Study Finds Most Ransomware Solutions Just Pay Out Crypto

A study has found that most ransomware recovery services are actually just paying crypto ransoms to hackers.

AccessTimeIconMay 15, 2019 at 7:30 p.m. UTC
Updated Sep 13, 2021 at 9:12 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A study by ProPublica found that most ransomware solutions providers have one weird trick for getting rid of hackers - paying them off.

Ransomware activity is growing weekly according to experts at Coveware . The result? Companies who just want to pay the ransom and move on.

According to Coveware, ransomware attacks were up in Q1 2019:

In Q1 of 2019, the average ransom increased by 89% to $12,762, as compared to $6,733 in Q4 of 2018. The ransom increase reflects increased infections of more expensive types of ransomware such as Ryuk, Bitpaymer, and Iencrypt. These types of ransomware are predominantly used in bespoke targeted attacks on larger enterprise targets.

Once hackers encrypt an infected computer, however, the real question is how to unlock your data. ProPublica found that many data recovery firms simply pay the ransom and then charge a premium for their trouble.

Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

Going up

Ransomware is getting worse.

After US Attorney General traced and indicted two Iranian hackers for releasing ransomware called SamSam, authorities hoped the prevalence of attacks would fall. Instead, it rose, beating 2018 levels considerably.

The reason, many believe, is because ransomware is so lucrative. Hackers can launch an attack and then, when the victims discover the hack, they negotiate briefly with companies like MonsterCloud and others to unlock the computers. However, many of these companies offer recovery methods and many security researchers work on free methods this one for the popular WannaCry ransomware.

Unfortunately, the hacks are getting worse and the software necessary is getting more complex.

to actually negotiating with scammers. They've found it to be one of the simplest methods for getting data back. The concern, however, is that these efforts are inadvertently funding terrorism. Further, they write, it is taking longer to decrypt hacked computers, thanks to new versions of the ransomeware. In Q1 2019, wrote Coveware, the "average downtime increased to 7.3 days, from 6.2 days in Q4 of 2018."

Pattern recognition

Coveware CEO Bill Siegel has found that the average ransomware recovery isn't really a negotiation with "terrorists" as US Government officials believe. They've negotiated a "few hundred" ransomware cases this year and find that each hacker is different and often just frustrated.

"Our sense based on our study of the industry and experience is that the vast vast majority are relatively normal people that don't have legal economic prospects that match their technical abilities," Siegel said. "They also live in parts of the world that are beyond the jurisdiction of Western law enforcement, and are ambivalent about stealing from the West."

Their process for talking with the hackers is also quite precise.

"We study their communications patterns so that we can build up a database of experience. There is a surprisingly small group of threat actors that are active at any given time, so identifying them is relatively straight forward. From there, we have scripts and tactics that we have honed over our experience. We draw on those to develop a negotiation strategy on behalf of our client. We know the hackers based on the profile and patterns they exhaust. We don't communicate with them outside of representing our clients in a negotiation. All of the data exhaust we create from our cases is provided to law enforcement on a quarterly basis as well."

Zohar Pinhasi of MonsterCloud said his company worked hard to use both methods - recovery and ransom.

The recovery process varies from case to case depending on the scope and nature of the cyber attack. Our methods for achieving data recovery and protection are the product of years of technical experience and expertise and we do not disclose the process to the public or to our customers. That is communicated clearly up front. However, what I can tell you is that we are a cyber security company, not a data recovery company. We have vast knowledge and experience dealing with these criminals, and we spend countless hours staying atop their evolving methods in order to provide our clients with protections against all future attackers, not just the one infiltrating their data at the time they come to us. We offer a money back guarantee to any client if we are unable to recover their data, and to date we have not had a single client report a follow-up attack from the same criminals or any other attacker.

While sending a few thousand BTC to a strange address might not sit well with many victims, it still looks like the best way to reduce downtimes. After all, it's the organization's fault for catching the ransomware bug in the first place. Prevention, as they say, is often better than the cure.

Image via Coindesk archive.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.