Ransomware is a serious threat but also a lucrative business for crooks and scammers posing as IT professionals promising successful decryption services for the right price.
Security researchers have found a company in Russia that guarantees decryption of files touched by the Dharma/Crisis ransomware strain, an operation known to be successful only by paying for the unlock key from the malware maker.
The intriguing claim comes from a company called Dr. Shifro that pretends to be an IT consultancy firm. Its line of business, though, it brokering the file decryption for a hefty bill for the victim and a discount negotiated with the cybercriminals.
Check Point says that Dr. Shifro intermediates these deals since 2015 and has added to its account at least 100 BTC from 300 "contracts." The company advertises decryption services for multiple ransomware variants, including Cryakl, Scarab, Bomber, and Dharma.
An undercover investigation from Check Point revealed that the faux consultant contacts the ransomware creator and asks for a discounted price for the decryption key, which in the case of the researchers was $1,300.
The cost of the unlock key would be incurred by the victim, along with a fee of $1,000 for delivering a decryption tool.
An email to the threat actor makes clear Dr. Shifro's business model:
"I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?"
The researchers say that the revenue from this type of activity rises to at least $300,000, calculated at an average BTC price of $3,000 recorded during their investigation. However, it is unclear if all victims were billed the same.
The general recommendation is not to pay the ransom in order to make the ransomware business unprofitable. So turning to a company that can decrypt files is a way to get the data back without endorsing criminal activity.
Ransomware victims should be aware that a legitimate company offering file decryption services does not make bold claims regarding the success of their efforts because there is a good chance of failure, especially with data locked by strong encryption. Only the availability of the decryption keys can give the confidence of recovery.
Data recovery companies are nothing new on the ransomware scene. Coveware, a company that handles ransomware incidents, is upfront about its business, but many of them hide the fact that all they do is negotiate with the malware developer to get an unlock key.
This activity is not without restrictions, though, and these companies should be more careful about who they negotiate with. At the end of November, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions for two Iran-based individuals associated with SamSam ransomware, banning any business with them. This means that transactions to their cryptocurrency wallets are in violation with the imposed sanctions.