Beware - ransomware fixer parasites who do deals with your attacker

News by Mark Mayne

New research delving into the world of ransomware decryption offerings uncovers some dark double-dealing in the process

The latest development in the world of ransomware sees fake cyber-security consultancy firms promise to decrypt the files of ransomware victims, when in fact they merely act as middlemen between the victim and the attacker.

Check Point researchers found a Russian company, Dr Shifro, that appears to offer ransomware decryption services. The company claims to be able to decrypt Office documents, standard files and accounting databases, even those encrypted by Dharma/Crisis ransomware, as well as Bomber and Scarab ransomware.

"Something first seemed off when our team came across ‘Dr. Shifro’, that offered only one service – helping ransomware victims unlock their files. For an IT consultancy to offer only one unique service is highly unusual and arguably suspicious", noted the researchers.

"In addition, Dr. Shifro promises to perform dazzling feats of cyber wizardry to unlock files held captive by the Dharma/Crisis ransomware (for which no decryption key is available), among others. So, whereas IT services such as these usually explain they can only try and do their best, with no promises made, it seemed strange that Dr. Shifro guarantees to unlock files for ransomware that has no public key even available", they continued.

The reason behind this technical feat is, somewhat predictably, that the consultancy simply contacts the ransomware creator and strikes a deal for the keys, then relays the cost plus its own US$ 1000 (£780) fee back to the victim, in the case documented by the researchers. In response to a request for decryption keys, ‘Dr. Shifro’ emailed a malware creator stating:

"I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?"

"When organisations have been locked out of their most important files and data, they are desperate to regain access to them. It does not help that those who claim to be able to help them out are actually riding the ransomware wave and profiting from attacks. Activities such as those carried out by Dr. Shifro bring additional losses to ransomware victims, because of the extra charges for their services.

"These activities merely encourage the popularity of ransomware as an attractive method for cyber-criminals to use, to extort money from the organisations and individuals they attack. It is possible that we will see others getting in on this parasitic development in the ransomware landscape", the Check Point researchers told SC Media UK.

Dr Shifro is estimated to have conducted more than 300 ransomware decryptions for customers. That figure is based on the trading volume of Dr. Shifro’s account, around 100 BTC, which could be extrapolated to a spend of £300,000 on key purchases: paying approximately £950 for each key and charging the customer a fee of around £1,000 on top.

Enterprises affected by ransomware should visit Europol’s NoMoreRansom site for further advice and legitimate ways to unlock encrypted files. However, as highlighted in a recent SC Media NCSC exclusive, advance preparation is the best defence.

The average ransomware demand to businesses is around US$ 10,000 (£7,800), and the ransomware industry is now worth an estimated US$ 5 billion (£3.9 billion) annually, according to estimates from Europol’s 2018 Internet Organised Crime Threat Assessment.
