Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime Encryption Security

Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom (propublica.org) 148

"ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there's new evidence that a U.K. firm takes a similar approach."

An anonymous reader quotes their report: Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company's communications to both sides. Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said. "Behavior like this is what keeps ransomware running."

Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware's spread, and culprits are rarely caught... But clients who don't want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.

Red Mosquito charged their client four times the actual ransom amount, according to the report -- though after ProPublica followed up, the company "did not respond to emailed questions, and hung up when we called the number listed on its website."

The company then also "removed the statement from its website that it provides an alternative to paying hackers. It also changed 'honest, free advice' to 'simple free advice,' and the 'hundreds' of ransomware cases it has handled to 'many.'"
This discussion has been archived. No new comments can be posted.

Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom

Comments Filter:
  • by Anonymous Coward

    Wonder if they had any organized crime or government clients.....

  • by Anonymous Coward

    For fuck's sake, anyone who doesn't know how to protect themselves from this shit by now should just go live in a cave somewhere.

    • by jonwil ( 467024 ) on Sunday June 30, 2019 @05:44AM (#58849020)

      Its absolutely possible to use Windows and still protect yourself from ransomware and other malware.
      Keep Windows and your software (browsers, Office etc) up-to-date with the latest patches.

      Don't run old versions of software that are no longer secure or maintained (or if you have to run them for legacy reasons, keep them disconnected from the Internet if at all possible)

      Run a decent anti-virus program and keep it up to date so it will pick up the latest viruses and nasties (and if it gives you any kind of warnings or alerts, do what it says and don't just ignore it)

      Take regular backups (and take steps to make sure you don't overwrite your backups after a ransomware infection)

      Run a decent ad-blocker (and/or other filtering) that blocks infections by malvertizing. (there are filters and blockers that catch out known dangerous sites as well)

      Don't download/run/open strange or unknown programs/documents (if you get an email from someone you dont recognize and aren't expecting that contains strange looking attachments, dont open them)

      Don't click strange links in/on Spam emails, weird online ads or unknown websites.

      There are probably others but if you practice proper cyber safety and do the other things suggested above it is definitely possible to keep a Windows PC safe from malware (I have been running Windows for many years and can't think of any time malware has ever actually caused serious problems for me or my PC or caused any data loss)

      • by Anonymous Coward

        If less people would be using windows, the market share for malware infecting other platforms would be greater. Its not an windows intrinsic property its just that it is so widely used, which is why it doesn't really make sense to think everybody using some unix would actually help in the long run.

      • I feel like this is way too akin to trying to get people to use condoms.

        "Practice safe [sex|cyber] and you won't get infected."

      • It sounds like what you're saying can be boiled down to "don't make a mistake".

        Easy to say, hard to do.

        Yes, most of what you said makes sense and I agree with it (backups, anti-virus, don't click on sketchy links, etc) but it all still comes down to "don't step on that landmine".

        The only solution is regular, verified backups stored in secure location(s). Everything else is just window dressing- good to have but in the end, not a defense against disaster/breach/infection.

      • Reading each and every comment this morning, I was disappointed at the utter fucking garbage that wasted my time. /. is getting worse in that regard.

        Thanks for posting the only goddam shit that got a mod point above a 2.

      • by Kiralan ( 765796 )
        I also advise running under an account that has no higher than 'Power User' as the permissions. Admin level should only be used when installing software that requires it, and only if you are sure of the trustworthiness of the source.
    • You're a moron, not an idiot, an outright moron. Windows isn't the cause of ransomware. Users executing code voluntarily is the cause. It works really well in Linux as well.

      • by account_deleted ( 4530225 ) on Sunday June 30, 2019 @07:31AM (#58849290)
        Comment removed based on user account deletion
        • Sure, just like hydrogen wasn't the cause of the Hindenburg disaster.

          It wasn't. Conductive, flammable paint was responsible. (Not the accelerant, the aluminum itself.) Further, most people aboard were able to survive the Hindenburg, by jumping off.

          • *puts self into management mode* Ahh, so what your saying is if it all goes up in flames, jumping off windows and running for your life isn't as fatal as it first appears. Sounds to me like there isn't a reason to be careful in the first place. /m
        • Windows isn't the cause of ransomware.

