ProPublica has published a story about how some ransomware recovery companies are simply paying the ransom on behalf of their customers.
Proven Data and MonsterCloud were the two companies named in the article, but they are surely not the only ones using this practice.
Jonathan Storfer, a former employee of Proven Data, explained how the “data recovery” process worked. Companies whose data had been encrypted by ransomware would contact Proven Data, which promised to unlock the data with the “latest technology.” Instead, according to Storfer and an FBI affidavit, the firm obtained decryption tools from the attackers by paying the ransom.
MonsterCloud also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims or local law enforcement agencies. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. The question becomes: are these companies scamming their customers by allowing them to believe that their data is being recovered through “technological magic”?
In contrast, other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.
The fact that these companies are making payments underscores the lack of other options for individuals and businesses devastated by ransomware, and the failure of law enforcement to catch or deter the attackers. There is also a moral issue: paying ransoms encourages further extortion and may fund terrorism. When the victims are public agencies or organizations that receive government funding, paying the ransom means taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S., such as Russia and Iran.
As you can see, at least some firms that claim to recover lost data simply pay the ransom, and charge a premium to do it. If you wanted to pay the ransom, you could have paid it yourself. The best way to recover is to plan for it from the beginning. Phishing email awareness education is a must, as phishing is one of the most common ways ransomware gets onto systems. In addition, always keep data backups in place, so that if someone encrypts your data you don’t need to buy it back. Two caveats a practitioner should keep in mind: ransomware routinely targets reachable backups, so at least one copy must be offline or otherwise immutable, and a backup is only worth something if you have actually tested restoring from it and verified the restored files are intact. Backups also do nothing about data that was exfiltrated before encryption; they only address the “buy your files back” part of the extortion.
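The backup point above is the one part of this post that can be shown in code. The following is an added example, not code from the original post or from any of the companies it names: it takes a snapshot of a directory with a SHA-256 manifest, simulates a ransomware event by overwriting every file (a constructed stand-in, XOR with a fixed byte, not real malware), identifies which files no longer match the manifest, checks that the backup copy itself is intact, and restores only the damaged files. All paths, file names and file contents are constructed inside a temporary directory; the snapshot layout (`snapshot-NNNN/data` plus a `MANIFEST` file) is an assumption of this example.

```python
"""Added example (not from the original post): a versioned backup with a
SHA-256 manifest, a simulated ransomware event, and a verified restore.
Everything runs inside a temporary directory with constructed sample files."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_root: Path) -> Path:
    """Copy src into a new numbered snapshot and write a manifest of hashes.
    The snapshot naming scheme is an assumption of this example."""
    snap = backup_root / f"snapshot-{len(list(backup_root.glob('snapshot-*'))):04d}"
    shutil.copytree(src, snap / "data")
    with (snap / "MANIFEST").open("w") as f:
        for p in sorted((snap / "data").rglob("*")):
            if p.is_file():
                f.write(f"{sha256_of(p)}  {p.relative_to(snap / 'data')}\n")
    return snap


def load_manifest(snap: Path) -> dict:
    """Parse MANIFEST into {relative path: sha256 hex}."""
    manifest = {}
    for line in (snap / "MANIFEST").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def damaged_files(live: Path, snap: Path) -> list:
    """Files in the live tree that are missing or no longer match the manifest."""
    bad = []
    for rel, digest in load_manifest(snap).items():
        p = live / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(live: Path, snap: Path) -> list:
    """Verify the snapshot against its own manifest, then copy back every
    damaged file. A snapshot that fails its own check is refused outright,
    since ransomware that reached the backup leaves nothing to restore from."""
    manifest = load_manifest(snap)
    for rel, digest in manifest.items():
        if sha256_of(snap / "data" / rel) != digest:
            raise RuntimeError(f"backup copy of {rel} is corrupt; do not trust this snapshot")
    restored = []
    for rel in damaged_files(live, snap):
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / "data" / rel, dst)
        restored.append(rel)
    return restored


def simulate_ransomware(live: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for a ransomware payload: XOR every file in place.
    Real ransomware uses proper encryption; this only needs to change the bytes."""
    for p in live.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))


def demo() -> dict:
    """Run the whole cycle on constructed sample files and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backups = Path(tmp) / "live", Path(tmp) / "backups"
        (live / "docs").mkdir(parents=True)
        backups.mkdir()
        (live / "docs" / "payroll.csv").write_text("id,amount\n1,100\n")  # constructed
        (live / "notes.txt").write_text("quarterly plan\n")               # constructed
        snap = make_backup(live, backups)
        damaged_before = damaged_files(live, snap)      # a fresh backup matches
        simulate_ransomware(live)
        damaged_after = damaged_files(live, snap)       # every file now differs
        restored = restore(live, snap)
        return {
            "damaged_before": len(damaged_before),
            "damaged_after": len(damaged_after),
            "restored": len(restored),
            "payroll_recovered": (live / "docs" / "payroll.csv").read_text() == "id,amount\n1,100\n",
            "clean_after_restore": damaged_files(live, snap) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The snapshot here lives on the same disk as the live data, which is exactly what real ransomware goes after; in production the `backups` directory would be an offline or write-once target, and the `restore` self-check is what tells you whether that copy survived. The manifest check is also the “test your backups” step: running `damaged_files` against a known-good snapshot on a schedule catches silent corruption long before you need the restore.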