
Company Pretends to Decrypt Ransomware But Just Pays Ransom

SupremeGOAT

Ransomware has created "jobs" for malware devs and security "specialists" alike. The saying "Prevention is better than cure" has never been more true than in this case.

Quote

 

Researchers from leading cybersecurity vendor Check Point have uncovered a Russian IT consultancy named Dr. Shifro (http://www.dr-shifro.ru/) that claims to unlock and recover consumers’ and businesses’ encrypted files. But in fact, the company simply pays the ransomware’s creator themselves and passes the cost onto the victim at a 75%-plus profit margin.

 

Dr. Shifro offers only one service – helping ransomware victims unlock their files. It claims to be able to unlock files scrambled by the Dharma/Crisis ransomware (for which no decryption key is available), among others, which is suspicious. This caused the Check Point researchers to investigate.

They found that Dr. Shifro was actually making contact with the ransomware’s creator themselves and making a deal to unlock the victim’s files in return for the ransom payment (in the case the researchers followed, $1300). Dr. Shifro then passes that cost on to the victim, with their own fee charged on top (another $1000).

 

The researchers found correspondence between Dr. Shifro and a ransomware creator which shows how Dr. Shifro’s ‘consultancy’ works. By connecting directly with the threat actor to collect the decryption key, in return for payment, Dr. Shifro simply acts as a broker between victim and attacker

I'm not sure if this was originally in Russian and then roughly translated but this is the correspondence that was found.

 

“I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?” 

 

Well, at least he is trying to get a discount, eh? Maybe that will mark down the markup? lol. This next bit is from BleepingComputer.com.

 

Shifro_business_model.png

Quote

The researchers say that the revenue from this type of activity rises to at least $300,000, calculated at an average BTC price of $3,000 recorded during their investigation. However, it is unclear if all victims were billed the same.

The general recommendation is not to pay the ransom in order to make the ransomware business unprofitable. So turning to a company that can decrypt files is a way to get the data back without endorsing criminal activity.

Ransomware victims should be aware that a legitimate company offering file decryption services does not make bold claims regarding the success of their efforts because there is a good chance of failure, especially with data locked by strong encryption. Only the availability of the decryption keys can give the confidence of recovery.

To be fair, people in the position to fall completely for ransomware would just panic and seek the nearest oasis. Normal tech people such as myself send inappropriate pictures to the ransom dev, format our PCs and copy the files back from our backup drive(s), cloud-based or otherwise.

 

Here is some interesting info to boot

Quote

This activity is not without restrictions, though, and these companies should be more careful about who they negotiate with. At the end of November, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions for two Iran-based individuals associated with SamSam ransomware, banning any business with them. This means that transactions to their cryptocurrency wallets are in violation with the imposed sanctions.

Yeah these guys are evil and need to be stopped! Preying on innocent people like that... THEY ARE THE WORST!

 

Quote

The average ransom demand to businesses is around $10,000. According to Europol’s 2018 Internet Organized Crime Threat Assessment, the ransomware industry is now worth an estimated $5 billion annually.

.... then again...

Sources:

https://www.informationsecuritybuzz.com/news/beware-ransomware-doctors/

https://www.bleepingcomputer.com/news/security/company-pretends-to-decrypt-ransomware-but-just-pays-ransom/


6 hours ago, SupremeGOAT said:

Shifro_business_model.png

My favorite part about this graphic is they made it in MS Word or something, and left the red underlines in. Fuck it.


Found this humdinger in the comments 

image.png.41a7a4aecaf31fe5989a612839d0fcc0.png


Not paying the ransom to get your data back is the same principle to not paying the ransom to get your husband or son back. Sure, if everyone does it the kidnappers will find it unprofitable in the long run, but are YOU ready to sacrifice your loved ones for the benefit of potential future victims? Yeah, I don't think so.


5 minutes ago, AndrewCC said:

Not paying the ransom to get your data back is the same principle to not paying the ransom to get your husband or son back. Sure, if everyone does it the kidnappers will find it unprofitable in the long run, but are YOU ready to sacrifice your loved ones for the benefit of potential future victims? Yeah, I don't think so.

You can back up and restore data; you can't do the same for a person. Saying that losing data you weren't smart enough to back up is like losing a loved one is just stupid.


If you need to consider paying the ransom for your data it means you have no backups.

And if you lack reading comprehension, I said the principle behind not paying is the same, not that losing my photos or the project data I was working on were equivalent.


Or you know, don't download suspicious programs.


This only encourages more ransomware attacks. Who knows, maybe the attackers will start pushing ads for this Dr Shifro...makes sense for them.


I'm so confused. How do people actually still get viruses nowadays? Especially the serious ransomware ones?

 

I mean, I download crap, I go to porn sites, yet my computers remain virus free....


2 hours ago, corrado33 said:

I'm so confused. How do people actually still get viruses nowadays? Especially the serious ransomware ones?

 

I mean, I download crap, I go to porn sites, yet my computers remain virus free....

I mean, people are getting better at designing viruses these days. People are still uneducated I guess. 

 

I don’t get why they didn’t just pay the ransom themselves, cut out the middle man and save some money. 


Why would you pay more to someone instead of just paying up the ransomware? Sure, they say don't pay the criminals, but if that's the only way to your important files, then you do it. The thing is, ransomware makers need to be honest when decrypting files after payment. If they weren't, that would be bad for their business, because then no one would pay up if it was known that they don't keep their end of the deal.


22 minutes ago, RejZoR said:

Why would you pay more to someone instead of just paying up the ransomware?

There's no real guarantee the criminal won't just keep your money and the files. People spend more money for the (perceived) safer choice.


10 minutes ago, JoostinOnline said:

There's no real guarantee the criminal won't just keep your money and the files. People spend more money for the (perceived) safer choice.

Because that would be bad for their business? They need to give users a guarantee; otherwise, what's the point of paying? If it becomes common knowledge that they don't unlock things, then no one will even bother to pay them, which is bad for them. So they make sure they decrypt the files for which people pay.

 

Sure, this guy was a hack, but that's the whole logic behind it. They need to get paid, otherwise all ransomware is pointless. This Russian dude just found a way to make a buck from someone else's crime lol


I wonder why there are no crackers to solve this issue?

Because it's not an "official" game/program, so nobody cares?


1 hour ago, dgsddfgdfhgs said:

I wonder why there are no crackers to solve this issue?

Because it's not an "official" game/program, so nobody cares?

Good luck decrypting a randomly generated key that was used to encrypt your files, especially if a new key was generated for each file, giving you basically double-layered encryption, since to decrypt the files you need the key to begin with...

Some Ransomware did get cracked, because they "shipped" the key with the ransomware instead of randomly generating it.

 

Unless you have a quantum computer, it's downright impossible to "crack" this procedure, only hoping that malware developers implemented (intentionally or not) some type of backdoor that would allow you to recover your files, this is not as basic as cracking a videogame back in the 90s by setting a "CD is present" bit, or emulating an online activation service for licensing that's activated with an internet connection.
