For their services, the companies charge several times more than the ransom the hackers demand.
From 2015 to 2018, the SamSam ransomware, which locks the data on a computer and demands a ransom, hit thousands of computers in North America and the UK, causing more than $30 million in damage. It disrupted institutions in Atlanta, New Jersey, San Diego and Newark, including the operations of medical facilities. In total, the attackers collected about six million dollars in ransoms.
In the US, MonsterCloud and Proven Data are considered two of the major companies in data recovery after a ransomware attack. They offer customers, including municipal institutions and police departments, to unlock the data on computers hit by the malware. They claim that, with the help of high-tech tools, their experts restore the captured information without paying a ransom.
In reality, the companies rarely try to unlock the data at all; they simply pay the hackers and bill the client at their own rate, ProPublica, which carries out large journalistic investigations, found. The reporters’ main source was former Proven Data employee Jonathan Storfer, who took part in the corporate scheme and established business relations with hackers without the knowledge of customers, but with the permission of the authorities.
Cooperation with hackers, inflated prices and misleading the client
The “father” of ransomware is Harvard University graduate and anthropologist Joseph Popp Jr. In 1989, he was studying the theory that HIV originated in green monkeys in East Africa, and he mailed more than 20 thousand diskettes with information about the disease to people interested in health care. Once the diskette was run, the recipients’ computers locked up, and an instruction appeared on the screen demanding that $378 be sent to a postal address in Panama in return for a second diskette that would recover the data.
The FBI arrested Popp shortly before he was ready to distribute another two million diskettes. The US extradited him to England, where he was declared insane, after which he returned and settled in the state of New York. “I believe that he sincerely tried to stop the spread of HIV. But he was wrong when he engaged in extortion. I don’t think he soberly assessed the consequences of his actions for other people,” recalled his lawyer, John Kilroy.
In 2006, the 55-year-old creator of the first ransomware died in an accident, never having seen how his brainchild became one of the most popular methods of cybercrime. One and a half million devices are attacked every year, and in the USA many victims turn to Proven Data and MonsterCloud. The two work according to a similar scheme: they promise customers to recover data using “modern technologies”, but often they simply pay the attackers for the decryption keys.
Recording of an interview with MonsterCloud founder Zohar Pinhasi
For the client, the cost of such a service is always several times higher than the price the hackers demand. Municipal and government organizations often become clients of these firms, and their representatives are not told that budget money ends up in the hands of unknown persons. The firms do not reveal the secrets of the “high-tech methods” they use for data recovery. Independent enthusiasts who look for vulnerabilities in ransomware code for free and post solutions online are skeptical that companies like Proven Data can decrypt data on their own.
In 2016, a team of cyber specialists decided to check exactly how MonsterCloud “saves” customer data. The enthusiasts infected their own computer with ransomware they had written themselves and contacted the company posing as customers. Soon the email address that the enthusiasts had presented as the hackers’ received a message from MonsterCloud offering to pay a ransom in exchange for the decryption keys.
In the end, the cyber experts were paid with their own money, and the computer was then returned to them free of the malware. The company’s representatives said nothing about dealing with the hackers; on the contrary, they behaved as if they had solved the problem without a ransom.
In December 2018, the Israeli cybersecurity company Check Point Software Technologies revealed that the Russian company DR.Snifro used a similar tactic. The company’s website says that it is “the only one specialized in decrypting files”, and that its services are trusted by the large Russian cargo carrier Tranco and by GazpromPurinvest. The investigation found that the company’s employees simply paid the ransom. Representatives of the organization did not respond to ProPublica’s requests, written in English and Russian.
The extent of the manipulation and the neutrality of the police
ProPublica journalists met with MonsterCloud head Zohar Pinhasi, who refused to say how often the company pays a ransom. Instead, he responded with a lengthy statement that the firm’s experts “work in the shadows”, and insisted that MonsterCloud gets the job done and that the details are secondary. Pinhasi urged ordinary people never to communicate with the attackers, “because they do not know who they are dealing with.”
In January 2019, IT consultant Tim Anderson asked the company to unlock the data on a client’s computer. The work was quoted at $2,500 for analysis and $25,000 for file recovery. At the same time, the ransomware demanded two bitcoins for the same files, worth no more than seven thousand dollars at the time. When Anderson asked the experts to explain how they decrypt the files, they refused.
“I immediately sensed a trick. How could I have known that they would not take the 25 thousand and pay seven thousand of it as the ransom? The client does not understand the details of what is happening,” the man explained. He declined the company’s services and turned to another company that also guaranteed data recovery, but did not conceal that it was cooperating with hackers and paying a ransom.
