Ransom recovery firms found simply paying off attackers

News by Robert Abel

ProPublica was able to trace four payments sent in 2017 and 2018 from an online wallet belonging to Proven Data Recovery to a wallet maintained by Iranians believed to be spreading SamSam ransomware.

Imagine your company gets hit with a ransomware attack. Critical files become inaccessible, work productivity is lost, sensitive data could be at risk of either being compromised and leaked or even deleted, all while being extorted by a cyber-assailant for funds your firm may or may not be able to shell out.

Companies often call in firms that offer "high-tech" ransomware solutions in these situations, but a recent report from ProPublica found that some of these companies simply pay off the attackers.

In one instance, the publication was able to trace four payments sent in 2017 and 2018 from an online wallet belonging to Proven Data Recovery, an American firm that claims to help companies regain access to their computers, to a wallet maintained by Iranians believed to be responsible for spreading SamSam ransomware.

"I would not be surprised if a significant amount of ransomware both funded terrorism and also organised crime," Jonathan Storfer, a former employee with the company told the publication. "So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?"

Another company, MonsterCloud, was cited in a case of paying attackers: the firm charged US$ 2,500 (£2,000) for an analysis of the problem and quoted up to US$ 25,000 (£20,000) to recover from an attack in which the ransom demanded was only US$ 7,000 (£5,500) worth of bitcoin.

In addition, when the consultant handling the ransomware attack asked for specifics on how the data would be recovered, MonsterCloud was evasive, said Tim Anderson, a Houston-based IT consultant who was handling the problem for a client.

"I immediately smelled a rat," Anderson told ProPublica. "How do I know they’re not taking the US$ 25,000 and paying the ransom guy US$ 7,000 of it? The consumer doesn’t know what’s going on."

This article was originally published on SC Media US.
