Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom (propublica.org)
"ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there's new evidence that a U.K. firm takes a similar approach."
An anonymous reader quotes their report: Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company's communications to both sides. Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said. "Behavior like this is what keeps ransomware running."
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware's spread, and culprits are rarely caught... But clients who don't want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.
Red Mosquito charged their client four times the actual ransom amount, according to the report -- though after ProPublica followed up, the company "did not respond to emailed questions, and hung up when we called the number listed on its website."
The company then also "removed the statement from its website that it provides an alternative to paying hackers. It also changed 'honest, free advice' to 'simple free advice,' and the 'hundreds' of ransomware cases it has handled to 'many.'"
Re: Data Recovery (Score:3, Interesting)
Re: (Score:2)
Yes. It does actually. In this case they have participated in a criminal conspiracy. US law is quite clear on this. The problem is that they accepted money in furtherance of a criminal enterprise and profited. If they had broken the encryption as advertised, or advertised a brokerage service then they would have been fine, but they didn't. They fraudulently offered a service that they didn't provide, choosi
Re: (Score:1)
Re: (Score:3)
Haha (Score:1)
Wonder if they had any organized crime or government clients.....
Um, he *did* work for the police! (Score:1)
Oh, wait!
STOP USING WINDOWS. (Score:1)
For fuck's sake, anyone who doesn't know how to protect themselves from this shit by now should just go live in a cave somewhere.
Re: (Score:2)
You need immutable backups. An external hard drive will be just as encrypted. You need something like ZFS with snapshots on a remote server and a URBackup client on your machines or something similar. FreeNAS has a load of backup plugins, it literally takes a few hundred dollars in hardware and a half a day to backup an entire office worth of clients.
Re: (Score:2)
2TB? That's cute. Maybe you can use that to backup Gamgam's Facebook machine from 2005.
Re:STOP USING WINDOWS. (Score:5, Interesting)
It's absolutely possible to use Windows and still protect yourself from ransomware and other malware.
Keep Windows and your software (browsers, Office etc) up-to-date with the latest patches.
Don't run old versions of software that are no longer secure or maintained (or if you have to run them for legacy reasons, keep them disconnected from the Internet if at all possible)
Run a decent anti-virus program and keep it up to date so it will pick up the latest viruses and nasties (and if it gives you any kind of warnings or alerts, do what it says and don't just ignore it)
Take regular backups (and take steps to make sure you don't overwrite your backups after a ransomware infection)
Run a decent ad-blocker (and/or other filtering) that blocks infections by malvertising. (There are filters and blockers that catch out known dangerous sites as well.)
Don't download/run/open strange or unknown programs/documents (if you get an email from someone you don't recognize and aren't expecting that contains strange-looking attachments, don't open them).
Don't click strange links in/on Spam emails, weird online ads or unknown websites.
There are probably others but if you practice proper cyber safety and do the other things suggested above it is definitely possible to keep a Windows PC safe from malware (I have been running Windows for many years and can't think of any time malware has ever actually caused serious problems for me or my PC or caused any data loss)
Re: (Score:1)
If fewer people were using Windows, the market share for malware infecting other platforms would be greater. It's not a Windows-intrinsic property; it's just that it is so widely used, which is why it doesn't really make sense to think everybody using some Unix would actually help in the long run.
Re: (Score:2)
Well, due to a combination of security through obscurity, its absurdly minuscule userbase, and general batshittery, I'm going to go out on a limb here and say that TempleOS is probably more secure than any of the big players. I doubt a single piece of malware exists for it, unless you're going to count the OS itself as malware, in which case there's a certain other malware OS called Windows 10 that is probably less secure.
Re: (Score:2)
I feel like this is way too akin to trying to get people to use condoms.
"Practice safe [sex|cyber] and you won't get infected."
Re: (Score:3)
It sounds like what you're saying can be boiled down to "don't make a mistake".
Easy to say, hard to do.
Yes, most of what you said makes sense and I agree with it (backups, anti-virus, don't click on sketchy links, etc) but it all still comes down to "don't step on that landmine".
The only solution is regular, verified backups stored in secure location(s). Everything else is just window dressing- good to have but in the end, not a defense against disaster/breach/infection.
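The list above ends with "take steps to make sure you don't overwrite your backups after a ransomware infection", and this reply insists on "regular, verified backups". As an added example, not code from any commenter, here is a small guard that a backup rotation script could call before replacing its last good copy: it compares a manifest of the current tree with the previous one and refuses the rotation when most known files have vanished or turned into high-entropy blobs. The file names, thresholds and sample data are all constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_manifest(root: str) -> dict:
    """Map relative path -> (sha256 hex, entropy) for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            manifest[rel] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return manifest

def assess_rotation(previous: dict, current: dict,
                    max_changed_ratio: float = 0.25,
                    entropy_threshold: float = 7.0) -> tuple:
    """Return (allowed, reasons). Refuse when a large share of previously
    known files vanished (mass rename) or changed into high-entropy data."""
    if not previous:
        return True, []  # first backup: nothing to compare against
    vanished = [p for p in previous if p not in current]
    encrypted = [p for p, (digest, ent) in current.items()
                 if p in previous and previous[p][0] != digest
                 and ent >= entropy_threshold]
    total = len(previous)
    reasons = []
    if len(vanished) / total > max_changed_ratio:
        reasons.append(f"{len(vanished)}/{total} files vanished")
    if len(encrypted) / total > max_changed_ratio:
        reasons.append(f"{len(encrypted)}/{total} files became high-entropy")
    return (not reasons), reasons

def make_sample_tree(root: str, encrypted: bool, count: int = 8) -> None:
    """Constructed sample data: text files, or random bytes standing in for
    ciphertext when `encrypted` is True (same names, as in-place encryption)."""
    for i in range(count):
        with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
            fh.write(os.urandom(4096) if encrypted
                     else (f"quarterly report {i}\n" * 200).encode())

def demo() -> tuple:
    """Return (benign_edit_allowed, mass_encryption_allowed)."""
    with tempfile.TemporaryDirectory() as base:
        good, bad = os.path.join(base, "good"), os.path.join(base, "bad")
        for d, enc in ((good, False), (bad, True)):
            os.makedirs(d)
            make_sample_tree(d, encrypted=enc)
        baseline = snapshot_manifest(good)
        with open(os.path.join(good, "doc0.txt"), "ab") as fh:
            fh.write(b"addendum\n")  # a normal edit must still pass
        benign_ok, _ = assess_rotation(baseline, snapshot_manifest(good))
        attacked_ok, _ = assess_rotation(baseline, snapshot_manifest(bad))
    return benign_ok, attacked_ok
```

A refused rotation is the moment to keep the old copy and investigate, which is what "verified" backups buy you that a blindly overwritten external drive does not.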
Re: (Score:3)
Reading each and every comment this morning, I was disappointed at the utter fucking garbage that wasted my time. /. is getting worse in that regard.
Thanks for posting the only goddam shit that got a mod point above a 2.
Re: (Score:3)
Re: (Score:2)
Exactly, that ${a bazillion of inconvenient precautions that realistically nobody will be able to adhere to} are because complex computers are not and never were suitable for non technical users.
Go buy an ios device or a chromebook. If you are not technically competent enough to manage a complex system, have someone else manage it for you.
Re: (Score:3)
You're a moron, not an idiot, an outright moron. Windows isn't the cause of ransomware. Users executing code voluntarily is the cause. It works really well in Linux as well.
Comment removed (Score:4, Funny)
Re: (Score:3)
Sure, just like hydrogen wasn't the cause of the Hindenburg disaster.
It wasn't. Conductive, flammable paint was responsible. (Not the accelerant, the aluminum itself.) Further, most people aboard were able to survive the Hindenburg, by jumping off.
Re: (Score:2)
Re: (Score:2)
Windows isn't the cause of ransomware.
Sure, just like hydrogen wasn't the cause of the Hindenburg disaster.
-jcr
Oh? I just installed Windows and I didn't get attacked by ransomware. What am I doing wrong? How would Linux defend me against this? Which Linux distro by default mounts the user's home directory as read-only and blocks the user from modifying files?
Don't pretend to be dumb jcr, you are smarter than this, from your post history we can see you often put some thought into your comments, why not this time?
Re: (Score:2)
Re: STOP USING WINDOWS. (Score:1)
Re: (Score:1)
Re: (Score:2)
No, the cause of ransomware is allowing people with no technical background to use a highly complex piece of equipment.
Windows is not the sole reason, and ransomware problems would still exist if linux or macos were the most common systems, however windows has significantly contributed towards making the problem worse...
Windows has always encouraged voluntary execution of code, that's always been the standard installation method and there were even features to automatically execute code stored on inserted m
Re: (Score:2)
"Idiot" and "moron" are technical words from different eras that describe the same thing.
When used as a pejorative, they also mean the same thing.
As a great person once said, "Don't be a maroon."
Re: (Score:2)
No, they are technical definitions from the same era that describe differing degrees of the same thing, said being mental retardation. While there are older definitions for idiot, they were not technical definitions. Moron was a word specifically created having a technical definition.
"Idiots.—Those so defective that the mental development never exceeds that or a normal child of about two years.
Imbeciles.—Those whose development is higher than that of an idiot, but whose intelligence does not exc
Re: (Score:2)
Know of any decent caves for rent at median prices?
Very Oliver North (Score:2)
This is precisely what Oliver North was convicted of during the Iran-Contra affair in the late 1980s. The Wikipedia article about Oliver North describes it: the US government covertly sold weapons to Iran to get hostages released. Now in possession of illegal money, from a violation of US foreign policy and various treaties, the money was used illegally to support the Contras in Nicaragua, which had also been specifically prohibited by Congress.
It's another reason not to pay extortion. Middlemen or mone
Re:Very Oliver North (Score:4, Interesting)
The US government did not sell weapons to get hostages released. Rather, the Reagan campaign negotiated a deal with Iran to hold the hostages a little bit longer, so that they were not released before the elections, so that they could be used by team "Alzheimer".
The weapons were sold later to Iran 1) because Iran kept their side of this deal and 2) because the money came in handy for other purposes. One of which was financing literal cutthroats to block people in Latin America asking the US business interests there for higher wages, because higher wages are "communism", and "communism" is "bad".
Re: Very Oliver North (Score:1)
Nice story, bro.
Do you have a cite that's more credible than Alex Jones?
Re: (Score:2)
Sure, "bro". There is a bunch of Iranians, including a former president, and people linked to the Reagan campaign who have made it plain the negotiations happened. The sudden travels of Caspar Weinberger to places in Europe which matched the movement of important Iranian figures are also very telling. And so on, and so forth.
This scandal brought to life the phrase "October surprise". You think it was for nothing?
Keep reading, not so much the article as the linked references for more.
https://en.wikipedia.or [wikipedia.org]
Mod parent up (Score:2)
Re: (Score:2)
It is hardly the first use of this tactic by a Republican. The Chennault Affair predates Weinberger's travels to Europe in the summer of 1980 by a whopping 12 years.
What is the Chennault Affair? Well, in 1968 a journalist of Chinese origin sabotaged the peace talks in Vietnam because that gave Nixon an election advantage.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
So your theory is that the Carter administration had successfully convinced Iran to release hostages. And they would've been released except the Reagan campaign "offered them a better deal" to hold the hostages until after the election? Why exactly would Iran, which had already held the hostages for 300+ days, s
Re: (Score:2)
The idiot is just brainwashed and readily denies every fact that doesn't fit into their narrow world view - "Murricah, fuck, yeah". Or, as the Soviet party members used to say back in the day, "I won't see it, but I condemn it".
Why? Here's why... extensive analysis not required (Score:2)
For many of these Fortune 500 customers, time is money.
The encryption used by these ransomware criminal groups or individuals is often of a sufficiently complex manner that it would take thousands, if not millions, of years to crack through brute force, if a "time clock" isn't already attached to that ransomware threatening total deletion of encrypted data if the ransom isn't paid within a certain amount of time.
Even if one of these companies has access to a supercomputer cluster, it wouldn't be enough to c
Re: (Score:2)
What's next? (Score:3)
The FBI paying Ransom to kidnappers to get the victim back?
Re:What's next? (Score:4, Interesting)
The issue is honesty. If they just said they were going to pay, manage the process and ensure data was properly decrypted, and then secure the systems so it doesn't happen again, then that would be fine.
It's the lying about it that is the problem. How can you trust them with your data when they lie to you?
Re: (Score:1)
"The issue is honesty. If they just said they were going to pay, manage the process and ensure data was properly decrypted, and then secure the systems so it doesn't happen again, then that would be fine.
It's the lying about it that is the problem. How can you trust them with your data when they lie to you?"
IOW you can never again buy a German car.
Re: What's next? (Score:1)
Electronic anonymous payment methods should not exist. If you want to use physical cash, by all means do so and remain quasi-anonymous. Any online financial transactions should require a 'private key/public key' authentication scheme, and all the public keys should be mandatory to disclose.
People aren't going to stand for this shit indefinitely. If cryptocurrency continues to facilitate this kind of shit, it will be used as a reason by the powers-that-be to shut it down.
Re: Pay your bills (Score:1)
The power company has a physical presence somewhere. These ransomware folks need to disclose their location so somebody can park a truck bomb next to it.
All thanks to BitCoin (Score:1, Interesting)
The only way these ransomware attacks are possible is due to cryptocurrency. Otherwise, they would have had to make a bank transfer (easily traceable) or a cash payment (very risky, can't be scaled globally).
Re: All thanks to BitCoin (Score:1)
Wrap the transactions in a full-disclosure security model. To claim bitcoins in a transaction, require bullet-proof identification. Sorry, libertarians, the State needs to become part of this. It's actually one of the few legitimate roles for government.
Re: (Score:2)
Re: Fantastic musician and cyber-investigator (Score:1)
Doesn't he work for an outfit called the police? Our boys in blue, doing a splendid job!
When the World Is Running Down... (Score:4, Funny)
... you make the best of what's still around
Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom
Somebody call the police.
(I'll let myself out)
Any choice? (Score:2)
Re: (Score:2)
This is why backups should be taken.
Literally, it's as simple as that. Back up your machine / system. If ransomware can get on it and trash it, so can anyone else, and so can a hardware or software problem.
With backups, ransomware is useless. All it could try is a reverse ransom - "give us money or we'll *release* your data to the world", a blackmail. But, the problem there - they already have your data and there's nothing stopping them releasing it anyway.
Backup. That's your cure to ransomware. Not ba
Re: (Score:2)
Ransomware creators rarely steal any data beyond credentials. They'd have to back up their "clients" somewhere (perhaps a cloud service) and it would cost them a lot of money where the payout would be small. The "interesting" data in a business is very small compared to the total amount of data they have.
Re: Any choice? (Score:1)
Correct. And also, cryptocurrencies in their present form should be banned. They are flagrantly non-democratic, beyond the will of elected government. Shut 'er down. We have proven the world can't handle 'nice things' like that.
Re: (Score:2)
Somebody should hire some kpop bands to write songs about backing up the servers, it is the only way to sell it at this point. Society has declined, you can't sell engineering anymore you have to disguise it as dance music.
Well, Sting should know. (Score:3)
Re: (Score:2)
He also did "Consider Me Gone," "Russians," "Seven Days," "The Pirate's Bride," and "History Will Teach Us Nothing."
He's always been at the cutting edge.
Re: (Score:2)
He puts your data in a bo-o-o-o-o-o-ottle, data in a bo-o-o-o-o-o-ottle...
Getting things right is easy. (Score:2)
The first few of these ransomware attacks ended with some company releasing a "code generator" or "decryptor" that would generate the code to decrypt your files or actually do the decryption.... That's bad cryptography for you.
But getting things right is not that hard. Generate a random key, use that to encrypt the files, encrypt the key with the public key of the hacker. The hacker needs his private key to decrypt the encrypted key and voila!
The only way to mess this scheme up is to make things easier for
Not gettin' it (Score:2)
So if the company is paying the ransomware fee, they must be charging the customer (the victim) more than whatever the ransom is, right?
If the ransom is (for example) $500K and the company wants $600K to 'unlock' the data, why doesn't the customer/victim just pay the $500K and save $100K?
I confess, I don't understand how this works. Why would you pay more than the ransom fee to a third party?
Re: (Score:2)
they're negotiating a ransom
funny how IT departments aren't getting purged over this for not being able to recover databases and such
Re: (Score:2)
funny how IT departments aren't getting purged over this for not being able to recover databases and such
I agree- heads should roll. Everyone in the chain of responsibility for this debacle should be fired (and not just IT staff, but anyone who had any responsibility for ensuring that this wouldn't happen).
Will these cities learn a lesson and start doing proper backups? I doubt it. I mean, that shit costs money, and now they don't have any, lol.
My guess is that they'll hire a firm to come in and give the employees more training on how not to click on a link, but that's about it.
Hey, it's good business... (Score:2)
I mean, the ransomware recovery companies would go out of business without ransomware. So they need to keep ransomware alive and well - by paying those ransoms. As long as they can charge their customers more, everybody's happy.
It's no different from the suspicions many of us harbored about certain anti-virus makers: without viruses, they would be out of business, so maybe, just maybe, they helped ensure that viruses remained alive and well?
Of course, it's a bit embarrassing to be caught. It would be nice i
They are not "just" paying the ransom (Score:2)
Companies who fall victim to ransomware attacks don't really care about how their data is recovered. They just want their data back, even if it means paying the ransom.
But they don't want to get their hands dirty. Paying criminals is bad for their reputation, there may even be legal repercussions. They are also not guaranteed that paying the ransom will work. So instead, they call "data recovery" firms that do the dirty work for them and provide some form of insurance. If they manage to work without paying
Digital Danegeld (Score:2)
Time to call in The Police (Score:2)
Good old Sting (Score:2)
It's nice to see an ageing pop star who can find a new career that is really useful.
Send an SOS to the world (Score:2)
Re: You don't need a "ransomware recovery firm" (Score:1)
Just because wobbly old ladies need to sometimes walk across the street doesn't mean neighborhood toughs should be able to push her over, breaking her hip. Blaming the lack of a backup is victim-blaming. Surely we are better than that. Society is based on the notion that we don't need to live inside case-hardened steel forts. Criminal elements should never be rewarded. In fact they need to be vigorously punished.
This whole issue needs to be resolved with some very public cases that result in incarceration.