MonsterCloud’s clients include municipal institutions, among them police departments and sheriffs’ offices. Some turn to the companies for fear that if they try to pay the money themselves, the hackers will cheat them. Others do not want taxpayers’ money to go to the attackers, which is why they turn to “professional” firms.
A police department in Trumann, Arkansas, paid MonsterCloud $75,000 to recover data within 72 hours. The company did not disclose what methods it used to accomplish the task, but assured that it did not pay the hackers a ransom. However, independent cyber specialists interviewed by the reporters are confident that the company lied.
Sometimes clients suspected dishonest practices on the part of the companies. In 2016, the management of the city of Safford (Arizona) hired Proven Data to restore administrative data from infected computers. A week later, the experts completed the task and charged more than eight thousand dollars for the work. After paying, the administration discovered that some of the files remained locked.
Proven Data agreed to decrypt them again, but, despite numerous attempts, did not succeed. The city government did not understand why Proven Data could not use the same method. “If their algorithms did it the first time, why didn’t it work the second time?” asked Safford’s system administrator Cade Bryce. Cybersecurity experts interviewed by the journalists suggested that the first time the company had simply paid the ransom, and that errors in the malware’s code had caused permanent damage to the remaining files.
Proven Data specialists had a list of outside hackers who provided decryption keys for a fee. No one at the company knew who these people were, and each set their own price: some helped the company for four thousand dollars, others demanded 10 thousand dollars. The hackers themselves did not like being called that, preferring the image of a business partner.
According to ProPublica, such cooperation between the companies and third parties is not regulated at all and sits in a gray market zone. As Storfer, who was responsible for dealings with the hackers, said, they could sometimes sell the keys at a discount if the specialist explained that the company could not afford the starting amount. “They work in an area where everyone hates them, but they collaborated with us because we respected them,” said the former Proven Data employee.
Sometimes the “partners” stopped responding after a specialist had transferred money to them, and reappeared only after some time. According to Storfer, one hacker once explained his disappearance by saying that he had gone on a “cocaine trip for three weeks.”
In the US, there are no laws prohibiting Proven Data, MonsterCloud and similar companies from paying hackers to get data back. The contract states only that the firms must restore access to the information; their methods are not regulated. At the same time, lawyers and human rights activists interviewed by the journalists suggested that the companies’ actions could be interpreted as participation in a criminal conspiracy and as computer fraud.
Representatives of Proven Data and MonsterCloud rejected all suspicions of fraud and clarified that they resort to paying the ransom only in extreme cases, and notify the client when they do.
Law enforcement agencies are reserved about the payment of ransoms to hackers. In 2015, at a cyber defense conference, FBI agents reported that the bureau often advises people to simply pay the demanded amount. The reason is that it is very difficult to identify and arrest the attackers, and such operations cost the budget far more than the few thousand dollars that victims of ransomware lose. The human factor also plays a role: many are ashamed to admit that they were deceived by criminals, and they do not report it to the police.
In 2018, the US Treasury Department banned transfers to several Bitcoin wallets, suspecting their owners of financing terrorism. With the support of Chainalysis, a company that tracks suspicious transfers on the blockchain, ProPublica journalists documented four cases in which Proven Data transferred bitcoins to these wallets, presumably to obtain keys for decrypting customer data. As Storfer suggested, a significant portion of the ransoms paid to ransomware operators may go to finance organized crime or terrorists.
According to Storfer, attacks on the USA are most often carried out from Russia and Eastern Europe, which is why their initiators are so hard to find. Storfer got a job at Proven Data in 2017, a year after graduating from college. Despite having no experience in cybersecurity, he was hired as a manager for $41,000 a year.
Storfer worked at Proven Data for a year and a half, during which time he established relations with various hackers, including the authors of the notorious SamSam ransomware. A kind of affiliate program existed between the parties: sometimes the attackers advised the victim to seek help from Proven Data, because they knew that in that case they would be guaranteed a ransom. At some point, Storfer’s conscience forced him to leave, as he was tired of deceiving clients and doing business with unknown persons. Since then, he has worked in a field unrelated to data recovery.
Do I miss explaining the essence of my work to people? No. All those conversations in the spirit of “what do you do?” Oh, I negotiate with hackers to make a living. This is a very strange business, and this is one of the reasons why I left. […]
I decided to leave because I felt uncomfortable. The kingdom in which Proven Data, MonsterCloud, Coveware and all the others operate is the Wild West. They set their own rules.
Jonathan Storfer, former employee of the cybersecurity company Proven Data, an informant for ProPublica