Firms That Promised Ransomware Decryption Almost Always Just Pay the Hackers - jkao-propublica
https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
======
jkao-propublica
Hey HN, I'm a reporter at the non-profit newsroom ProPublica. I used to be a
software engineer in the Bay Area, but now I work primarily with data and code
for news investigations.

We published a story today that found that a lot of the firms touting their
ransomware decryption services actually end up paying the hackers (often
behind the client's back) and then tacking on a fee.

Thought you all would find it interesting. A great tidbit that my reporting
partner Renee uncovered: a former deputy FBI director was paid to promote
MonsterCloud, _while knowing_ that they paid bitcoin to cybercriminals.

He's also a former TSA director. So of course, he partnered with their CEO on
a side biz to put massage chairs in airports. ¯\_(ツ)_/¯

Anyway, thought this would be a story that HN would enjoy. Would love to hear
y'all's thoughts since this is the community with the expertise & experience
to comment. If you have things (ransomware or otherwise) you think we should
look into, would love to hear as well. :-)

~~~
jpfed
> a former deputy FBI director

> He's also a former TSA director.

That narrows it down a bit. With a name like that you'd hope he was more of a
straight shooter.

~~~
behringer
Well we're talking about the TSA here.

~~~
inflatableDodo
Thousands Standing Around, now with added massage chairs.

------
shittyadmin
I feel this is actually a decent service for a few reasons:

- Many average users don't want to understand cryptocurrencies, how to safely
and securely buy and use it is a challenge in and of itself.

- They're on the hook and the client pays nothing if the ransomer fails to
provide a working key.

- They'll also manage the ransom decryption software - if there's problems
with it there are 3rd party tools that can often do a better job of decryption
than the original decryption tool, again, this is something that's going to be
complicated for average users to deal with.

- For some ransomware there are decryption processes available without the
need to pay the ransom, figuring out which of these applies can be challenging

- Certain institutions may be unable or unwilling to work with the attacker
directly - introducing a middle man to broker can help solve this.

Overall the piece seems somewhat hyperbolic.

~~~
jplayer01
Yeah, seems like a great service to a certain degree. But it's not the service
they're selling and they're lying to their customers. Their service
incentivizes ransomware authors, so this absolutely needs transparency. I
assume most people go to them because they want the problem solved but they
feel they shouldn't be paying the hostage takers. "we don't negotiate with
terrorists" comes to mind. So if this service is doing exactly this and making
the situation worse for everybody else, this is something that needs to be
consciously weighed off and decided by the people considering their services.

~~~
londons_explore
I wonder how many of these "white hat middlemen" are also the ransomware
owners...

Obviously the two companies collaborating would give benefits to each other,
and it might just be a convenient way to separate the illegal from the
legal...

~~~
elliekelly
This was my first thought as well. What’s the biggest risk when you’re paying
the ransom? That the thief will run off with the bitcoin without providing the
key. The easiest way to mitigate that risk is to either collaborate with the
thieves or become the thieves.

------
hcs
I'd never heard of this historical precedent:

> The father of ransomware was Harvard-educated anthropologist Joseph L. Popp
> Jr. While researching the theory that AIDS originated in green monkeys in
> East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS
> education to people interested in public health. When recipients ran the
> disk, their computers froze, and a message on the screen instructed them to
> send up to $378 to a post office box in Panama for a second disk that would
> restore their access.

~~~
john-radio
Holy crap, that message:

> ATTENTION I have been elected to inform you that throughout your process of
> collecting and executing files, you have accdientally ¶HÜ¢KΣ► yourself over:
> again, that's PHUCKED yourself over. No, it cannot be; YES, it CAN be, a
> √ìτûs has infected your system. Now what do you have to say about that?
> HAHAHAHAHA. Have ¶HÜÑ with this one and remember, there is NO cure for AIDS.

~~~
GlitchMr
This isn't the AIDS malware in question. You are looking for Aids Info Disk/PC
Cyborg Trojan.

------
arosier
> Although bitcoin transactions are intended to be anonymous and difficult to
> track, ProPublica was able to trace four of the payments.

I didn’t think Bitcoin transactions were intended to be anonymous and
difficult to track, why would Bitcoin use a public ledger if that was the
intention? I was under the impression other cryptocurrencies are trying to
solve for “anonymous and difficult to track.”

~~~
anextomp
The term is pseudonymous - the list of all transactions is available for
anyone to look at but in theory you can't link bitcoin addresses to people.

However, in practice, most people buy bitcoins via a method that requires ID,
which links their ID to one of their addresses. Multiple addresses can then be
linked together by cluster analysis based on usage patterns

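The cluster analysis anextomp mentions, as an added example (not code from the article or from anyone in the thread): the common-input-ownership heuristic groups every input address of a transaction under one owner, and an identity known for a single address (an ID-verified exchange deposit, in the constructed `KNOWN` table) then labels the whole cluster. The ledger records and address names are constructed placeholders.

```python
"""Common-input-ownership clustering (added example, not from the article
or the thread). Every input of a transaction is signed by the same wallet,
so the heuristic assumes all input addresses of one transaction share an
owner; union-find merges those sets across the ledger, and an identity
attached to one address (an exchange's ID record) labels the whole cluster.
All ledger records below are constructed placeholders."""


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_of(transactions, addr):
    """All addresses assumed to share an owner with addr (always includes addr).
    Outputs are ignored: change-output heuristics are a noisier, separate step."""
    ds = DisjointSet()
    for tx in transactions:
        for other in tx["inputs"]:
            ds.union(tx["inputs"][0], other)  # single-input txs just register
    root = ds.find(addr)
    return frozenset(a for a in ds.parent if ds.find(a) == root)


def attribute(transactions, known):
    """Propagate {address: identity} labels to every member of each cluster."""
    labels = {}
    for addr, identity in known.items():
        for member in cluster_of(transactions, addr):
            labels[member] = identity
    return labels


# Constructed ledger; "inputs" lists the addresses that signed each spend.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"]},
    {"txid": "tx2", "inputs": ["A2", "A3"]},
    {"txid": "tx3", "inputs": ["B1", "B2"]},
    {"txid": "tx4", "inputs": ["C1"]},
]
KNOWN = {"A1": "exchange-account-42"}  # constructed ID-verified deposit address

if __name__ == "__main__":
    print(sorted(cluster_of(SAMPLE_TXS, "A3")))
    print(attribute(SAMPLE_TXS, KNOWN))
```

A3 never touched the exchange, yet it inherits the label through A2; this is the linking the comment describes.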
------
paid-themselves
So...

How do we know that they (MonsterCloud) weren't _also_ the criminals on the
other side of the bitcoin transaction?

Is it possible this was all a giant payola/extortion ring?

I mean, the criminals were just _that_ reliable, organized and scrupulous
about unlocking their victims?

~~~
yoz-y
If it became known that ransomware criminals never actually decrypt your data
they would lose their "business", so it is in their interest to actually do
it.

It certainly is not impossible that the decrypting company would be so scummy
but it is in the same vein as accusing a home security company financing
burglars to go on rampage.

~~~
lftl
> If it became known that ransomware criminals never actually decrypt your
> data they would lose their "business", so it is in their interest to
> actually do it.

This opens up one of those weird moral dilemmas akin to asking whether it's
moral to hack someone's exposed device to patch a security hole: Would it
actually be a net positive to create a ransomware variant that had no
decryption key, but acted like it did?

~~~
shittyadmin
There've been a few cases where the ransomware was not decryptable - sites
like BleepingComputer frequently discuss which ransomware have been cracked by
researchers, which are currently actively run and will provide keys and which
are undecryptable and you shouldn't pay in any circumstances. Basically it
just makes things more complicated, but people are still willing to pay if
they can in their specific case and the one they're infected with is reported
as regularly providing good keys.

------
unnouinceput
quote 1: “The reason we have such a high recovery rate is that we know who
these attackers are and their typical methods of operation,” he said. “Those
victims of attacks should never make contact themselves and pay the ransom
because they don’t know who they are dealing with.”

quote 2: "It stopped dealing with the SamSam hackers after the U.S.
government identified them as Iranian and took action against them, he said.
Until then, he said, the company did not know they were affiliated with Iran."

There you have it, the way of the managers, lie lie and more lies, as long as
$$$ can be made.

~~~
unnouinceput
Also this. Quote: "Witherspoon was especially impressed by his primary contact
at MonsterCloud, Zack Green. “Zack’s title, dear God, it’s a mile long title.
He seems to know a lot.” Green’s titles on his email signature include
“Ransomware Recovery Expert,” “Cyber Counterterrorism Expert,” “Cyber Crime
Prevention Expert” and “Cyber Intelligence Threat Specialist.” We called
MonsterCloud asking for Green but were told he was in a meeting."

In my experience on dealing with US managers, the longer the titles they have,
the dumber the person is.

~~~
glenneroo
Sounds more like a bullshit artist than an idiot.. otherwise they wouldn't be
getting enough jobs to stay a profitable enterprise.

------
SlowRobotAhead
I guess the only surprising part to me was paying behind the clients back and
charging a little more.

Because on the surface, of course you pay the ransom! I specifically selected
insurance that stated up front they would pay a ransom if they had to. I think
this has to be fairly common knowledge outside of infosec.

Perhaps some CTO/CIO/CFO types would rather the peace of mind or the idea that
they aren’t helping these ransom-entrepreneurs out by paying them.

------
francisofascii
MonsterCloud quote: “Our goal is to restore the data and help the customer. If
we need to walk to the moon on broken glass, we will. We don’t care how, what,
where, whatever. Our goal is to get the data out.” Sounds like if they don't
care how, paying the criminals is a viable option for them.

------
milofeynman
I love propublica and donate monthly. Good to see it getting some great tech
coverage. Thanks for your reporting!

~~~
shearskill
Thanks for the reminder to donate, they really do fine work. AC Thompson is an
acquaintance and his coverage of fringe extremists is thorough and anxiety
inducing, but his investigations have led to bad guys going to jail many times
over.

------
motohagiography
Buying discounted receivables is one of the oldest businesses around. That it
happens to be for a criminal ransomware organization is new.

The instinct to contact ransomers and say, "hey, I see you have some
uncertainty in how much money you are going to collect. Do you want a
guaranteed amount now, or a risk adjusted figure later? If now, I can offer
you $x for a key I can use on as many customers as I can..."

Ethics aside, that's really impressive deal making.

------
scarejunba
Let's be honest. There's only one way this ends. You have vigilante ransomware
dudes who promise to decrypt the ransomed stuff and then abscond with the
money. Poison the well and people will just assume they've lost the data.

~~~
swombat
That actually would probably work... especially if the vigilantes masqueraded
as the “genuine” hackers convincingly. Then you (or the companies covered in
TFA) would just have no way of knowing whether there is any chance of
recovering the data for real.

As the probability of recovery goes down, the likelihood of being willing to
pay the ransom also goes down.

Though in a way this feels a bit like going around _actually shooting_ people
in order to “poison the well” for a group that goes around _threatening to
shoot_ people, but not actually shooting them if they pay up.

~~~
jacobush
Yes, and also with the guys not actually shooting if you pay working hard on
establishing a brand everyone can "trust". They could for instance sign their
releases of malware so it couldn't easily be spoofed by the proposed
vigilantes.

------
devereaux
Why am I not surprised?

They just provide plausible deniability to clients, who may not be able to pay
the ransom for legal reasons.

~~~
olliej
Or their clients are naive and don’t recognize that they’re being charged more
to “decrypt” than the cost of the ransom, or (plausibly) the client is
intentionally not paying the ransom because they (incorrectly) believe it
means they aren’t giving money to criminals.

~~~
XorNot
Or they maintain back channels to the groups and negotiate discounted rates on
the basis of reliability of pay outs.

~~~
olliej
I was actually wondering about that - or alternatively ye olde protection
racket type thing: they being the original authors of the attack.

Of course it’s much more plausible that they’re just scumbags looking to make
an “honest” profit off a criminal act.

~~~
Phlarp
We aren't being presented any evidence that they are playing both sides of the
table that brazenly. However, I can't see a situation where if the firm were
in a position to stop the ransomware globally that they would actually do so.

Maybe an altruistic individual within the company, but not as a directed
managerial effort.

~~~
wolco
I believe they would because the press will be worth it for future business.
Not all ransomware but certain strains.

~~~
Phlarp
If they are a UK company with a prominent young leader it seems just as likely
to get you investigated or indicted.

------
ianhawes
As much as I want to appreciate this story, it's lines like this that reflect
poorly on its authenticity:

> In a video posted online touting MonsterCloud’s services, Pinhasi wears a
> dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a
> white long-sleeve T-shirt emblazoned with the logo of teen retailer
> Abercrombie & Fitch.

~~~
fredsted
why?

~~~
ianhawes
It is a clear ad hominem attack on Pinhasi. It adds nothing to the story,
especially without context. This piece masquerades as a serious discussion
about the ethics of ransomware services but goes out of its way to equate
their personal habits with that of their business.

------
Havoc
Outsourcing the "we don't negotiate with terrorists" problem...

------
el_cujo
Unless you've got tools on the level of what the CIA or NSA has, you're
probably not cracking the encryption, but I agree it's bad to mislead your
clients (and also creates some conflict of interest concerns). It kind of
reminds me of when a family member is having computer problems and asks me to
fix things. They think I have some sort of deep knowledge of how the computer
works and can pinpoint their exact problem to fix it, when in reality I just
back up their files and reinstall windows without really knowing why things
were messed up.

------
hackerbabz
This must be a result of pure ignorance of the victims.

As far as I understand, ransomware simply applies RSA on the victim's data. If
the victims understood what that meant, they would understand that it is
entirely unrecoverable. The data is simply gone without the private key.

If the data were recoverable that would mean RSA had been broken, and the
entire world would know about that. Normal people would understand because the
global financial system would need to stop entirely while they switched to a
new algorithm.

~~~
john_moscow
There are implementation details that could make the data recoverable even
when RSA is used. The data itself is typically encrypted using a symmetric
cipher (e.g. AES) and the key used for it would be encrypted using RSA.
However, if the key for the symmetric algorithm was generated in a predictable
way (e.g. using a pseudo-RNG initialized from the system time), it could be
possible to bruteforce it in reasonable time.

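The recoverable case john_moscow describes, as an added example (not code from the article or from anyone in the thread): a constructed toy scheme draws the file key from a PRNG seeded with the infection timestamp, so a decryptor only needs a rough infection time and a known file header, regardless of how the key was RSA-wrapped afterwards. The scheme, the magic header choice and the timestamp are all constructed for illustration; a key from the OS CSPRNG is shown for contrast.

```python
"""Why a time-seeded PRNG makes the file key recoverable (added example,
not from the article or the thread). Constructed toy scheme: the 128-bit
file key is drawn from Python's Mersenne Twister seeded with the infection
timestamp, the weak step described above, and files are XORed with a
SHA-256 counter keystream under that key. The RSA wrapping of the key is
irrelevant: recovery never touches it, only the seed space."""
import hashlib
import random
import secrets

MAGIC = b"PK\x03\x04"  # zip/docx header used as the known plaintext


def weak_key(seed):
    """Key from a PRNG seeded with a timestamp: roughly 2^32 possibilities."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_key():
    """Key from the OS CSPRNG: 2^128 possibilities, no feasible search."""
    return secrets.token_bytes(16)


def xor_stream(key, data):
    """Symmetric: encrypts and decrypts with a SHA-256(key || counter) stream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def recover_seed(ciphertext, approx_time, window):
    """Try every seed within +/- window seconds of the estimated infection
    time; return (seed, key) when the header decrypts to MAGIC, else None."""
    head = ciphertext[:len(MAGIC)]
    for seed in range(approx_time - window, approx_time + window + 1):
        key = weak_key(seed)
        if xor_stream(key, head) == MAGIC:
            return seed, key
    return None


# Constructed sample: one document encrypted at a roughly known time.
INFECTION_TIME = 1_558_000_000
SAMPLE_PLAINTEXT = MAGIC + b"constructed document body"
WEAK_CIPHERTEXT = xor_stream(weak_key(INFECTION_TIME), SAMPLE_PLAINTEXT)
STRONG_CIPHERTEXT = xor_stream(strong_key(), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    found = recover_seed(WEAK_CIPHERTEXT, INFECTION_TIME + 1700, 3600)
    print("weak key recovered:", found is not None)
    print("strong key recovered:",
          recover_seed(STRONG_CIPHERTEXT, INFECTION_TIME, 3600) is not None)
```

The search window of one hour is 7201 candidate seeds; the same loop against the CSPRNG-keyed file finds nothing, which is the whole difference between a strain researchers can write a decryptor for and one they cannot.
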
------
LinuxBender
Sort of Off Topic: If your data is important, back it up to something that
automation, daemons and users can't tamper with. i.e. Immutable after ${n}
minutes or hours. Replicate that data to multiple places and ensure it is also
immutable in that location. I think everyone knows this, but make excuses not
to do it. i.e. cost, laziness, indifference, risk takers, etc.

------
qwerty456127
Don't the hackers almost always just take your money and demand more without
actually decrypting anything?

~~~
SolarNet
No, that is counter to their making money. The way to make money through
ransoming something on a regular basis is to always ensure you follow through.

There are actual cases in history of ransomers attacking fellow ransomers who
_don't_ follow through for hurting the shared business model.

~~~
billpg
I think that time has passed. I've heard of too many cases of "ransomware"
that just wipes your disks and asks for money that I wouldn't pay up.

"True" ransomware requires a key management infrastructure with a capacity for
delivering a service. Setting up a bitcoin recipient takes next to no
resources. If you were criminally minded, what would you do?

It would harm the ransomware-maker's reputation? Just pick a new name every
week.

~~~
dmurray
At least one ransomware program gives you the option to pick one file to
decrypt for free, to prove that the files can be recovered.

~~~
billpg
Fine, I won't really delete the files, but move them all into a hidden ZIP
file. When the user picks the one file to rescue, the code will pull that file
out then delete the ZIP. You've got an hour to make your choice before the ZIP
gets deleted anyway.

Remember, ransomware-makers aren't providing a service anyone wants. They have
inserted themselves into the system and only care about getting their victim's
money.

------
bitcoinfailure
Of course they pay them, who actually believes these firms are capable of
breaking the encryption? This is digital hostage taking, you pay the hostage
takers, you don't try and fight them.

------
jasonhansel
I think there's a case to be made for making ransom payments illegal. Allowing
such payments only encourages the development of newer, more sophisticated
ransomware.

------
tcarn
There needs to be more accountability for Bitcoin, solve btc and you solve a
lot of these hacks...

~~~
olliej
The lack of accountability in btc is considered a feature. The fact that funds
can be tracked at all is considered a bug, hence monero and zerocoin etc.

~~~
quickthrower2
Not just a feature, it's the reason for bitcoin's existence.

~~~
acct1771
One of maaaaany.

------
devit
Is this legal?

~~~
AnIdiotOnTheNet
K&R insurance is legal, so why not?

~~~
pbhjpbhj
K&R == kidnap & ransom

