A company that claimed to use technology tools to help victims with ransomware cleanup was found to secretly be paying the ransom, while collecting a premium from their clients, according to an expose out this week. The situation brings the core dilemma of business-focused ransomware directly into the spotlight: To pay, or not to pay?
According to an investigation from ProPublica, a firm called Proven Data Recovery in upstate New York, “regularly made ransom payments to SamSam hackers,” despite telling its clients that it had its own legitimate methods for liberating their locked-up files. The outlet also reported that the firm charged the cost of the ransom plus additional fees, according to a former Proven Data employee and unpublished FBI affidavits – while keeping their clients in the dark about what the fees were for.
According to an analysis from Bitcoin-tracing firm Chainalysis commissioned by ProPublica, four payments in 2017 and 2018 from an online wallet controlled by Proven Data (which did not return a request for comment) were able to be traced. The payments were made to a the SamSam ransom wallet, and then laundered through as many as 12 Bitcoin addresses before reaching their final home in a wallet maintained by Iran cybercriminals.
The ProPublica report is an eye opener to some of the dirty secrets of the ransomware-recovery trade. It also highlights an unholy and sometimes cozy relationship between ransomware hackers and the data recovery firms that work with them.
To Pay, or Not To Pay: That is the Decryption Question
The report is especially piquant given the dilemma that many organizations find themselves in when hit by ransomware. The choice is often to either pay the ransom and hope the cyberattackers keep their word and deliver the decryption keys; or, to pay a cybersecurity firm to perform remediation and cleanup, which can cost more than the actual ransom. The latter path is more ethical, avoiding money flowing into criminal pockets. But the choice “to pay, or not?” can be hard.
“It’s easy to say that companies should never pay, but it’s also quite unrealistic,” said Brett Callow, spokesperson for Emsisoft, in an interview with Threatpost. “The reality is that making payment may be the only option that will enable a company to become operational again within a reasonable period of time. It’s very much a case of ethics versus business necessity.”
He added, “it may be the only recovery option available. Second, some companies may believe that payment is the fastest route to becoming operational again. Third, in some instances, they may believe that making payment will enable them to avoid the matter coming to the attention of the public and their shareholders.”
Remediation firms themselves often have no options to give their customers, if those customers haven’t fully backed up their data, according to at least one researcher.
“I have no doubt that there are many firms out there that offer ‘sophisticated tools and tactics’ to decrypt victims files for a hefty fee,” Tyler Moffitt, security analyst at Webroot, said via email. “It also doesn’t surprise me that the majority of the time all these firms do is pay the ransom and then charge the victim a premium. This is pretty much the only chance that these assistance firms would be able to actually retrieve files. Retrieving them without paying the ransom is very rare and again only available when criminals make mistakes, so for the most part getting these encryption keys is impossible without paying the ransom and dealing with the criminals directly.”
ProPublica mentioned a handful of firms that specialize in transparently dealing with attackers and negotiating ransoms on their clients’ behalf if needed, including a company called Coveware.
Coveware CEO Bill Siegel told Threatpost that his firm takes care to help victims understand the risks they are taking when choosing to pay – and that the decision-making can be very complex.
“Victims of ransomware typically take parallel paths to negotiate with the threat actor, while working to restore from any available backups or rebuilding from scratch,” he said. “The decision to actually pay comes down to data that the company can’t restore or rebuild, and without which the company faces existential risk of lost customers or liability. In short, these are not decisions that are taken lightly.”
Another dimension that businesses need to think about when deciding whether or not to pay is the fact that payment is no guarantee of data security or integrity.
“In some cases, the attackers don’t actually have the ability to decrypt the affected data and are just bluffing, meaning that even if you do pay, there’s no guarantee you’ll get your data back,” said Elfredy Cadapan, director of product development at OpenVPN, via email. “With that, paying the ransom only encourages the attackers to return at a later date and repeat the same process.”
There’s also the possibility of unintended consequences: “Just because you pay the ransom and they give you the key, you may not get your data back,” Chris Duvall, senior director at The Chertoff Group, explained in an interview. “Databases are altered by the process of encryption and de-encryption, and can become useless and corrupt. We’ve seen it often when working with clients post-incident – not all of the documents and information and databases will be intact.”
He also noted that ransomware is often used as a cover for a larger exfiltration of data and “to hide their deeper reconnaissance activities.” Thus, remediation will go far beyond a simple payment.
And finally, there’s the issue that making payments creates a reward mechanism for cybercriminals that mount ransomware attacks, according to Adam Kujawa, director of Malwarebytes.
“Paying ransom reinforces the belief that ransomware is a viable and profitable attack,” he said. “However, it’s been years now that we have dealt with on and off ransomware attacks, and regardless of what we say, cybercriminals read the news, they know how effective these attacks are and they are going to keep improving on them until its clear they aren’t profitable anymore. Families like WannaCry which spread across the world alarmingly fast are also blueprints for future cybercriminals, to use the same tactics and get the best payout possible.”
Reinforcing his argument are statistics. According to FBI’s Internet Crime Report, ransomware continues to be a scourge for businesses. There were 1,493 ransomware attacks reported in 2018, which resulted in losses of $3.6 million.
“However, that only represents attacks that were reported to directly to the FBI,” said Emisoft’s Callow, commenting on the report. “It doesn’t include attacks that were reported to FBI field offices or that went unreported, so this definitely only an extremely small fraction of the real number.”
Coveware’s Siegel noted that ransomware will continue to persist given that cybercriminals are operating in a target-rich environment with poor security postures persisting across industry segments. And for many organizations, especially municipal government and law-enforcement agencies, hospitals and small- to medium-sized businesses (SMBs), a lack of in-house security expertise and resources can exacerbate the problem.
“Microsoft recently releasing patches for long deprecated remote-access products is a good reminder of just how many organizations are failing to keep up with basic security measures,” he said. “The availability of targets is what makes cybercrime so lucrative, as even a low conversion rate can create a windfall for a criminal. Cyber-policies that cover both extortion costs as well as business interruption may create the optics of an incentive to pay rather than restore, but in our experience working with victims, it is never a simple choice.”
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.