Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/15/2019
12:45 PM
50%
50%

Two Ransomware Recovery Firms Typically Pay Hackers

Companies promising the safe return of data sans ransom payment secretly pass Bitcoin to attackers and charge clients added fees.

A new report sheds light on the practices of two US data recovery firms, Proven Data Recovery and MonsterCloud, both of which paid ransomware attackers and charged victims extra fees.

ProPublica researchers were able to trace four payments from a Bitcoin wallet controlled by Proven Data to a wallet controlled by the operators of SamSam ransomware, which caused millions of dollars in damages to cities and businesses across the US. Payments to this wallet, and another connected to the attackers, were banned by the US Treasury Department due to sanctions on Iran, explained former Proven Data employee Jonathan Storfer to researchers.

Proven Data claims to unlock ransomware victims' data using its own technology. Storfer and an FBI affidavit say otherwise: The company instead paid ransom to obtain decryption tools. MonsterCloud, another data recovery firm that claims to employ its own recovery practices, also pays ransoms — without telling the victims, some of which are law enforcement offices.

Proven Data chief executive Victor Congionti did tell ProPublica paying ransom "is standard procedure" at the company, and oftentimes it pays attackers at the request of clients. But Storfer explains how the company developed a relationship with the attackers and, as a result, was able to receive extensions on payment dates and even get discounts on ransoms. SamSam operators would advise their victims to contact Proven Data for help with submitting payment.

The report draws attention to a dilemma that businesses face when hit with ransomware: It's easy to frown on paying the ransom in theory; it's different when your data is held hostage.

It's neither illegal to hide strategies for decrypting data nor illegal to pay attackers, the report points out. But paying ransom while pretending otherwise to a client could fall under deceptive business practices banned by the Federal Trade Commission Act, former FTC acting chairman Maureen Ohlhausen said. The FTC has not cited MonsterCloud or Proven Data, they note.

Read the full report here.

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.
CVE-2015-9497
PUBLISHED: 2019-10-22
The ad-inserter plugin before 1.5.3 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=ad-inserter.php.
CVE-2015-9498
PUBLISHED: 2019-10-22
The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.
CVE-2015-9499
PUBLISHED: 2019-10-22
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
CVE-2015-9500
PUBLISHED: 2019-10-22
The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js.