Twitter Monday, but waited before I had all the facts as I was sick to my stomach and just as shocked as you were! The document was supposed to be sealed due to an ongoing investigation on the hacker. As you can see from the link you posted, the document no longer exists to confirm this. It is also very easy to take the document out of context. We are a small business that does not have the resources to go through countless records, so the best alternative decided on after meeting with the FBI, was to give them access to our servers through the appropriate legal channels. Regarding our ransomware policy - Our website & terms of service state that we may pay the ransom as a last resort attempt to recover our client’s data in order to restore business functionality as soon as possible. We are transparent and freely admit if a ransom is paid on behalf of our client and offer a guarantee on the service regardless of receiving the decryption keys or not from the hacker (think of it as an insurance policy). Whether you’re a hospital that has patients’ lives on the line, a company that relies on their data to run their business, or someone who has their life’s memories on a device that has ransomware…paying the ransom is the unfortunate last resort if you cannot restore from backups or reverse engineer the malware.

    Warm Regards,

    Victor Congionti
    CEO at Proven Data

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.