          Sure, just like hydrogen wasn't the cause of the Hindenburg disaster.

          -jcr

          Oh? I just installed Windows and I didn't get randsomeware attacked. What am I doing wrong? How would Linux defend me against this? Which Linux distro by default mounts the user's home directory as read only and blocks the user from modifying files?

          Don't pretend to be dumb jcr, you are smarter than this, from your post history we can see you often put some thought into your comments, why not this time?

      • No. It does not work "really well in Linux." It doesn't work at all *on* Linux systems in fact. You cannot encrypt entire systems as a user on a Linux system. Linux systems don't have just one user with full admin rights by default the way most Windows systems are shipped by OEMs. Linux users know better than to log in to the system as root, and every decent Linux system on the planet save Kali will refuse to run the GUI as root. Kali is the exception because it is assumed that anyone using it knows exactly
      • by Bert64 ( 520050 )

        No, the cause of ransomware is allowing people with no technical background to use a highly complex piece of equipment.

        Windows is not the sole reason, and ransomware problems would still exist if linux or macos were the most common systems, however windows has significantly contributed towards making the problem worse...

        Windows has always encouraged voluntary execution of code, that's always been the standard installation method and there were even features to automatically execute code stored on inserted m

      • "Idiot" and "moron" are technical words from different eras that describe the same thing.

        When used as a pejorative, they also mean the same thing.

        As a great person once said, "Don't be a maroon."

        • No, they are technical definitions from the same era that describe differing degrees of the same thing, said being mental retardation. While there are older definitions for idiot, they were not technical definitions. Moron was a word specifically created having a technical definition.

          "Idiots.—Those so defective that the mental development never exceeds that or a normal child of about two years.
          Imbeciles.—Those whose development is higher than that of an idiot, but whose intelligence does not exc

    • Know of any decent caves for rent at median prices?

  • This is precisely what Oliver North was convicted of:during the Iran-Contra affair in the late 1980's. The Wikipedia article about Oliver North describes it, where the US government covertly sold weapons to Iran to get hostages released. Now in position of illegal money, for a violation of US foreign policy and various treaties, the money was used illegally to support the Contras in Nicaragua, which had also been specifically prohibited by Congress.

    It's another reason not to pay extortion. Middlemen or mone

    • Re:Very Oliver North (Score:4, Interesting)

      by Mr. Dollar Ton ( 5495648 ) on Sunday June 30, 2019 @04:28AM (#58848884)

      The US government did not sold weapons to get hostages released. Rather, the Reagan campaign negotiated a deal with Iran to hold the hostages a little bit more, so that they were not released before the elections, so that they could be used by team "Alzheimer".

      The weapons were sold later to Iran 1) because Iran kept their side of this deal and 2) because the money came in handy for other purposes. One of which was financing literal cutthroats to block people in Latin America asking the US business interests there for higher wages, because higher wages are "communism", and "communism" is "bad".

      • Nice story, bro.

        Do you have a cite that's more credible than Alex Jones?

        • Sure, "bro". There is a bunch of Iranians, including a former president, and people linked to the Reagan campaign that have made it plain the negotiations happened. The sudden travels of Casper Weinberger to places in Europe which matched the movement of important Iranian figures are also very telling. And so on, and so forth.

          This scandal brought to life the phrase "October surprise". You think it was for nothing?

          Keep reading, not so much the article as the linked references for more.

          https://en.wikipedia.or [wikipedia.org]

      • I'm always amazed that this isn't a bigger deal. The GOP literally used hostages to win an election. That should have been a watershed moment in American history and barely a blip. Then again in 2005 we found out about the Gulf of Tonkin and we still went to war with Iraq. The again (again) we didn't buy it this time with Iran, so I guess that's progress.
        • It is hardly the first use of this tactic by a Republican. The Chennault Affair predates Weinberger's travels to Europe in the summer of 1980 by a whopping 12 years.

