#monstercloud
Custard Monster e vape juice
Custard Monster E Vape Juice is an exquisite elixir that redefines the art of vaping, presenting a world of creamy indulgence that promises to satiate your senses with every puff. Meticulously crafted, Custard Monster E Vape Juice offers a sumptuous collection of e-liquids, each one a masterpiece of velvety custard flavors.

This collection boasts an array of custard profiles that cater to diverse palates. From the classic allure of vanilla custard to the luscious charm of butterscotch custard, Custard Monster's e-juices are a testament to the elegance of custard-inspired vaping.
Quality is paramount for Custard Monster, as only the finest ingredients are used to ensure a consistently pure and decadent vaping experience. Available in a range of nicotine strengths, it caters to both those seeking a nicotine rush and those opting for nicotine-free options.
Adorned with eye-catching packaging and branding, Custard Monster E Vape Juice is an invitation to explore a world of creamy delights with each inhale. Elevate your vaping journey and indulge in the velvety clouds of custard perfection that Custard Monster E Vape Juice delivers.
Visit - https://vapemarley.com/product-category/e-liquid/custard-monster/
#CustardMonsterEliquid #VapeCustardMonster #CreamyVaping #EliquidDelight #VapeLife #FlavorfulVaping #VapeCommunity #CustardCravings #MonsterClouds #VapeFavorites #SweetCustard #VapingSensation #AllDayVape #CustardLover #VapeWithFlavor #CustardDreams #VaporDelights #CustardGoodness #CreamyClouds #VapeHeaven
Grifty "information security" companies promised they could decrypt ransomware-locked computers, but they were just quietly paying the ransoms

Ransomware has been around since the late 1980s, but it got a massive shot in the arm when leaked NSA cyberweapons were merged with existing strains of ransomware, with new payment mechanisms that used cryptocurrencies, leading to multiple ransomware epidemics that locked up businesses, hospitals, schools, and more (and then there are the state-level cyberattacks that pretend to be ransomware).
The boom in ransomware infections is also a boom for companies that provide services to the infected. A lot of these companies are in the business of taking your money, sending some Bitcoin to your attackers, then holding your hand as you use the codes the attackers provide to get your files back (assuming the malware performs according to spec and that the ransomware attackers don't just run off with your dough).
But not everyone wants to pay ransom! There are ethical and political reasons to avoid paying ransom, and the more money ransomware attracts, the more clever programmers will throw themselves at the project of making ransomware even more virulent and widespread.
Some companies advertised that they could decrypt your locked-up files without paying the ransom, using proprietary methods they'd developed in house to undo the attackers' encryption. This isn't outside the realm of possibility (programmers make mistakes) but it's still a bit of a stretch (well-implemented encryption is extremely robust).
ProPublica's Renee Dudley and Jeff Kao provide a deep investigative look at two of these "don't pay ransom" companies, Proven Data and MonsterCloud, and reveal that these companies made false representations and had no ability to decrypt their customers' files. Instead, they simply paid the ransoms and deceived their customers about their activities. The reps the customers dealt with turn out to be pseudonymous fake people, and the marketing endorsements on these companies' sites are also almost certainly fabricated.
The companies not only paid ransoms, they effectively became confederates of the ransomware criminals, creating long-term, professional relationships with them that allowed them to negotiate for extra time on their customers' behalf. What's more the criminals began to refer their victims to the companies, advising the victims that if they couldn't figure out how to pay ransom or needed to be convinced that the threat was real, that they should pay these companies for their professional services.
ProPublica quotes on-the-record whistleblowers, the executives at the companies, and their customers, and paints a picture of companies that engaged in blatant misrepresentation to the detriment of their customers, peddling lies and snake-oil to people who'd already been victimized. Meanwhile, public records show that the founders of these companies got ridiculously rich, buying multiple luxury homes and luxury cars. These founders deny that they told customers that their data could be decrypted without paying, but their own websites make these claims in plain language.
The grift encompasses people like former FBI director and Mueller crony John Pistole, who produced a still-available promo for MonsterCloud in which he falsely states that "MonsterCloud’s proprietary technology and expertise protects their professional reputations and organizational integrity" and that this allows customers to recover their data without paying ransom -- a claim Pistole admits he knows is false.
Meanwhile, ProPublica traces some of the money that the anti-ransomware companies quietly paid to criminals and finds that it ended up violating US sanctions against Iran.
https://boingboing.net/2019/05/16/john-pistole-shilled.html
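The post above rests on one technical point: a locked-up file can be recovered without paying only if the ransomware's authors made a mistake, because correctly implemented encryption leaves nothing to attack. The following is an added Python example, not code from the post or from any company it names. It uses a constructed toy stream cipher to show one classic mistake (deriving the per-victim key from the infection timestamp) and the known-plaintext brute force an analyst uses to exploit it, next to the same cipher keyed from 32 bytes of OS entropy, which the same search cannot touch. The PNG header, the infection time and the sample file are all constructed for the example, and `random.Random` is used only to make the key-derivation flaw visible; it is not a cryptographic PRNG and the cipher itself is not the point.

```python
import os
import random

# Known plaintext: every PNG file starts with these eight bytes, so an
# encrypted PNG hands the analyst eight bytes of keystream for free.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for a victim's document (not a real image).
SAMPLE_FILE = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"constructed image payload"

# Constructed infection time (Unix seconds) used by the flawed encryptor.
INFECTION_TIME = 1_700_000_000


def keystream(seed: int, n: int) -> bytes:
    """n bytes of keystream from a Mersenne Twister seeded with `seed`.
    Assumption for the example: the whole key is this one integer."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def flawed_encrypt(plaintext: bytes, infection_time: int) -> bytes:
    """Toy ransomware with the classic implementation error: the key is the
    clock at infection, so the effective key space is a few thousand values."""
    return xor_bytes(plaintext, keystream(int(infection_time), len(plaintext)))


def unguessable_seed_encrypt(plaintext: bytes) -> bytes:
    """Same cipher, keyed from 256 bits of OS entropy. The seed is deliberately
    not returned: that is the position a real victim is in."""
    seed = int.from_bytes(os.urandom(32), "big")
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


def decrypt(ciphertext: bytes, seed: int) -> bytes:
    return xor_bytes(ciphertext, keystream(seed, len(ciphertext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int):
    """Brute-force the seed across a plausible infection window (bounded in
    practice by file mtimes or the ransom note's timestamp), accepting the
    first candidate whose keystream turns the ciphertext head back into the
    known header. Returns the seed, or None if no candidate in the window fits."""
    n = len(known_prefix)
    head = ciphertext[:n]
    for seed in range(int(window_start), int(window_end) + 1):
        if xor_bytes(head, keystream(seed, n)) == known_prefix:
            return seed
    return None


def recover_file(ciphertext: bytes, window_start: int, window_end: int):
    """Full analyst workflow: find the seed via the PNG header, then decrypt."""
    seed = recover_seed(ciphertext, PNG_MAGIC, window_start, window_end)
    if seed is None:
        return None
    return decrypt(ciphertext, seed)


if __name__ == "__main__":
    ct = flawed_encrypt(SAMPLE_FILE, INFECTION_TIME)
    window = (INFECTION_TIME - 3600, INFECTION_TIME + 3600)
    print("flawed strain recovered:", recover_file(ct, *window) == SAMPLE_FILE)
    ct2 = unguessable_seed_encrypt(SAMPLE_FILE)
    print("sound strain recovered:", recover_file(ct2, *window) is not None)
```

With the key drawn from the clock, the search is the size of the infection window (7,201 candidates for an hour either side) and eight header bytes pick out the right seed in well under a second. With the key drawn from `os.urandom`, the same search over any window returns nothing, which is the normal case: a firm that "decrypts" such a strain within hours has either found a separate implementation flaw that public researchers missed or has bought the key.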
Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.
Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)
According to an investigation by ProPublica, MonsterCloud has a long track record of secretly negotiating with hackers. ProPublica spoke with a number of former clients who believed that their files had been decrypted without their paying a ransom, even though the ransomware strains in question made this outcome highly unlikely; most are impossible to decrypt unless there is an error in the code. MonsterCloud is one of a handful of U.S.-based data-recovery companies that appear to follow a similar business model. By purporting to decrypt files using high-tech tools, these firms allow their clients to believe that ransomware can be addressed without sending funds to criminal syndicates—a strategy that’s particularly appealing to MonsterCloud’s publicly funded clients, such as municipalities or law-enforcement departments. Ransomware groups recognize that data-recovery firms can be lucrative partners; one offers a promo code especially for such firms.
https://www.newyorker.com/magazine/2021/06/07/how-to-negotiate-with-ransomware-hackers
MonsterCloud Reviews the Top 5 Ransomware Removal Tips for 2020 https://eprnews.com/monstercloud-reviews-the-top-5-ransomware-removal-tips-for-2020-469598/
Counterterrorism expert: Little Health Care Firms are the Brand New ransomware Goals

MonsterCloud's CEO says Ryuk attacks can be deadly for businesses that cannot afford to pay the ransom or to seek support from specialists. Top 5 extra methods to fend off ransomware: In 2019, 23 town governments in Texas underwent a coordinated ransomware attack. Tom Merritt [...]
Read full article here 📄 👉 http://bit.ly/32ELxhq
https://www.seowebdev.co/counterterrorism-expert-little-health-care-firms-are-the-brand-new-ransomware-goals/
The secret trick used by firms helping cyberhacking victims: pay the ransom
Four payments sent to hackers who targeted entities across the US were traced by ProPublica to an online wallet controlled by Proven Data

From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the UK. It caused more than $30m in damages to at least 200 entities, including the cities of Atlanta and Newark, the port of San Diego and Hollywood Presbyterian medical center in Los Angeles. It knocked out Atlanta's water service requests and online billing systems, prompted the Colorado Department of Transportation to call in the national guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn't be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6m in ransom.
"You just have 7 days to send us the BitCoin," read the ransom demand to Newark. "After 7 days we will remove your private keys and it's impossible to recover your files."
At a press conference last November, then deputy attorney general Rod Rosenstein announced that the US Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. "Many SamSam targets were public agencies with missions that involve saving lives, and the attackers impaired their ability to provide healthcare to sick and injured people," Rosenstein said. "The hackers knew that shutting down those computer systems could cause significant harm to innocent victims."
In a statement that day, the FBI said the criminal actors were "out of the reach of US law enforcement". But they weren't beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.

Proven Data Recovery's office in Elmsford, New York. Photograph: Jonno Rattman/ProPublica
Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018 from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the US treasury department, which cited sanctions targeting the Iranian regime.
"I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime," Storfer said. "So the question is, every time that we get hit by SamSam, and every time we facilitate a payment, and here's where it gets really dicey, does that mean we are technically funding terrorism?"
Proven Data promised to help ransomware victims by unlocking their data with "the latest technology", according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.
Another US company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks.
The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the US, such as Russia and Iran.
In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don't know how to deal in bitcoin or don't want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.
Siegel refers to a handful of firms globally, including Proven Data and MonsterCloud, as "ransomware payment mills". "They demonstrate how easily intermediaries can prey on the emotions of a ransomware victim by advertising guaranteed decryption without having to pay the hacker," he said in a blogpost. "Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory."
MonsterCloud's chief executive, Zohar Pinhasi, said that the company's data recovery solutions vary from case to case. He declined to discuss them, saying they are a trade secret. MonsterCloud does not mislead clients, and never promises them that their data will be recovered by any particular method, he said.
"The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation," he said. "Those victims of attacks should never make contact themselves and pay the ransom because they don't know who they are dealing with."
On its website, Proven Data says it "does not condone or support paying the perpetrator's demands as they may be used to support other nefarious criminal activity, and there is never any guarantee to obtain the keys, or if obtained, they may not work". Paying the ransom, it says, is a "last resort option".
However, the chief executive, Victor Congionti, told ProPublica in an email that paying attackers is standard procedure at Proven Data. "Our mission is to ensure that the client is protected, their files are restored and the hackers are not paid more than the minimum required to serve our clients," he said. Unless the hackers used an outdated variant for which a decryption key is publicly available, most ransomware strains have encryptions that are too strong to break, he said.
Congionti said that Proven Data paid the SamSam attackers "at the direction of our clients, some of which were hospitals where lives can be on the line". It stopped dealing with the SamSam hackers after the US government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. "Under no circumstances would we have knowingly dealt with a sanctioned person or entity," he said.
Proven Data's policy on disclosing ransom payments to clients has evolved over time, Congionti said. In the past, the company told them it would use "any means necessary" to recover data, "which we viewed as encompassing the possibility of paying the ransom", he said. That was not always clear to some customers. The company informed all SamSam victims that it paid the ransoms, and currently is "completely transparent" as to whether a ransom will be paid, he said.
"It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks," he said. "It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma."
No US laws prohibit paying ransoms. The FBI frowns on it officially and winks at it in practice. "Ransom payment encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes," an FBI spokesperson told ProPublica. But in 2015, the assistant special agent in charge of the FBI's cyber program in Boston said at a cybersecurity conference that the bureau "will often advise people just to pay the ransom", according to news reports.
Paying a ransom while pretending otherwise to a client, though, could constitute deceptive business practices prohibited by the Federal Trade Commission (FTC) Act, said former FTC acting chairman Maureen Ohlhausen. Neither MonsterCloud nor Proven Data has been cited by the FTC.
Storfer, who worked for Proven Data from March 2017 until September 2018, said in a series of interviews that the company not only paid ransoms to the SamSam hackers, but also developed a mutually beneficial relationship with them. As that relationship developed, he said, Proven Data was able to negotiate extensions on payment deadlines.
"With SamSam, we could say, 'Hello, this is Proven Data, please keep this portal open while we contact and interact with the customer while moving forward,'" Storfer said. "And they would remove the timer on the portal. And then they would respond quicker and in many cases would be able to provide things a little bit easier."
The SamSam attackers didn't identify themselves, he said. While Proven Data generally concealed its identity when responding to ransom demands, "we were very open with the SamSam hackers, and we would essentially announce ourselves", Storfer said.

The door to the office of Proven Data in Elmsford, New York. Photograph: Jonno Rattman/ProPublica
Eventually, the attackers began recommending that victims work with the firm. "SamSam would be like, 'If you need assistance with this, contact Proven Data,'" said Storfer, who declined to identify clients. Some of them wondered about this endorsement. "Honestly, the weirdest thing was clients would ask us why, and we would have to respond to that, which was not a really fun conversation," he added.
The referrals indicate the SamSam hackers' confidence that Proven Data would pay the ransom, said Bart Huffman, a Houston lawyer specializing in privacy and information security. Such prior understandings could be seen as a criminal conspiracy and may violate the US Computer Fraud and Abuse Act, he said.
"That does seem like you are working for the other side," Huffman said. "You are facilitating the payment at the recommendation of SamSam, in the manner suggested by SamSam."
Proven Data has never been charged with such a violation. The company never had a close relationship with SamSam attackers, said Congionti, who didn't comment on the recommendations specifically. "Our contact with attackers is limited to minimizing the attack on the customer ... Anyone can reach out to a hacker and tell them to keep the portal open longer."
Ransomware is one of the most common types of cybercrime. Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5m a year, according to statistics posted by the US Department of Homeland Security.
"Ransomware continues to spread and is infecting devices around the globe," the FBI said in a statement. "We are seeing different kinds of ransomware, different deployment methods, and a coordinated distribution." The FBI considers it one of the top cybercriminal threats.
Yet the FBI's Internet Crime Complaint Center counted only 1,493 ransomware victims in 2018, a figure the bureau itself says represents only a small fraction of total incidents. Victims don't report attacks, perhaps because they're embarrassed, or reluctant to acknowledge gaps in their IT security, according to law enforcement officials.
Even when victims do report ransomware, the culprits are rarely caught. While demands to businesses and municipal governments have reached as high as six figures, the average ransom sought is a few thousand dollars, according to cyber-research firms. That's well below the thresholds maintained by federal prosecutors to trigger an investigation, said former FBI deputy director John Pistole.
Local police departments lack the resources to solve cybercrime and themselves are frequently ransomware targets. "It is a weird gray area where there is a law but it isn't enforced," said Jeffrey Kosseff, an assistant professor of cybersecurity law at the US Naval Academy. "Ransomware is a real failure of the current legal system. There is not a good remedy."
European law enforcement agencies have had more success. In March 2018, for example, the Polish police in cooperation with the Belgian federal police and Europol arrested a Polish national suspected of having infected several thousand computers with ransomware. European law enforcement officials "just hang out on Slack channels where we tell them stuff", said Fabian Wosar, a UK-based security researcher, referring to the popular messaging platform.
Asked whether its agents also gather information via Slack, the FBI said that it must adhere to rules relating to federal agency recordkeeping, which makes the adoption of more agile communication methods trickier for us than for private sector companies.
When Wosar discovered servers in the US and the Netherlands that probably contained the attackers' decryption keys for the ASN1 ransomware strain and could help identify the criminals, he and another researcher notified the FBI and the Dutch national police. "Great news," a member of the Dutch high-tech crime team responded. "We are eager to start things up and try to seize the servers." The FBI replied with basic questions that reflected a lack of understanding of how ransomware works, said Wosar, who is head of research at anti-virus provider Emsisoft.
The bureau declined to comment on the incident.
As ransomware proliferated without an effective law enforcement response, an industry sprang up to unlock victims' computers. In the US, it was dominated by two firms: Proven Data and MonsterCloud. Each says it has assisted thousands of ransom victims.
The companies' claims to be able to release files using their own technology aroused Wosar's curiosity. He and other security experts sometimes find ways to disable ransomware, and they post those fixes online for free. But they can decrypt ransomware only if there are errors in the underlying software or if a security lapse allows the researchers themselves to hack into the attackers' server, he said; otherwise, it's essentially bulletproof.
"If there is a company that claims they broke the ransomware, we are skeptical," Wosar said. "Everything the ransomware did has been analyzed by other researchers. It's incredibly unlikely they were the only ones to break it."
In December 2016, he devised an experiment dubbed Operation Bleeding Cloud, after MonsterCloud and the Heartbleed software vulnerability. He and another researcher created a variant of ransomware and used it to infect one of their own test computers. Then they emailed MonsterCloud, Proven Data and several other data recovery firms based in the UK and Australia, posing as a victim who didn't want to pay a ransom.
Wosar said he sent some sample encrypted files to the firms along with a fake ransom note that he himself had written. Like many ransom notes, the demand included an email address to contact the attacker for instructions on how to pay. Each note also contained a unique ID sequence for the victim, so Wosar could later identify which firm had contacted him even if it used an anonymous email account.
The firms eagerly agreed to help. "They all claimed to be able to decrypt ransomware families that definitely weren't decryptable and didn't mention that they paid the ransom," Wosar said. "Quite the contrary actually. They all seemed very proud not to pay ransomers."
Soon the email accounts that he had set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.
"The victims are getting taken advantage of twice," he said.
Proven Data's Congionti and MonsterCloud's Pinhasi both said they could not recall this particular case. "If someone is saying that we promised up front that we would be able to decrypt their files, I am certain that this is inaccurate," Pinhasi said.
In testimonials on MonsterCloud's website, four local law enforcement agencies praise the firm for restoring their data following ransomware attacks.
One was the Trumann police department in Arkansas. When its computer system was infected in November, decades' worth of data including case notes, witness statements, affidavits and payroll records were frozen. The department's IT manager came across MonsterCloud on a Google search while frantically looking for a way to fix the problem, said the chief of police, Chad Henson.
Henson, who oversees about two dozen officers serving a population of 8,000, said he was reassured about MonsterCloud's capabilities when he discovered "how friendly they are to law enforcement and to government entities".
"That's when we made the phone call to them," he recalled. "They said: 'Don't worry about it. We are pretty sure we can get everything back.'"
Another reason he chose MonsterCloud, he said, was that it wouldn't pay the ransom. "I'm the one in the seat, the one charged to safeguard the department," he said. "To turn around and spend taxpayer money on a ransom, that is absolutely the wrong decision. It is the nuclear option. But with MonsterCloud, we can just remove that option."
MonsterCloud restored the police department's files within 72 hours, and assured the department it did not pay a ransom, Henson said. In return for the testimonial, it waived its $75,000 fee.
MonsterCloud's contract with the Trumann police, obtained under a public records request, calls its recovery method a trade secret and says the firm would not explain the proprietary means and methods by which clients' files were restored. It also says that if all possible means of directly decrypting clients' files have been exhausted, the firm would attempt to recover data by communicating with the cyber attacker.
Pinhasi said that the Trumann department was crippled by the Dharma strain of ransomware. Wosar and Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware, said there was no known way of decrypting the Dharma ransomware in use at the time. They said MonsterCloud must have paid a hacker.
Pinhasi declined to say how MonsterCloud retrieved Trumann's data, but noted that it did so for free. "We provide complimentary services to law enforcement agencies," he said. "There has never been one cent of taxpayer money used for any ransom we've been involved with."
In April 2016, a strain of ransomware called DMA Locker infiltrated the computer files and backups for Leif Herrington's real estate brokerage in Anchorage, Alaska. The ransom note demanded four bitcoin, then worth about $1,680. Herrington called the FBI's office there. "They said: 'There's thousands of these going on every day, we don't have the resources to do anything,'" Herrington said.
He called Proven Data Recovery. It told him it could unlock his files for $6,000. "They represented that they had proprietary software they developed to unencrypt," Herrington said. "They never said anything about paying the ransom."
A January 2018 FBI affidavit, seeking a search warrant to obtain information from Proven Data and its email provider, lays out what happened next. Herrington's IT consultant, Simon Schroeder, gave Proven Data a sample infected file for evaluation. A couple of days later, Schroeder watched as Proven Data unlocked a set of files in 45 minutes.
The firm cleared the files so quickly that Schroeder suspected it paid the ransom. Although Herrington was back in business, he called the FBI again. An agent came to his office to ask about Proven Data, Herrington said, adding that he and Schroeder turned over all their documents.
Herrington told the agent that he didn't know whether Proven Data actually had keys or if they were in cahoots with the ransomware attackers and just collected the money, he said.
The FBI confirmed his hunch. Records provided to the FBI pursuant to a federal grand jury subpoena showed four bitcoin flowing from a Proven Data account to the online wallet that the attackers had designated for payment. An email from the hacker's address thanked Proven Data for the payment and included instructions on decrypting Herrington's files.
"Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim's files by paying the subject the ransom amount," the affidavit said. (An FBI spokeswoman said in January that the bureau could not discuss the case because it was active. The US Department of Justice declined this month to identify the target of the investigation or to say if it's still ongoing. As yet, no charges have been publicly filed.)
Storfer wondered if the hacker behind DMA Locker was a British soccer fan because his emails contained references to Manchester United, including one username of "John United" and another honoring former team manager Alex Ferguson. The ransom price was in British pounds, an unusual currency in ransomware circles, he said.
Congionti acknowledged that the company paid Herrington's ransom. "It was the only option to get his data back," Congionti said. "We regret that he felt misled ... There was obviously a misunderstanding as to how we would solve his problem. We have re-examined all of our practices and procedures to ensure that such a misunderstanding does not occur again."
In 2017, Storfer was a year out of college and looking for a job when he spotted an opening for an office manager at Proven Data Recovery. After a short time there, he was assigned to negotiate with hackers. Storfer was responsible for some of the correspondence with ransomware attackers, Congionti said.
He soon realized that ransomware is a vast global industry. Most attacks on US targets originate from foreign countries, especially Russia and eastern Europe. There are hundreds of ransomware strains, and thousands of variants of those strains. Some are sidelined as their financial returns diminish or cybersecurity researchers devise ways to neutralize them, while new ones are always emerging.
Some ransomware attacks hit millions of computers indiscriminately, hoping to infiltrate them through infected spam email attachments. Others target businesses, government agencies, and not-for-profit organizations, sometimes with brute-force tools that invade computer networks. While individuals are frequently attacked, criminals increasingly extort institutions that have deeper pockets and that readily pay the ransom to minimize disruption to their operations.
Once ransomware penetrates the computer, a ransom note pops up on the screen. It may direct victims to a page only accessible through Tor, a dark web browser, or to a hacker's email address, for information on how to pay. Once the hackers receive confirmation of payment, usually in bitcoin but sometimes in even less traceable forms of cryptocurrency such as Dash and Monero, they send the software and key to unlock the files.
The hackers sometimes offer discounts, which Congionti said Proven Data's present policy is to pass on to clients. The dark website for the GandCrab strain offers a promo code box on its ransom checkout page exclusively for data recovery firms. After paying a ransom, the firms receive a code for a discount on a future ransom.
Proven Data kept a list of hackers who could supply decryption keys quickly and cheaply as needed, Storfer said. He bargain-hunted by stirring up market rate competition among them. "Even though one group may have done the hacking, a different group could provide you with the key and unlock the files" of Proven Data's client, he said.
Storfer often didn't know who he was dealing with. It could have been the ransomware creator or a middleman. He learned quickly never to use the term "hacking." Instead, he would assume his correspondent "thinks they're a businessman," Storfer said. "I'd say: 'Look, we can't afford this at this time. Do you mind providing your product at a lower rate?'" And it worked, he said. "They're doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way."
The rapport reaped discounts. "Once, we were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them," Storfer said.
Once the attackers agreed to lower the ransom for one client, it was easier to persuade them to reduce it for others as well. He'd tell them: "Look, we have another client who you may be able to help. Can you provide this pricing?" Their response is: "Sure thing."
Storfer rarely revealed his company's name to hackers. Still, by using the same anonymous email address repeatedly, he became familiar to them. "The hackers would want to verify that we worked with them before."
"And I want to be clear, 'worked with them' being the most accurate term, but I want to say that there is no love in this agreement," Storfer said. "And it was something that we would openly talk about, about how creepy and crawly we felt in general to have to put yourself on their side and empathize with these individuals to get them to work with you. Because you kind of have to shed your skin afterwards."
Despite Storfer's best efforts, sometimes the hackers behaved erratically. Proven Data would pay the requested ransom, but they would not respond. At such times, Storfer would share the attacker's email address and details of the snub with other hackers in the same group.
Then the hacker would come back and say: "Sorry, I've been on a coke binge for three weeks," Storfer said.
Storfer's conscience was weighing on him. He took a "don't ask, don't tell" approach to informing clients that Proven Data would pay their ransoms. If they didn't ask, "it was more of a lie by omission," he said. If they asked, he told the truth. He never felt comfortable interacting with cybercriminals. "But for the good of helping people that we were dealing with and making their lives easier, I thought it was a real benefit."
Even after Storfer left for a job outside the data recovery industry, Proven Data still paid the SamSam hackers. Chainalysis found that on 16 November 2018, 1.6 bitcoins, or about $9,000 at the time, moved from Proven Data's wallet to a digital currency address associated with the SamSam attackers, an intermediary step on the chain to the Iranian-controlled wallet. Twelve days later, the Iranians were indicted, and payments into their wallets were banned.
Today, hardly any money is left in those Iranian wallets.
Garen Hartunian contributed to this report.
An unabridged version of this story has been published by ProPublica. ProPublica is a nonprofit newsroom that investigates abuses of power. You can sign up to their Big Story newsletter for more stories like this.
The secret trick used by firms helping cyberhacking victims: pay the ransom was originally posted by NewsToday
Text
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra. From a report: Proven Data promised to help ransomware victims by unlocking their data with the "latest technology," according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica. Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims. The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.
from Slashdot http://bit.ly/2Ea4IpW
Text
Counterterrorism expert: Small healthcare companies are the new ransomware targets
MonsterCloud CEO says RYUK attacks can be fatal for businesses that can’t afford to pay the ransom or to get help from experts.
Text
Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers”
New Post has been published on https://www.aheliotech.com/blog/sting-catches-another-ransomware-firm-red-mosquito-negotiating-with-hackers/
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers.
Now there’s new evidence that a U.K. firm takes a similar approach. Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was “running tests” to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company’s communications to both sides.
Red Mosquito Data Recovery “made no effort to not pay the ransom” and instead went “straight to the ransomware author literally within minutes,” Wosar said. “Behavior like this is what keeps ransomware running.”
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware’s spread, and culprits are rarely caught. If files encrypted by attackers are not backed up, and a free public decryption tool is unavailable, usually the only way to clear them is paying the ransom, said Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware. But clients who don’t want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.
On its website, Red Mosquito Data Recovery calls itself a “one-stop data recovery and consultancy service” and says it has dealt with hundreds of ransomware cases worldwide in the past year. It advertised last week that its “international service” offers “experts who can offer honest, free advice.” It said it offers a “professional alternative” to paying a ransom, but cautioned that “paying the ransom may be the only viable option for getting your files decrypted.”
It does “not recommend negotiating directly with criminals since this can further compromise security,” it added.
Red Mosquito Data Recovery did not respond to emailed questions, and hung up when we called the number listed on its website. After being contacted by ProPublica, the company removed the statement from its website that it provides an alternative to paying hackers. It also changed “honest, free advice” to “simple free advice,” and the “hundreds” of ransomware cases it has handled to “many.”
Besides Red Mosquito Data Recovery’s website, a company called Red Mosquito has its own website. A person answering the phone at the Red Mosquito site said they are “sister” companies and that RMDR, as it is known, specializes in helping ransomware victims. The Red Mosquito site markets a wider array of cyber-services.
The two U.S. firms, Proven Data Recovery of Elmsford, New York, and Hollywood, Florida-based MonsterCloud, both promised to use their own technology to help ransomware victims unlock their data, but instead typically obtained decryption tools from cyberattackers by paying ransoms, ProPublica found.
We also traced ransom payments from Proven Data to Iranian hackers who allegedly developed a strain known as SamSam that paralyzed computer networks across North America and the U.K. The U.S. government later indicted two Iranian men on fraud charges for allegedly orchestrating the extortion, and banned payments to two digital currency destinations associated with them. Proven Data chief executive Victor Congionti told ProPublica in May it paid the SamSam attackers at the direction of clients, and didn’t know they were affiliated with Iran until the U.S. government’s actions. Congionti said that Proven Data’s policy on disclosing ransom payments to clients has “evolved over time” and it is now “completely transparent.”
MonsterCloud chief executive Zohar Pinhasi said in May that its data recovery methods are a trade secret and it doesn’t mislead clients. A spokesperson said Friday that Pinhasi stands by his earlier statements.
For his Red Mosquito Data Recovery experiment, Wosar said he created a fake ransomware, which he named “GOTCHA.” He also drafted a ransom note — laden with typos such as “immidiately” for authenticity, since many attackers aren’t native English speakers — with instructions for contacting the hacker, according to a copy of the note that he provided to ProPublica. Like many actual ransom notes, Wosar’s included a unique ID sequence, and instructed the victim to use it in any reply, the copy shows. Such a sequence helps real hackers know which victim is paying them. Wosar said he inserted it so that he could confirm it was Red Mosquito Data Recovery contacting him at the “hacker” email address, even if the firm didn’t identify itself. The ID sequence was an encrypted version of the company’s own name, he said.
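The per-victim ID described above is a canary: an opaque value planted in the note that only its issuer can map back to a recipient, so any message arriving at the "hacker" mailbox identifies which firm forwarded it. The Python below is an added example, not Wosar's code or the article's; it uses a constructed sting key and made-up firm names, and substitutes a keyed hash (HMAC) for the encrypted company name the article mentions, which serves the same purpose.

```python
import hmac
import hashlib
import re
from typing import List, Optional, Set

# Constructed values for this example only; none of them come from the article.
STING_KEY = b"constructed-sting-key-do-not-reuse"
CANDIDATE_FIRMS = ["Firm Alpha Recovery", "Firm Beta Data", "Firm Gamma Labs"]

# Canary IDs are 16 upper-case hex characters. The regex is case-sensitive and
# word-bounded so ordinary words in a reply are not matched by accident.
CANARY_RE = re.compile(r"\b[0-9A-F]{16}\b")


def make_canary(key: bytes, recipient: str) -> str:
    """Derive the per-recipient ID planted in the note.

    Keyed hash instead of encryption (an assumption of this example): the ID is
    still opaque to the recipient, and only the key holder can map it to a name.
    """
    tag = hmac.new(key, recipient.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:16].upper()


def render_note(key: bytes, recipient: str, contact_addr: str) -> str:
    """Build the note sent to one recipient, carrying that recipient's own ID.

    Same structure the article describes: contact instructions plus a unique ID
    the 'victim' is told to include in any reply.
    """
    canary = make_canary(key, recipient)
    return (
        "Your files have been encrypted.\n"
        f"To get them back write to {contact_addr}\n"
        f"Your personal ID: {canary}\n"
        "Include the ID in every message or we cannot help you.\n"
    )


def extract_canaries(text: str) -> Set[str]:
    """Pull every candidate ID out of a message received at the hacker mailbox."""
    return set(CANARY_RE.findall(text))


def identify_recipient(key: bytes, observed_id: str, candidates: List[str]) -> Optional[str]:
    """Map an ID seen on the hacker side back to the firm it was issued to."""
    for name in candidates:
        if hmac.compare_digest(make_canary(key, name), observed_id):
            return name
    return None


def attribute_message(key: bytes, message: str, candidates: List[str]) -> Optional[str]:
    """Decide which tested firm an anonymous hacker-side message came from.

    Returns the firm name, or None when no ID in the message matches. A message
    carrying IDs issued to two different firms is also reported as None, since
    that would mean note contents were shared and attribution is ambiguous.
    """
    matched = {identify_recipient(key, cid, candidates) for cid in extract_canaries(message)}
    matched.discard(None)
    if len(matched) == 1:
        return matched.pop()
    return None


if __name__ == "__main__":
    note = render_note(STING_KEY, "Firm Beta Data", "sting-contact@example.invalid")
    print(note)
    # Simulated reply at the hacker mailbox: subject line carries the ID, body does not name the sender.
    reply = f"Subject: {next(iter(extract_canaries(note)))}\n\nHow much for decrypt?"
    print("attributed to:", attribute_message(STING_KEY, reply, CANDIDATE_FIRMS))
```

Each firm under test must receive a note rendered with its own name; reusing one note across firms defeats the attribution.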
On April 17, posing as prospective client “Joe Mess,” Wosar sought RMDR’s help, according to emails he provided to ProPublica. Attaching the ransom note and sample files, he wrote in an email, “Two days ago I found my home server to be hacked by someone and all my pictures, documents, videos, and other files have been renamed to .gotcha files and encrypted… I don’t have any backups but I do not want to pay those assholes.”
“I am very confident we will be able to recover your files,” someone identifying himself as Conor Lairg replied later that day from a Red Mosquito email address, copies of the correspondence show. “We are now running tests and I will be in touch as soon as possible with an update.”
Two minutes later, Wosar’s hacker email account lit up with a response from “tony7877@protonmail.com.” The subject line contained the unique ID he had assigned to the victim, which meant the message could only come from Red Mosquito Data Recovery or someone that the company shared it with.
“How much for decrypt?” the respondent asked.
Meanwhile, “Joe Mess” pressed Lairg for confirmation that Red Mosquito wouldn’t pay the ransom: “So you think you may be able to help without me having to pay the ransom?”
“We are still investigating and will get back to you as soon as possible,” Lairg responded.
Less than an hour later, Wosar, posing as the hacker, began negotiating with “tony7877@protonmail.com,” the correspondence shows.
“$1200 in Bitcoin,” he wrote. “You pay, we provide key and decriptor (sic) to recover data.”
The respondent sought a better deal. “Can you do for 500 USD,” it replied.
Wosar’s hacker alter ego agreed to lower the price. “$900. Take it or kiss data bye bye,” he wrote. “We don’t run chairity (sic) here.”
The contact told him it would try to obtain the Bitcoin needed.
The next day, documents show, Lairg wrote to Wosar’s victim email address, saying he was “pleased to confirm that we can recover your encrypted files” for $3,950 — four times as much as the agreed-upon ransom. Lairg said the firm would recover the files within an estimated three business days. Payment would be required before recovery began, but the money would be returned if they couldn’t recover any of the files, he wrote.
Posing as the victim, Wosar asked: “How did you do it?” Lairg did not answer, instead providing details of how to handle payment and outlining steps to prepare for the recovery, such as disabling anti-virus software that could interfere with decryption, according to the documents. Wosar said he stopped communications after that.
No one named Conor Lairg is listed on the contact pages of either Red Mosquito website or on LinkedIn. Calls to both Red Mosquito companies did not reach him.
In its investigation, ProPublica found that both MonsterCloud and Proven Data used aliases in dealing with customers.
Using the same ruse, Wosar said, he also contacted Proven Data, MonsterCloud, and a company outside the U.S. with which his experiment is still in progress. Proven Data was “very open about paying ransoms so no point to following up after that,” Wosar said. He said MonsterCloud, which currently serves businesses and government agencies hit by ransomware rather than home users, did not respond.
“Wosar is well respected in the cyber security community, and we take no issue with him poking and prodding various cyber security companies,” Pinhasi, the MonsterCloud CEO, said in a statement Monday. “MonsterCloud did not respond to his inquiry simply because we do not serve individual consumers – there was no action to be taken. However, it’s my strong preference that oversight and regulation be done through appropriate bodies – industry and/or government organizations that are both peer reviewed for proper checks and balances and also utilize proper scientific method, study methodology, and processes.”
This is the second time that Wosar has targeted Red Mosquito, he said. In 2016, he said this year, he and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed Red Mosquito, as well as MonsterCloud and Proven Data, posing as a victim who didn’t want to pay a ransom, he said.
The firms eagerly agreed to help, claiming the ability to decrypt ransomware strains that were not actually breakable — and they didn’t mention that they paid ransom, Wosar said. The email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms. Wosar said he no longer has the email correspondence from the 2016 sting.
Congionti and Pinhasi both said they could not recall the particular case. Red Mosquito did not respond to an emailed question about it.
“Ransomware victims need to be aware that there’s no silver bullet when it comes to restoring their data,” Wosar said. “There is also no shame for a data recovery company in paying the ransom, as long as they are open and transparent about it.”
The post Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers” appeared first on Emsisoft | Security Blog.
Text
Ransomware recovery firms often just pay attackers’ ransom demands
Companies advertising ransomware recovery services often simply pay the attackers their ransom demand in exchange for the decryption keys, an investigation into the sector has revealed.
A former employee at Proven Data Recovery of Elmsford, New York, tells ProPublica that the firm “regularly made ransom payments to SamSam hackers over more than a year.”
Instead of using specialized decryption tools, as one would imagine, the company (and others like it) resorted to simply paying the attackers to decrypt the data, according to Jonathan Storfer, who worked at Proven Data Recovery.
The firm hasn’t always been very transparent about its practices, but it does openly admit to paying ransomware demands as a last resort. From the company’s website:
“Our goal as one of the first companies to become involved with Ransomware recovery is to restore business functionality as soon as possible while preventing future ransomware occurrences. Whether it’s reverse engineering the malware, restoring from backups, or as a last resort option paying the ransom, we’re standing by to get you up and running as soon as possible.”
MonsterCloud is another example offered in the ProPublica report. Despite professing to use its own data recovery technology, the Florida-based firm pays ransoms, “sometimes without informing victims such as local law enforcement agencies,” according to the report.
Like Proven Data Recovery, MonsterCloud charges victims fees that exceed the actual ransom amounts. Both firms also use aliases for their workers in communicating with victims.
Some players in the ransomware recovery industry are very open about their practices:
“In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.”
Proven Data Chief Executive Victor Congionti defends the practice. He says it’s easy to blame those who give in to a ransomware attack, but, when it’s your data, your business, and potential lives at stake, it’s not so black and white.
“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”
It’s an even bigger moral predicament when one realizes that many ransomware operators, such as those behind the SamSam ransomware strain, are essentially enemy states.
“Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran,” the report notes.
Investigators said the practice underscores the lack of options for ransomware victims, including the failure of law enforcement to catch or deter attackers.
As we’ve said before on this blog, the best option to prevent a ransomware infection is just that – to keep it from happening in the first place. Keep regular, offline backups of your most sensitive, business-critical data in case disaster strikes.
from HOTforSecurity http://bit.ly/2HpLn63
Text
Study Finds Most Ransomware Solutions Just Pay Out Crypto
A study by ProPublica found that most ransomware solutions providers have one weird trick for getting rid of hackers – paying them off.
Ransomware activity is growing weekly according to experts at Coveware. The result? Companies who just want to pay the ransom and move on.
According to Coveware, ransomware attacks were up in Q1 2019:
In Q1 of 2019, the average ransom increased by 89% to $12,762, as compared to $6,733 in Q4 of 2018. The ransom increase reflects increased infections of more expensive types of ransomware such as Ryuk, Bitpaymer, and Iencrypt. These types of ransomware are predominantly used in bespoke targeted attacks on larger enterprise targets.
Once hackers encrypt an infected computer, however, the real question is how to unlock your data. ProPublica found that many data recovery firms simply pay the ransom and then charge a premium for their trouble.
Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.
Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.
Going up
Ransomware is getting worse.
After US Attorney General traced and indicted two Iranian hackers for releasing ransomware called SamSam, authorities hoped the prevalence of attacks would fall. Instead, it rose, beating 2018 levels considerably.
The reason, many believe, is because ransomware is so lucrative. Hackers can launch an attack and then, when the victims discover the hack, they negotiate briefly with companies like MonsterCloud and others to unlock the computers. However, many of these companies offer recovery methods, and many security researchers work on free methods, like this one for the popular WannaCry ransomware.
Unfortunately, the hacks are getting worse and the software necessary is getting more complex.
Coveware admits to actually negotiating with scammers. They’ve found it to be one of the simplest methods for getting data back. The concern, however, is that these efforts are inadvertently funding terrorism. Further, they write, it is taking longer to decrypt hacked computers, thanks to new versions of the ransomware. In Q1 2019, wrote Coveware, the “average downtime increased to 7.3 days, from 6.2 days in Q4 of 2018.”
Pattern recognition
Coveware CEO Bill Siegel has found that the average ransomware recovery isn’t really a negotiation with “terrorists” as US Government officials believe. They’ve negotiated a “few hundred” ransomware cases this year and find that each hacker is different and often just frustrated.
“Our sense based on our study of the industry and experience is that the vast vast majority are relatively normal people that don’t have legal economic prospects that match their technical abilities,” Siegel said. “They also live in parts of the world that are beyond the jurisdiction of Western law enforcement, and are ambivalent about stealing from the West.”
Their process for talking with the hackers is also quite precise.
“We study their communications patterns so that we can build up a database of experience. There is a surprisingly small group of threat actors that are active at any given time, so identifying them is relatively straight forward. From there, we have scripts and tactics that we have honed over our experience. We draw on those to develop a negotiation strategy on behalf of our client. We know the hackers based on the profile and patterns they exhaust. We don’t communicate with them outside of representing our clients in a negotiation. All of the data exhaust we create from our cases is provided to law enforcement on a quarterly basis as well.”
Zohar Pinhasi of MonsterCloud said his company worked hard to use both methods – recovery and ransom.
The recovery process varies from case to case depending on the scope and nature of the cyber attack. Our methods for achieving data recovery and protection are the product of years of technical experience and expertise and we do not disclose the process to the public or to our customers. That is communicated clearly up front. However, what I can tell you is that we are a cyber security company, not a data recovery company. We have vast knowledge and experience dealing with these criminals, and we spend countless hours staying atop their evolving methods in order to provide our clients with protections against all future attackers, not just the one infiltrating their data at the time they come to us. We offer a money back guarantee to any client if we are unable to recover their data, and to date we have not had a single client report a follow-up attack from the same criminals or any other attacker.
While sending a few thousand BTC to a strange address might not sit well with many victims, it still looks like the best way to reduce downtimes. After all, it’s the organization’s fault for catching the ransomware bug in the first place. Prevention, as they say, is often better than the cure.
Image via Coindesk archive.
This news post is collected from CoinDesk
The post Study Finds Most Ransomware Solutions Just Pay Out Crypto appeared first on Click 2 Watch.
More Details Here → https://click2.watch/study-finds-most-ransomware-solutions-just-pay-out-crypto
Text
Florida Cyber Security firm MonsterCloud accepted into exclusive international organization “NoMoreRansom.org”
Contact: Donald Tremblay
Digital PR Manager
360 Digi Marketing
PRESS RELEASE:
HOLLYWOOD, FL (March 25, 2019) – Florida cyber security firm MonsterCloud has been accepted as a partner into www.NoMoreRansom.org, an exclusive “initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals”, it was announced today by MonsterCloud CEO Zohar Pinhasi.
“I am honored that MonsterCloud has been accepted as a supporting member of No More Ransom,” said Pinhasi. “We have assisted numerous U.S. law enforcement agencies that have fallen victims to cyber terrorists through ransomware. Now we will be able to extend our assistance internationally.”
The NoMoreRansom.org website is a portal offering advice and solutions to ransomware victims, including the following: Ransomware Q&A, Decryption Tools, and a “Crypto Sheriff” page to help victims determine what type of ransomware is affecting their device(s).
MonsterCloud has been in operation for over 15 years and has handled more than 7,000 cases. It is one of the first companies to offer cyber security as an outsourced service and is a recognized authority in protecting businesses and other organizations from cyber-attacks. CEO Zohar Pinhasi is a former Israeli military IT security intelligence officer who is a recognized expert in Counter Cyberterrorism, Ransomware Recovery, and Ethical Hacking. John Pistole, former FBI Deputy Director, is a member of the MonsterCloud Board of Directors.
https://monstercloud.com/
https://www.linkedin.com/company/monstercloud/
https://www.facebook.com/monstercloudllc/?ref=bookmarks
https://plus.google.com/117893643841529839350
https://twitter.com/monstercloudllc
Text
MonsterCloud Debuts Free Ransomware Removal Program for Law Enforcement Agencies
SNNX.com : MonsterCloud Debuts Free Ransomware Removal Program for Law Enforcement Agencies http://dlvr.it/Qcw53q
Photo

I’m pretty sure they were watching. #packingdistrict #anaheim #ac18anaheim #minimonster #monstercloud #sosweet https://ift.tt/2NIYal2
Text
In Computer Attacks, Clues Point to Frequent Culprit: North Korea
By Nicole Perlroth and David E. Sanger, NY Times, May 15, 2017
SAN FRANCISCO--Intelligence officials and private security experts say that new digital clues point to North Korean-linked hackers as likely suspects in the sweeping ransomware attacks that have crippled computer systems around the world.
The indicators are far from conclusive, the researchers warned, and it could be weeks, if not months, before investigators are confident enough in their findings to officially point the finger at Pyongyang’s increasingly bold corps of digital hackers. The attackers based their weapon on vulnerabilities that were stolen from the National Security Agency and published last month.
Security experts at Symantec found early versions of the ransomware, called WannaCry, that used tools that were also deployed against Sony Pictures Entertainment, the Bangladesh central bank last year and Polish banks in February. American officials said Monday that they had seen the same similarities.
All of those attacks were ultimately linked to North Korea; President Barack Obama formally charged the North in late 2014 with destroying computers at Sony in retaliation for a comedy, “The Interview,” that envisioned a C.I.A. plot to kill Kim Jong-un, the country’s leader.
The computer code used in the ransomware bore some striking similarities to the code used in those three attacks. That code has not been widely used, and has been seen only in attacks by North Korean-linked hackers. Researchers at Google and Kaspersky, a Moscow-based cybersecurity firm, confirmed the coding similarities.
Those clues alone are not definitive, however. Hackers often borrow and retrofit one another’s attack methods, and government agencies are known to plant “false flags” in their code to throw off forensic investigators.
The new leads about the source of the attacks came as technology executives raised an alarm about another feature of the attacks: They were based on vulnerabilities in Microsoft systems that were found by the N.S.A. and apparently stolen from it.
The N.S.A.’s tools were published last month by a hacking group calling itself the Shadow Brokers, which enabled hackers to bake them into their ransomware, which then spread rapidly through unpatched Microsoft computers, locking up everything in its wake.
“What happened with the Shadow Brokers in this case is equivalent to a nuclear bomb in cyberspace,” said Zohar Pinhasi, a former cybersecurity intelligence officer for the Israeli military, now the chief executive of MonsterCloud, which helps mitigate ransomware attacks. “This is what happens when you give a tiny little criminal a weapon of mass destruction. This will only go bigger. It’s only the tip of the iceberg.”