Ransomware recovery firms often just pay attackers’ ransom demands

Companies advertising ransomware recovery services often simply pay the attackers their ransom demand in exchange for the decryption keys, an investigation into the sector has revealed.

A former employee at Proven Data Recovery of Elmsford, New York, tells ProPublica that the firm “regularly made ransom payments to SamSam hackers over more than a year.”

Instead of using specialized decryption tools, as one would imagine, the company (and others like it) resorted to simply paying the attackers to decrypt the data, according to Jonathan Storfer, who worked at Proven Data Recovery.

The firm hasn’t always been very transparent about its practices, but it does openly admit to paying ransomware demands as a last resort. From the company’s website:

“Our goal as one of the first companies to become involved with Ransomware recovery is to restore business functionality as soon as possible while preventing future ransomware occurrences. Whether it’s reverse engineering the malware, restoring from backups, or as a last resort option paying the ransom, we’re standing by to get you up and running as soon as possible.”

MonsterCloud is another example offered in the ProPublica report. Despite professing to use its own data recovery technology, the Florida-based firm pays ransoms, “sometimes without informing victims such as local law enforcement agencies,” according to the report.

Like Proven Data Recovery, MonsterCloud charges victims fees that exceed the actual ransom amounts. Both firms also use aliases for their workers in communicating with victims.

Some players in the ransomware recovery industry are very open about their practices:

“In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.”

Proven Data Chief Executive Victor Congionti defends the practice. He says it’s easy to blame those who give in to a ransomware attack, but, when it’s your data, your business, and potential lives at stake, it’s not so black and white.

“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”

It’s an even bigger moral predicament when one realizes that many ransomware operators, such as those behind the SamSam ransomware strain, are essentially enemy states.

“Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran,” the report notes.

Investigators said the practice underscores the lack of options for ransomware victims, including the failure of law enforcement to catch or deter attackers.

As we’ve said before on this blog, the best defense against a ransomware infection is prevention: keep it from happening in the first place. Keep regular, offline backups of your most sensitive, business-critical data so that you can restore without paying if disaster strikes.