          What is the Chennault Affair? Well, in 1968 a journalist of Chinese origin sabotaged the peace talks in Vietnam because that gave Nixon an election advantage.

          https://en.wikipedia.org/wiki/... [wikipedia.org]

      • Rather, the Reagan campaign negotiated a deal with Iran to hold the hostages a little bit more, so that they were not released before the elections, so that they could be used by team "Alzheimer".

        So your theory is that the Carter administration had successfully convinced Iran to release hostages. And they would've been released except the Reagan campaign "offered them a better deal" to hold the hostages until after the election? Why exactly would Iran, which had already held the hostages for 300+ days, s

  • For many of these Fortune 500 customers, time is money.

    The encryption used by these ransomware criminal groups or individuals is often of a sufficiently complex manner that it would take thousands, if not millions, of years to crack through brute force, if a "time clock" isn't already attached to that ransomware threatening total deletion of encrypted data if the ransom isn't paid within a certain amount of time.

    Even if one of these companies has access to a supercomputer cluster, it wouldn't be enough to c

    • by jred ( 111898 )
      #1 The clients probably didn't have the "data recovery" specialists on retainer. The beginning of the business relationship wasn't until after the ransomware occurred. #2 The IT staff or company probably *did* try to sell them a robust backup solution... but it was "too expensive".
  • by nospam007 ( 722110 ) * on Sunday June 30, 2019 @03:45AM (#58848820)

    The FBI paying Ransom to kidnappers to get the victim back?

    • Re:What's next? (Score:4, Interesting)

      by AmiMoJo ( 196126 ) on Sunday June 30, 2019 @04:36AM (#58848894) Homepage Journal

      The issue is honesty. If they just said they were going to pay, manage the process and ensure data was properly decrypted, and then secure the systems so it doesn't happen again, then that would be fine.

      It's the lying about it that is the problem. You can you trust them with your data when they lie to you?

      • "The issue is honesty. If they just said they were going to pay, manage the process and ensure data was properly decrypted, and then secure the systems so it doesn't happen again, then that would be fine.

        It's the lying about it that is the problem. You can you trust them with your data when they lie to you?"

        IOW you can never again buy a German car.

  • by Anonymous Coward

    The only way these ransomware attacks are possible is due to cryptocurrency. Otherwise, they would have had to make a bank transfer (easily traceable) or a cash payment (very risky, can't be scaled globally).

    • True that. All the regulations regarding wire transfer became irrelevant overnight. Is there any benefit to cryptocurrency anyway? Ban the thing and make the act of buying or selling cryptocurrency with money illegal so only the few people who will know where to look can do it.
      • Right ... and we should also ban cash. I mean is there any benefit to it anyway? Everyone knows all cash transactions are illegal and serve no purpose but to obfuscate transactions from our benevolent and protective overlords!
        • Affected users were never asked to pay ransomware fees to a hacker in China or India thousands of miles away. Cash still needs a destination address, cryptocurrency doesn't. Which makes it an extortion tool basically.
          • I mean asked to pay in cash obv.
            • You seem to be saying that because cryptocurrency protects people better from government fascism orthogonally it is somehow worse than cash because like cash it can also be used in criminal transactions like cash can. You also don't seem to be smart enough to figure out that Chinese and Indian hackers would simply use middlemen / online accounts rather than crypto. It isn't difficult to wire money to a swiss account or to have a chain of accounts in different jurisdictions to pass any transaction through.
      • Wrap the transactions in a full-disclosure security model. To claim bitcoins in a transaction require bullet-proof identification. Sorry, libertarians, the State needs to become part of this. It's actually one of the few legitimate roles for govenment.

    • The first ransomware I delt with asked for payment via Greendot cards. Fortunately this was an early generation where it just locked the UI so was trivial to fix. A lot of fake FBI web pop-ups telling people they broke the law and better pay the fine also use that method.
  • by Halo1 ( 136547 ) on Sunday June 30, 2019 @05:25AM (#58848974)

    ... you make the best of what's still around

    Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom

    Somebody call the police.

    (I'll let myself out)

  • The ethical issue is they just paid the ransom and charged the client 4 times that amount. Otherwise, if a ransomware is asking for $500 and your files are worth much more than that, the reasonable choice is to pay. You can't just hope someone will release a decrypter app because it might not happen. This is why cryptocurrency should be banned btw.
    • by ledow ( 319597 )

      This is why backups should be taken.

