28 June 19, 07:20
Quote:Continue Reading
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers.
Now there’s new evidence that a U.K. firm takes a similar approach. Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was “running tests” to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company’s communications to both sides.
Red Mosquito Data Recovery “made no effort to not pay the ransom” and instead went “straight to the ransomware author literally within minutes,” Wosar said. “Behavior like this is what keeps ransomware running.”
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware’s spread, and culprits are rarely caught. If files encrypted by attackers are not backed up, and a free public decryption tool is unavailable, usually the only way to clear them is paying the ransom, said Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware. But clients who don’t want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.
On its website, Red Mosquito Data Recovery calls itself a “one-stop data recovery and consultancy service” and says it has dealt with hundreds of ransomware cases worldwide in the past year. It advertised last week that its “international service” offers “experts who can offer honest, free advice.” It said it offers a “professional alternative” to paying a ransom, but cautioned that “paying the ransom may be the only viable option for getting your files decrypted.”
It does “not recommend negotiating directly with criminals since this can further compromise security,” it added.
Red Mosquito Data Recovery did not respond to emailed questions, and hung up when we called the number listed on its website. After being contacted by ProPublica, the company removed the statement from its website that it provides an alternative to paying hackers. It also changed “honest, free advice” to “simple free advice,” and the “hundreds” of ransomware cases it has handled to “many.”
Besides Red Mosquito Data Recovery’s website, a company called Red Mosquito has its own website. A person answering the phone at the Red Mosquito site said they are “sister” companies and that RMDR, as it is known, specializes in helping ransomware victims. The Red Mosquito site markets a wider array of cyber-services.
The two U.S. firms, Proven Data Recovery of Elmsford, New York, and Hollywood, Florida-based MonsterCloud, both promised to use their own technology to help ransomware victims unlock their data, but instead typically obtained decryption tools from cyberattackers by paying ransoms, ProPublica found.
We also traced ransom payments from Proven Data to Iranian hackers who allegedly developed a strain known as SamSam that paralyzed computer networks across North America and the U.K. The U.S. government later indicted two Iranian men on fraud charges for allegedly orchestrating the extortion, and banned payments to two digital currency destinations associated with them. Proven Data chief executive Victor Congionti told ProPublica in May it paid the SamSam attackers at the direction of clients, and didn’t know they were affiliated with Iran until the U.S. government’s actions. Congionti said that Proven Data’s policy on disclosing ransom payments to clients has “evolved over time” and it is now “completely transparent.”