Ransomware Recovery Firms Who Secretly Pay Hackers

ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims.

Posted on July 8, 2019 at 7:08 AM • 15 Comments

Comments

wumpus • July 8, 2019 9:23 AM

“Behavior like this is what keeps ransomware running.” Behavior like this also keeps ransomware authors capable of decrypting the data once the ransom has been paid. Ransomware is a great example of a lemon market, but having such firms exist that presumably know when they are looking at a ransom that won't unlock (at least the second time they see it), they will presumably update their ransomware to allow decryption (of course it isn't like the old stuff suddenly disappears).

408wij • July 8, 2019 11:42 AM

In addition to @wumpus's point, this may be the most economical approach, and it keeps the hands clean of those who are ransomed.

Alyer Babtu • July 8, 2019 12:22 PM

Shouldn’t the usual risk and insurance ideas apply here also? This might drive improvement in security standards too.

parabarbarian • July 8, 2019 1:16 PM

Companies that provide kidnapping and ransom insurance use negotiators to deal with the extortionists. Hiring a consultant to provide the same service in dealing with ransomware criminals is really no different. The sin that Red Mosquito committed was that they lied about it. Ultimately the only real asset a business that buffers between honest folk and criminals has is that the client can trust you.

Wilhelm Tell • July 8, 2019 4:27 PM

Protection is today's magic word.

The case is similar to Google's mail filters: They efficiently protect from spam but actually just replace the "outside spam" with Google's own advertisements.

Ribamar • July 8, 2019 4:50 PM

`The case is similar to Google's mail filters: They efficiently protect from spam but actually just replace the "outside spam" with Google's own advertisements.` => Excellent comment.

Rachel • July 8, 2019 5:54 PM

Wilhelm Tell & Ribamar
+1 +1

Kidnapping/Ransom. A little tangential, but for considering permutations of this security dynamic, the excellent film 'A Hijacking' (Denmark) deals with exactly the issues raised in this blog post.
It's about pirates seizing a vessel and the negotiations via Sat comms.

It also features crew that had personally undergone a pirate hijacking, on a ship that had suffered the same. The negotiator is a real one, who didn't have a script but responded live. The actors and ship crew were actually out at sea for the filming, undergoing negotiations in real time.

Exponentially superior to the revisionist, poorly made US 'Captain Phillips', which deals with a similar situation.

Joe • July 8, 2019 8:55 PM

It's not uncommon that some of these "negotiators" are hijackers themselves in a double role. This is much like the legal industry, where the perpetrators and the "negotiators" may work hand-in-hand to make money in either direction.

fddhdd • July 9, 2019 12:38 AM

Breaking the "don't pay terrorists" rule is a profitable strategy. Paying ransom = more ransomware attacks = more "customers".

65535 • July 9, 2019 4:09 AM

@ Wilhelm Tell

"Protection is today's magic word."

I see your point. The White hats and the Black hats can switch places making "protection" a Racketeer type industry.

@ Rachel

"Wilhelm Tell & Ribamar +1 +1... "

I agree.

This fake security company is a good example of a bad example. These fake "security" firms are riding on the coattails of honest security firms. This hurts the reputation of honest security firms by association with dishonest security firms. I think these fake "security" firms are very problematic for the digital security sector in a dangerous way.

I know of one security guy who is also a professor that now is afraid to go to various security conferences [defcon] for fear of being profiled by the FBI or other TLA because of the bad apples in the honest digital security firms. That fear is real. Who wants to be hunted by the FBI? No one I know.

There must be some sanctions against these fake security firms. But, how to do so?

To anyone in the UK or Clive R., do you know of this Firm and of its reputation? I believe they are in the north part of the UK. How would you deal with them? Is the only way legal regulation?

Or, is it best to set up honey pots or stings for the sleazy operators? Both methods could have negative repercussions.

Say, if someone like Clive R. [or anybody else on this board] was an active security researcher making good money - would anybody including Clive R enjoy being regulated? How about Antivirus companies who use SSL stripping to look for hidden ransomware - would said AV companies like being regulated? I doubt it.

Next is a related question: if digital security were regulated by, say, the UK or USA, how far would it go? Could the TLAs in the UK or USA influence said researchers? Maybe and maybe not. There are a lot of questions to this problem.

This fits into Krebs on Security's new investigation into a 2 billion USD ransomware strain operator. This ransomware went through several revisions. They made a large bundle and moved on. The malefactors seem to be from Russia - but that could be a ruse.

Two billion US dollars is a fairly large amount for one group. If many groups enter the ransomware market with high quality code this would be a huge problem.

ht tps://krebsonsecurity[.]com/2019/07/whos-behind-the-gandcrab-ransomware/

[link broken to hinder bots]

Clive Robinson • July 9, 2019 8:42 AM

@ All,

From the article,

    Wosar said. “There is also no shame for a data recovery company in paying the ransom, as long as they are open and transparent about it.”

That is very bad advice, and there could be a lot of shame as people go to jail for making payment.

Two points can hit you,

1, Aiding in a criminal enterprise.
2, Making payment to terrorist organisations.

Both of which carry considerable tariffs. In fact the legislation about the paying of "ransoms" is not specific to "humans" or "pets" because of the taking of ships around Somalia and other areas of the globe...

Make no mistake if you pay a ransom you are committing a crime for which you can be prosecuted in quite a number of different ways.

If you are not convinced look at the legislation for receiving stolen goods. The "theft"[1] creates the stolen item; making payment to obtain something that you have reason to believe has been obtained by theft is "receiving".

So there is plenty of legislation to stop this behaviour dead, if the authorities wanted to fill jails with victims of crime. Which as it only creates bad press they generally try to avoid.

@ 65535, Rachel,

To anyone in the UK or Clive R., do you know of this Firm and of its reputation?

I've not come across them; they are obviously not in the same league as Kroll, for instance.

That said I've been expecting such companies to appear.

Due to the failings of financial institutions and regulation there have been one heck of a load of "middle men" companies taking huge sums of money for effectively doing nothing. Search for "PPI Scams" if you want to see them.

It's in line with the UK's new economy paradigm where the only growth sector is "rent seeking".

I would also expect a few of these "faux Microsoft Support Call" operators to start moving into the "Ransomware Market" to play both sides. That is, under their phoney support they "drop a RAT" into your system, and at a later time assess which way to extract further money out of you as you are clearly gullible (think behaviour of Nigerian Prince letters, Pump and Dump stocks etc etc). After all they can probably get further info to attach on to your credit card info, so making that data more valuable, as just a start, going through a series of steps milking you bit by bit until they hit you with a ransomware attack.

Thus if you do get hit by ransomware the first questions you should be asking companies are not "Can you recover my data?" but "How did they get in?" and "How do I stop it from happening again?". If they can answer those questions for a nominal price, then they might just be reputable.

The usual "guru advice" that's all too often given out in a glib fashion is "backup your data". It's actually not an easy thing to do for a whole heap of reasons, as you might have found out when upgrading a PC to a new one that has different hardware and OS, as it's not just data, it's data in proprietary formats specific to an application that may no longer be available or won't run on newer hardware or OS.

In short it takes a lot of planning and preparation and only a very lucky few ever get it totally right without actually doing a few dry runs.

Which is why "backup and backup often" is glib, because there is no "test it works reliably" statement in there.

But there is another aspect, backups are only even remotely of use if they are still under your control and have been tested properly...

As I've mentioned in the past, if I was going to commit a crime it would be large and then I would disappear to a prearranged new life and live quietly and very very law abidingly from then on. Thus if I was going to do it by ransomware I would think it through carefully and almost my first thought would be "how to deal with the backup issue".

And actually in oversight it's easy (practice is another thing all together). First you work out what the backup cycle time depth is. That is, how often do they do a full "grandfather backup", and when you thus are looking at starting the process two or three times before that. So you would then "get at" their backup software in some way so that it transparently encrypts all the backups. As the backup software is almost certainly going to get updated at some point, you would be unwise to attack that. Thus you would attack at a lower level such as the device drivers for the backup tape device[2]. You would then start encrypting all the backups. Provided they tested them on the same system then the driver would transparently encrypt/decrypt on the fly. For other reasons you would also only encrypt the older files until just before "Doom-Day" when you switch to encrypt everything. Come D-Day you delete the encryption keys for the backup system then completely barf the file systems with "one way algorithms".

Thus the file systems can not be recovered in any way, so that's a dead end, and those carefully kept and even tested backups are now effectively just random magnetic domains and of no use without the keys only you have and have done for half a year or more... That way the carefully selected victim has to pay or go under.

Which brings up a couple of questions. The first is how, as a potential victim, you avoid this fate. The second is how you, as an attacker, select your target so you have "survivability".

The first question of how you avoid such a fate is a little subtle, and the answer is not "test backups" but rather "how" you test backups, which is where the "consultant money is".

The second is more interesting. Obviously the target has to be able to pay the money you are going to need for a very comfortable but quiet life for the next fifty years or so without having to negotiate you down (they will try, so build that into the plan). But also they must not be so large that they will have sufficient spare capital to employ twenty or thirty people to hunt you down and dispose of you in some way... Because you don't want to feel the pin prick of a fine rhodium needle going in your backside to drop a dose of Suxamethonium chloride in to take your breath away[3] for good... Or some other drug so they can "crate you up as aircraft freight" for no passport or extradition paper travel.

[1] Remember theft like fraud is covered by "The denying the owner or their agent the rights and privileges pertaining to ownership". Encrypting or just destroying files are both "denying the owner" thus theft. Even saying you have encrypted files is again "denying the owner" thus a form of fraud.

[2] Yes I'm aware that few large organisations actually use tape drives any longer for daily or even weekly backups, hence it's the "grandfather" backup that's held off site you are going for as the prime target.

[3] Often just called "sux", it's a short-acting muscle relaxant, which does not affect consciousness. It would not be found in an ordinary postmortem tox screen and unless the examiner was very thorough, finding such a fine needle mark in your posterior is not very likely. You would die excruciatingly painfully as you effectively have a full blown fatal heart attack. It's a widely available drug on the UN's list of most important "essential drugs". It's frequently used in operations, where I know from experience this little note on the Wikipedia page is correct,

    Suxamethonium does not produce unconsciousness or anesthesia, and its effects may cause considerable psychological distress while simultaneously making it impossible for a patient to communicate.

Due to my deceptively large size I'm very much on the fatality risk border line for general anaesthetics, and also for other reasons an asphyxiation risk not a good combination, and they had not given quite enough anesthesia or it had not kicked in for some reason. So there I was tracheal intubated and awake and paralysed. Not in any real danger, but a good enough reason to have full on nightmares from time to time. Oh and it was not my first "wake on the operating table" experience. It's why I talk to anesthesiologists about "spinal taps" and "adrenaline free local anesthetics"... So yeh I've had some operations where I've chatted to the anesthesiologists or the surgeon or nurses whilst they are doing their thing. It's funny but when it's your choice to be awake, you don't get nightmares, nor the crappy recovery times where you are sluggish for days.
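The comment above argues that the answer is not "test backups" but "how you test backups". As an added example (not Clive Robinson's code, and not from the blog post), the script below models the attack he describes: a storage driver that transparently encrypts on write and decrypts on read with a key only the attacker holds. It then runs two verification methods against it. Restoring through the same driver that wrote the backup passes, which is the false assurance; checking the raw bytes on an independent host against a manifest whose HMAC key never lived on the backup host fails, which is the detection. The sample files, the `MANIFEST_KEY`, the driver classes and the SHA-256 counter keystream are all constructed for the example.

```python
"""Added example: same-host restore tests pass against a backdoored storage driver;
independent-host verification of the raw medium does not. All data is constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed sample files standing in for the data set being backed up.
SAMPLE_FILES = {
    "ledger.csv": b"2019-07-01,invoice,1200.00\n2019-07-02,refund,-50.00\n",
    "notes.txt": b"Quarterly review notes.\n",
}
# Hypothetical manifest-signing key. It lives on a separate verification host,
# never on the machine that runs the backup software.
MANIFEST_KEY = secrets.token_bytes(32)


class HonestDriver:
    """Stores bytes exactly as written."""
    def __init__(self):
        self.medium = {}                      # name -> bytes physically on the medium
    def write(self, name, data):
        self.medium[name] = data
    def read(self, name):
        return self.medium[name]


class BackdooredDriver(HonestDriver):
    """Models the attack: encrypt on write, decrypt on read, key known only to the attacker.
    A SHA-256 counter keystream stands in for whatever stream cipher the attacker would use."""
    def __init__(self):
        super().__init__()
        self.attacker_key = secrets.token_bytes(32)
    def _xor(self, data):
        if self.attacker_key is None:
            raise RuntimeError("key deleted: backups are unrecoverable")
        stream = b"".join(hashlib.sha256(self.attacker_key + i.to_bytes(8, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))
    def write(self, name, data):
        self.medium[name] = self._xor(data)       # ciphertext hits the medium
    def read(self, name):
        return self._xor(self.medium[name])       # plaintext comes back, hiding the problem
    def doom_day(self):
        self.attacker_key = None                  # attacker deletes the key


def make_backup(driver, files):
    """Write files through the driver; return an HMAC-tagged manifest of SHA-256 digests.
    Digests are taken from the source data before it reaches the driver."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    for name, data in files.items():
        driver.write(name, data)
    manifest = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, manifest, "sha256").hexdigest()
    return manifest, tag


def manifest_ok(manifest, tag):
    expected = hmac.new(MANIFEST_KEY, manifest, "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)


def verify_same_host(driver, manifest, tag):
    """The glib test: read back through the driver that wrote the backup."""
    if not manifest_ok(manifest, tag):
        return False
    digests = json.loads(manifest)
    return all(hashlib.sha256(driver.read(n)).hexdigest() == d for n, d in digests.items())


def verify_independent_host(raw_medium, manifest, tag):
    """The useful test: a clean host reads the raw medium with no driver from the
    backup host in the path and checks it against the out-of-band manifest."""
    if not manifest_ok(manifest, tag):
        return False
    digests = json.loads(manifest)
    return all(hashlib.sha256(raw_medium[n]).hexdigest() == d for n, d in digests.items())


def run_scenario(driver):
    """Return (same_host_passes, independent_host_passes) for the given driver."""
    manifest, tag = make_backup(driver, SAMPLE_FILES)
    return (verify_same_host(driver, manifest, tag),
            verify_independent_host(dict(driver.medium), manifest, tag))


if __name__ == "__main__":
    print("honest driver:     ", run_scenario(HonestDriver()))   # (True, True)
    bad = BackdooredDriver()
    print("backdoored driver: ", run_scenario(bad))               # (True, False)
    bad.doom_day()
    try:
        bad.read("ledger.csv")
    except RuntimeError as err:
        print("after key deletion:", err)
```

The design point is that the digests are taken from the source data and the manifest key is held off the backup host, so the check has nothing in common with the path the attacker controls. A restore test that only exercises the backup host's own read path cannot distinguish "our backups are fine" from "our backups are ciphertext the attacker is still decrypting for us".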

vas pup • July 10, 2019 10:25 AM

Hacking related:
Anesthetic devices 'vulnerable to hackers':
https://www.bbc.com/news/technology-48935111

"A type of anesthetic machine that has been used in NHS hospitals can be hacked and controlled from afar if left accessible on a hospital computer network, a cyber-security company says.

A successful attacker would be able to change the amount of anesthetic delivered to a patient, CyberMDX said.

Alarms designed to alert anesthetists to any danger could also be silenced."

Rosey angelina • July 13, 2019 6:38 AM

A supply chain present on a Blockchain is more traceable, transparent and reliable. This type of information is really very helpful for all the users very nicely. I also get useful ideas from windows 10 taskbar frozen page.

Jeffrey Deutsch • July 13, 2019 11:57 AM

Reminds me a bit of the old-time ward heeler who agreed to "fix" citizens' parking tickets...he just paid them out of his own pocket.