      Literally, it's as simple as that. Backup your machine / system. If ransomware can get on it and trash it, so can anyone else, and so can a hardware or software problem.

      With backups, ransomware is useless. All it could try is a reverse ransom - "give us money or we'll *release* your data to the world", a blackmail. But, the problem there - they already have your data and there's nothing stopping them releasing it anyway.

      Backup. That's your cure to ransomware. Not ba

      • by guruevi ( 827432 )

        Ransomware creators rarely steal any data beyond credentials. They'd have to backup their "clients" somewhere (perhaps a cloud service) and it would cost them a lot of money where the payout would be small. The "interesting" data in a business is very small compared to the total amount of data they have.

      • Correct. And also, cryptocurrencies in their present form should be banned. They are flagrantly non-democratic, beyond the will of elected government. Shut 'er down. We have proven the world can't handle 'nice things' like that.

      • Somebody should hire some kpop bands to write songs about backing up the servers, it is the only way to sell it at this point. Society has declined, you can't sell engineering anymore you have to disguise it as dance music.

  • by h33t l4x0r ( 4107715 ) on Sunday June 30, 2019 @06:58AM (#58849210)
    He *is* the king of pain, after all.
    • He also did "Consider Me Gone," "Russians," "Seven Days," "The Pirate's Bride," and "History Will Teach Us Nothing."

      He's always been at the cutting edge.

    • by q4Fry ( 1322209 )

      He puts your data in a bo-o-o-o-o-o-ottle, data in a bo-o-o-o-o-o-ottle...

  • The first few of these ransomware attacks ended with some company releasing a "code generator" or "decryptor" that would generate the code to decrypt your files or actually do the decryption.... That's bad cryptography for you.

    But getting things right is not that hard. Generate a random key, use that to encrypt the files, encrypt the key with the public key of the hacker. The hacker needs his private key to decrypt the encrypted key and voila!

    The only way to mess this scheme up is to make things easier for

  • So if the company is paying the ransomware fee, they must be charging the customer (the victim) more than whatever the ransom is, right?

    If the ransom is (for example) $500K and the company wants $600K to 'unlock' the data, why doesn't the customer/victim just pay the $500K and save $100K?

    I confess, I don't understand how this works. Why would you pay more than the ransom fee to a third party?

    • they're negotiating a ransom

      funny how IT departments aren't getting purged over this for not being able to recover databases and such

      • funny how IT departments aren't getting purged over this for not being able to recover databases and such

        I agree- heads should roll. Everyone in the chain of responsibility for this debacle should be fired (and not just IT staff, but anyone who had any responsibility for ensuring that this wouldn't happen).

        Will these cities learn a lesson and start doing proper backups? I doubt it. I mean, that shit costs money, and now they don't have any, lol.

        My guess is that they'll hire a firm to come in and give the employees more training on how not to click on a link, but that's about it.

  • I mean, the ransomware recovery companies would go out of business without ransomware. So they need to keep ransomware alive and well - by paying those ransoms. As long as they can charge their customers more, everybody's happy.

    It's no different from the suspicions many of us harbored about certain anti-virus makers: without viruses, they would be out of business, so maybe, just maybe, they helped ensure that viruses remained alive and well?

    Of course, it's a bit embarrassing to be caught. It would be nice i

  • Companies who fall victim to ransomware attacks don't really care about how their data is recovered. They just want their data back, even if it means paying the ransom.

    But they don't want to get their hands dirty. Paying criminals is bad for their reputation, there may even be legal repercussions. They are also not guaranteed that paying the ransom will work. So instead, they call "data recovery" firms that do the dirty work for them and provide some form of insurance. If they manage to work without paying

  • Apparently no one learns from history anymore.
  • I didn't realise Sting's talents included tech as well as music and tantra.
  • It's nice to see an ageing pop star who can find a new career that is really useful.

  • Nice to hear that Eighties musicians are keeping busy though, haven't heard of him since his Tantric shagging headlines. Which laptop is the best singer by the way? A Dell.

To stay youthful, stay useful.

Working...