
Ransomware is a serious threat, but it is also a lucrative business for crooks and scammers who pose as IT professionals and promise successful decryption services for the right price.
Security researchers have found a company in Russia that guarantees decryption of files encrypted by the Dharma/CrySiS ransomware strain, files that, as far as is known, can only be recovered by buying the unlock key from the malware's operator.
Huge markup added
The intriguing claim comes from a company called Dr. Shifro that presents itself as an IT consultancy. Its actual line of business, though, is brokering the file decryption: it charges the victim a hefty bill while negotiating a discount with the cybercriminals.
Check Point says that Dr. Shifro has been brokering these deals since 2015 and has collected at least 100 BTC from some 300 "contracts." The company advertises decryption services for multiple ransomware variants, including Cryakl, Scarab, Bomber, and Dharma.
An undercover investigation by Check Point revealed that the faux consultant contacts the ransomware operator and asks for a discounted price for the decryption key, which in the researchers' case was $1,300.
The cost of the unlock key is passed on to the victim, along with a fee of $1,000 for delivering a decryption tool.
An email to the threat actor makes clear Dr. Shifro's business model:
"I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?"

The researchers estimate the revenue from this activity at no less than $300,000, calculated from the 100 BTC at an average price of $3,000 per BTC recorded during their investigation. Since it is unclear whether all victims were billed the same, the actual figure may be higher.
The general recommendation is not to pay the ransom, so as to make the ransomware business unprofitable. Turning to a company that claims it can decrypt the files therefore looks like a way to get the data back without funding criminal activity. In Dr. Shifro's case, though, the ransom still ends up in the attacker's wallet, with the broker's markup on top.
Ransomware victims should be aware that a legitimate company offering file decryption services does not make bold claims about the success of its efforts, because there is a good chance of failure, especially with data locked by correctly implemented strong encryption. Only possession of the decryption keys can justify confidence in recovery.
Data recovery companies are nothing new on the ransomware scene. Coveware, a company that handles ransomware incidents, is upfront about its business, but many others hide the fact that all they do is negotiate with the malware operator to obtain an unlock key.
This activity is not without restrictions, though, and these companies should be careful about whom they negotiate with. At the end of November, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on two Iran-based individuals associated with SamSam ransomware, banning any business with them. This means that transactions to their cryptocurrency wallets are in violation of the imposed sanctions.

Comments
GT500 - 5 years ago
Where did CheckPoint announce this? I'm finding this news all over the place... except for CheckPoint's website.
Amigo-A - 5 years ago
You're right. There is no reference, no proof from CheckPoint. I looked at a lot of publications; there is no direct link. Publishing news without proof links is a lie (deception). A lie written many times in the media becomes truth. Only believing this truth is problematic.
It has long been known that many decrypto-businessmen do business together with extortionists. In the criminal code, collusion with criminals to extort money from victims is a crime, and it is necessary to judge them equally.
ilaion - 5 years ago
Check Point made the report available to various media outlets. The company today made it available to the public. We have updated the article with a link to Check Point's report.
thgro - 5 years ago
"Where did CheckPoint announce this? I'm finding this news all over the place... except for CheckPoint's website."
https://research.checkpoint.com/the-ransomware-doctor-without-a-cure/
ComputerBits - 5 years ago
Interesting, we had a client attacked by Dharma nearly 2 years ago. As part of our research we found two companies who were offering "recovery", one in Colombia and one in Scotland.
We talked to the Scottish business, who asked for sample locked files, then came back with a price for unlocking. This was around twice the price that we would have paid the ransomers, so we surmised that they were simply paying the bad guys and hoping that enough times they got working unlock keys to make a profit.
It was at a point in time when Bitcoin was skyrocketing from around GBP 800 to GBP 1600, in the couple of weeks from initial attack to the point where we had all the locked files on one clean disk and the client up and running without that data, so the likely ransom fee went up.
The client (a care home business) didn't have the money available to gamble on unlocking (plus strong Police pressure not to, not that it was their livelihood at risk), and so we never approached the ransomers (merely observed via Bleeping).
Happy ending: when keys to the variant they had were supplied via Bleeping a couple of months later, we were able to decrypt that data and supplied the MD with an unlocked copy of the spreadsheet he used to track his business over the 17 years he had operated.