Grifty "information security" companies promised they could decrypt ransomware-locked computers, but they were just quietly paying the ransoms

Ransomware has been around since the late 1980s, but it got a massive shot in the arm when leaked NSA cyberweapons were merged with existing strains of ransomware, with new payment mechanisms that used cryptocurrencies, leading to multiple ransomware epidemics that locked up businesses, hospitals, schools, and more (and then there are the state-level cyberattacks that pretend to be ransomware).

The boom in ransomware infections is also a boom for companies that provide services to the infected. A lot of these companies are in the business of taking your money, sending some Bitcoin to your attackers, then holding your hand as you use the codes the attackers provide to get your files back (assuming the malware performs according to spec and that the ransomware attackers don't just run off with your dough).

But not everyone wants to pay ransom! There are ethical and political reasons to avoid paying ransom, and the more money ransomware attracts, the more clever programmers will throw themselves at the project of making ransomware even more virulent and widespread.


Some companies advertised that they could decrypt your locked-up files without paying the ransom, using proprietary methods they'd developed in house to undo the attackers' encryption. This isn't outside the realm of possibility (programmers make mistakes) but it's still a bit of a stretch (well-implemented encryption is extremely robust).

Propublica's Renee Dudley and Jeff Kao provide a deep investigative look at two of these "don't pay ransom" companies, Proven Data and MonsterCloud, and reveal that these companies made false representations and had no ability to decrypt their customers' files. Instead, they simply paid the ransoms and deceived their customers about their activities. The reps the customers dealt with turn out to be pseudonymous fake people, and the marketing endorsements on these companies' sites are also almost certainly fabricated.

Update: MonsterCloud disputes that it tells customers that it can decrypt files without paying ransom. In contrast to this dispute, Propublica cites credible independent researchers who documented these claims being made by MonsterCloud.

Proven Data not only paid ransoms, they effectively became confederates of the ransomware criminals, creating long-term, professional relationships with them that allowed them to negotiate for extra time on their customers' behalf. What's more the criminals began to refer their victims to the companies, advising the victims that if they couldn't figure out how to pay ransom or needed to be convinced that the threat was real, that they should pay these companies for their professional services.

Propublica quotes on-the-record whistleblowers, the executives at the companies, and their customers, and paint a picture of companies that engaged in blatant misrepresentation to the detriment of their customers, peddling lies and snake-oil to people who'd already been victimized. Meanwhile, public records show that the founders of these companies got ridiculously rich, buying multiple luxury homes and luxury cars. These founders deny that they told customers that their data could be decrypted without paying, but their own websites make these claims in plain language.

The grift encompasses people like former FBI director and Mueller crony John Pistole, who produced a still-available promo for MonsterCloud in which he falsely states that "MonsterCloud's proprietary technology and expertise protects their professional reputations and organizational integrity" and that this allows customers to recover their data without paying ransom — a claim Pistole admits he knows is false.


Meanwhile, Propublica traces some of the money that the anti-ransomware companies quietly paid to criminals ended up violating US sanctions against Iran.


The firms eagerly agreed to help. "They all claimed to be able to decrypt ransomware families that definitely weren't decryptable and didn't mention that they paid the ransom," Wosar said. "Quite the contrary actually. They all seemed very proud not to pay ransomers."

Soon, the email accounts that he'd set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.

"The victims are getting taken advantage of twice," he said.

Proven Data's Congionti and MonsterCloud's Pinhasi both said they could not recall this particular case. "If someone is saying that we promised up front that we would be able to decrypt their files, I am certain that this is inaccurate," Pinhasi said.

The Trade Secret [Renee Dudley and Jeff Kao/Propublica]


(via /.)