A firm called Dr. Shifro promises to unlock encrypted files so targets can avoid paying their attackers a hefty sum. The organization says they will retrieve files for ransomware with no publicly available key – and they work with attackers to do it.

Researchers at Check Point recently discovered Dr. Shifro, a Russian firm falsely offering decryption services, while investigating the Dharma/Crisis ransomware.

The Crisis ransomware family, also called Dharma, was first seen in 2016. Back in Nov. 2016 and March 2017, there were master decryption keys for the Crisis family and security companies could create tools for victims. However, autumn 2018 brought new versions with no public key.

Dr. Shifro, which started in 2016, poses as a legitimate company and claims it can unlock files encrypted by new versions of Crisis/Dharma, as well as Scarab, No_More_Ransom, and Da Vinci ransomware. It claims it can exploit vulnerabilities in encryption algorithms of ransomware, which lets them restore RSA private keys. Researchers found this unlikely and investigated.

Findings show Dr. Shifro functions as a broker between ransomware victims and operators as a way of maximizing profit. Victims who want to unlock files pay Dr. Shifro, who passes money to the attacker. The attacker sends the files to Dr. Shifro, who returns them to the victim. The malicious firm offered to pay ransomware distributors the equivalent of $950 for doing this while charging victims $2,300. The firm could earn around $1,350 from one victim.

Read more details here.