Study Finds Most Ransomware Solutions Just Pay Out Crypto

A study by ProPublica found that most ransomware solutions providers have one weird trick for getting rid of hackers - paying them off.

Ransomware activity is growing weekly according to experts at Coveware . The result? Companies who just want to pay the ransom and move on.

According to Coveware, ransomware attacks were up in Q1 2019:

Once hackers encrypt an infected computer, however, the real question is how to unlock your data. ProPublica found that many data recovery firms simply pay the ransom and then charge a premium for their trouble.

Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

Ransomware is getting worse.

After US Attorney General traced and indicted two Iranian hackers for releasing ransomware called SamSam, authorities hoped the prevalence of attacks would fall. Instead, it rose, beating 2018 levels considerably.

The reason, many believe, is because ransomware is so lucrative. Hackers can launch an attack and then, when the victims discover the hack, they negotiate briefly with companies like MonsterCloud and others to unlock the computers. However, many of these companies offer recovery methods and many security researchers work on free methods this one for the popular WannaCry ransomware.

Unfortunately, the hacks are getting worse and the software necessary is getting more complex.

Coveware admits

to actually negotiating with scammers. They've found it to be one of the simplest methods for getting data back. The concern, however, is that these efforts are inadvertently funding terrorism. Further, they write, it is taking longer to decrypt hacked computers, thanks to new versions of the ransomeware. In Q1 2019, wrote Coveware, the "average downtime increased to 7.3 days, from 6.2 days in Q4 of 2018."

Coveware CEO Bill Siegel has found that the average ransomware recovery isn't really a negotiation with "terrorists" as US Government officials believe. They've negotiated a "few hundred" ransomware cases this year and find that each hacker is different and often just frustrated.

"Our sense based on our study of the industry and experience is that the vast vast majority are relatively normal people that don't have legal economic prospects that match their technical abilities," Siegel said. "They also live in parts of the world that are beyond the jurisdiction of Western law enforcement, and are ambivalent about stealing from the West."

Their process for talking with the hackers is also quite precise.

Zohar Pinhasi of MonsterCloud said his company worked hard to use both methods - recovery and ransom.

While sending a few thousand BTC to a strange address might not sit well with many victims, it still looks like the best way to reduce downtimes. After all, it's the organization's fault for catching the ransomware bug in the first place. Prevention, as they say, is often better than the cure.

Image via Coindesk archive.