
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers (propublica.org)

As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra. From a report: Proven Data promised to help ransomware victims by unlocking their data with the "latest technology," according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica. Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.

  • If the end users were led to believe no ransom would be paid, there may be a civil or criminal fraud case against the company that paid the ransom.

    If the final recipient of the money was known to be on any "prohibited-to-do-business-with" list and anyone along the chain 1) knew it or should have known it and 2) knew or should have known that payment would wind up in that person's or entity's hands, then there could be more serious charges. I'm thinking about future cases where the ransomware is widely know

    • If the end users were led to believe no ransom would be paid, there may be a civil or criminal fraud case against the company that paid the ransom.

      If the final recipient of the money was known to be on any "prohibited-to-do-business-with" list and anyone along the chain 1) knew it or should have known it and 2) knew or should have known that payment would wind up in that person's or entity's hands, then there could be more serious charges. I'm thinking about future cases where the ransomware is widely known to be tied to terrorists or other organizations or individuals that are on a United States "don't do business with them" blacklist.

      I'd be pretty pissed if the company I paid to fix my shit just paid the ransom and pocketed the difference.

  • by Excelcia ( 906188 ) <slashdot@excelcia.ca> on Wednesday May 15, 2019 @02:58PM (#58597820) Homepage Journal

    I have to say, I have mixed feelings about ransomware "victims". I feel like it's akin to leaving my wallet somewhere, with PINs written in sharpie on all my cards, not reporting the cards stolen, then being upset that someone cleaned out my account. If you are making proper, weekly backups then you're just not really vulnerable to ransomware. If you're not making proper, weekly backups then you're already dumb and I almost think that getting hit by ransomware is akin to stupid tax. Maybe it'll prompt you to be a little smarter about your online practices and more disciplined about your backups.

    That being said, the ransomware payments do benefit criminals and terrorists, hence the mixed feelings. Maybe I should get into ransomware attacks and then donate the proceeds to a good charity. Best of both worlds.

    • weekly? Some people and places make very high value information daily. We're not talking about your porn collection and vacation photos here....

      • weekly? Some people and places make very high value information daily. We're not talking about your porn collection and vacation photos here....

        Fair enough, but the sentiment is the same. If you are daily generating data that is of greater value than the cost of paying someone who uses its loss to extort money from you, then your data is of the kind of value that necessitates daily backups. If you are not doing backups on a schedule that is commensurate with the volume and value of data you are generating, then you are being negligent. It's that simple. You are inviting crime. The more people that leave their houses unlocked, the more criminals

      • Daily?!
        If you are in any financial transactional environment, if you are not doing 15 min incremental backups off your database you are about stupid.

      • He's talking about users and their own personal information, not companies and their sensitive data. Obviously the more important the data the more frequently you back up.

      • by darkain ( 749283 )

        As I've mentioned elsewhere: just use a copy-on-write file system like ZFS with snapshots. Hell, if your business is generating that much data, you could snapshot every minute if need be. I have this in one deployment. Snapshots are created every minute with a 2-hour expiration. Hourly snapshots are created with weekly expiration. Daily snapshots are created with no expiration. Every snapshot is pushed to an off-site location right after it is created.

        • ZFS isn't feasible for everyone. A daily, incremental backup tool like rsync is probably sufficient for most people's needs.
          • by darkain ( 749283 )

            Considering that modern NAS systems use ZFS now, it is fairly trivial to do. These stories are not about "normal" users either, these are businesses that are most likely using a centralized server for storage anyways. So why not use a solution that not only stores data, but also secures it? This is called risk management.

            Rsync isn't a solution. If a file becomes corrupt or encrypted via these malware attacks, what happens? Rsync will simply copy the local broken file over the remote good file, and then you
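As an added illustration of the tiered snapshot schedule darkain describes (and of why read-only snapshots avoid the rsync failure mode), here is the retention logic a per-minute cron job would apply. This is example code, not darkain's deployment or anything from ZFS; the snapshot naming scheme `pool/dataset@tier-YYYYmmddTHHMM` and the dataset `tank/data` are assumptions, and the `zfs snapshot` / `zfs destroy` commands are only built as strings.

```python
"""Tiered snapshot retention as the post describes: minutely snapshots expire
after 2 hours, hourly after a week, daily never.  Added example; snapshot
names of the form pool/dataset@tier-YYYYmmddTHHMM are an assumption."""
from datetime import datetime, timedelta

# Retention per tier; None means keep forever (the daily tier in the post).
RETENTION = {
    "minutely": timedelta(hours=2),
    "hourly": timedelta(weeks=1),
    "daily": None,
}

def snapshot_name(dataset, tier, when):
    """Build the assumed name, e.g. tank/data@hourly-20190515T1400."""
    return f"{dataset}@{tier}-{when:%Y%m%dT%H%M}"

def parse_snapshot(name):
    """Split a name back into (dataset, tier, timestamp)."""
    dataset, _, snap = name.partition("@")
    tier, _, stamp = snap.partition("-")
    if tier not in RETENTION:
        raise ValueError(f"unknown tier in {name!r}")
    return dataset, tier, datetime.strptime(stamp, "%Y%m%dT%H%M")

def tiers_due(now):
    """Tiers that get a fresh snapshot this minute: every minute, on the hour,
    and at midnight (the cron-style schedule from the post)."""
    due = ["minutely"]
    if now.minute == 0:
        due.append("hourly")
        if now.hour == 0:
            due.append("daily")
    return due

def plan_prune(snapshots, now):
    """Names whose tier retention has elapsed at `now`.  Only age past the
    tier's limit qualifies, so the newest copies are never candidates, and a
    snapshot is read-only: files encrypted later cannot overwrite it."""
    expired = []
    for name in snapshots:
        _, tier, taken = parse_snapshot(name)
        limit = RETENTION[tier]
        if limit is not None and now - taken > limit:
            expired.append(name)
    return expired

def zfs_commands(dataset, snapshots, now):
    """Commands a per-minute cron job would run (strings only, not executed)."""
    cmds = [f"zfs snapshot {snapshot_name(dataset, t, now)}" for t in tiers_due(now)]
    cmds += [f"zfs destroy {s}" for s in plan_prune(snapshots, now)]
    return cmds
```

Pushing each new snapshot off-site right after creation, as the post does, is a separate `zfs send` step not modelled here.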

    • by Bigjeff5 ( 1143585 ) on Wednesday May 15, 2019 @03:21PM (#58598014)

      It's an unexpected failure point. Most people aren't computer experts, or security experts, or anything in between. They know how to do what they need to do and not much else. They don't necessarily even realize that their data even needs protecting. It's there on their computer, after all, what could happen to it?

      People don't usually get backup religion until they lose a lot of important data. Ransomware is just another reason to get backup religion, and people still won't get backup religion unless they or someone they know well are affected by not having good backups.

      • Non-companies, aka average persons, should just do one of these things.

        1. Email your most important files to yourself, so whatever email system you have will keep a copy... I'm thinking like gmail or something.

        2. Copy important things to one of your two thumbdrives, and rotate them. Do it weekly. Buy new ones every year.

        3. Get some sort of system to do real backups, but this is probably complicated.

    • I feel like it's akin to leaving my wallet somewhere, with PINs written in sharpie on all my cards, not reporting the cards stolen, then being upset that someone cleaned out my account.

      It's more akin to you drawing up the tenancy agreement for your rental property yourself, then being upset that you're being screwed by your tenant, without legal recourse because your contract is full of holes. The message being: some stuff is complex, full of pitfalls and best left to the experts. Many people make what they feel are "proper" backups: weekly copies of their important files to a drive kept offline or even offsite. They might even have thought about the eventualities to guard against: fir

      • Of course once the ransomware hits, the weekly copy will get overwritten with the encrypted files...

        So there has long been a rule not to overwrite the most recent backups with the newest backup, but rather the oldest backup with the newest backup, primarily to avoid hardware failures. That rule now applies as a way to attempt to avoid this failure mode as well.

        But isn't it time for backup software to proactively watch for a ransomware infection? Backup software will by definition touch every file. Backup software typically tracks every file in order to enable incremental backups. Backup software typic

    • I used to think that way ... until I did get hit by a ransomware. I figured they got in via a vulnerability in Windows 7, since only my Windows 7 machines got hit. My Windows 10 and Server 2012R2 machines were not breached. I was lucky, I had backups and managed to recover without losing anything significant, but still it took weeks to scramble and rebuild machines from images, some dated a while back, reapplying updates, etc... It was a huge wake up call, and I have since begun to harden security even
    • Don't give Anonymous any more stupid ideas (assuming they even still exist).
  • by CrimsonAvenger ( 580665 ) on Wednesday May 15, 2019 @03:18PM (#58597984)

    ...as to whether any of these aliased employees are the guys doing the ransomware?

    Be funny if it turned out they're getting the ransoms they demanded, plus a little extra by pretending to "fix" the problem....

    • by e3m4n ( 947977 )

      Sorta like Symantec writing half the viruses in the 90s while being the lead antivirus company. Sometimes it was just to have an 'extensive' library of definitions. Other times I'm sure it was job security.

      • by sad_ ( 7868 )

        Sorta like Symantec writing half the viruses in the 90s while being the lead antivirus company.

        citation needed.

  • by slack_justyb ( 862874 ) on Wednesday May 15, 2019 @03:21PM (#58598012)

    For those who rode/ride the BitCoin train thinking "Oh yea, anonymous payments". You might be interested in this quip from the story.

    Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.

    And this is something I've pointed out time and time again about BitCoin. You're anonymous to simple scans, but someone with enough fire power and time can absolutely track you down in BitCoin. The anonymous argument with the qualifier of "completely" is just a bunch of bull.

    • by bspus ( 3656995 )

      All it tells me is they did a piss poor job hiding their tracks. Shuffling the amount among a dozen addresses is not laundering by any means, except against amateurs.

      They could have signed up to an exchange that requires no KYC, deposited the bitcoin there (logging in through Tor) and withdrawn it either in bitcoin again or preferably a different currency altogether, even one specializing in truly anonymous payments.

      But even if they withdrew it in BTC again, it would come from a different exchange address and would be

    • by gweihir ( 88907 ) on Wednesday May 15, 2019 @04:14PM (#58598424)

      Bitcoin is not even designed to be anonymous. I mean, every transaction is out there in the open, forever. The only "anonymity" you have is that your wallet is not immediately identifiable as yours, but that is it. Make one use of the wallet that can be traced to you and any anonymity you ever had is gone, retroactively.

  • What about security that does not suck, backups that work and putting everything important on a version control system? You know, the minimal measures anybody with half a clue already has in place?

    Sure, these people are criminals. But this is entirely a crime of opportunity, the victims here just have no sensible protection at all. By that, they create the criminal opportunity and are partially to blame for the problem. Of course, something as utterly stupid as _paying_ the criminals makes things massively

    • Of course, something as utterly stupid as _paying_ the criminals makes things massively worse.

      Making this illegal should be one of the first steps. Basically, you should treat an encrypted drive as a crashed drive or a fire. Paying a ransom should be prosecuted for what it is which is knowingly giving money to a terrorist organization. The penalty should be sufficiently large that it is never worthwhile to pay a terrorist's ransom demand. Something like a penalty of 10x what the data is worth to the company and/or actual "aiding and abetting a criminal" charges.

      • by gweihir ( 88907 )

        I agree. Completely. Usually, I am pretty much against making things illegal, but the people that pay harm others and that is just not acceptable.
