Last month, Propublica published a blockbuster investigative report on companies that claimed they could help you get your ransomware-locked data back, but who were secretly just paying off the criminals — one company got so good at it that ransomware criminals started to refer their victims to them.
Now, just to prove the point, a security researcher used sting operations on a British "ransomware solutions" company and found that they, too, simply pay the ransom, while charging a markup — doubly victimizing its customers in the process.
Fabian Wosar from the antivirus company Emsisoft says that Scotland-based Red Mosquito Data Recovery told him that they were "running tests" on his locked files, but were in actuality negotiating with criminals to pay them off, and that the payoff attempt began "minutes" after he contracted with Red Mosquito, who had promised that they would unlock the files without paying the ransom (Wosar was impersonating both the victim and the crooks).
Red Mosquito bills itself as the "professional alternative" to paying ransom.
Propublica tried to get a comment from Red Mosquito (which promised "honest, free advice") and did not hear back; the company hung up on Propublica's reporter when contacted by phone.
Meanwhile, "Joe Mess" pressed Lairg for confirmation that Red Mosquito wouldn't pay the ransom: "So you think you may be able to help without me having to pay the ransom?"
"We are still investigating and will get back to you as soon as possible," Lairg responded.
Less than an hour later, Wosar, posing as the hacker, began negotiating with "firstname.lastname@example.org," the correspondence shows.
"$1200 in Bitcoin," he wrote. "You pay, we provide key and decriptor (sic) to recover data."
The respondent sought a better deal. "Can you do for 500 USD," it replied.
Wosar's hacker alter ego agreed to lower the price. "$900. Take it or kiss data bye bye," he wrote. "We don't run chairity (sic) here."
The contact told him it would try to obtain the Bitcoin needed.
The next day, documents show, Lairg wrote to Wosar's victim email address, saying he was "pleased to confirm that we can recover your encrypted files" for $3,950 — four times as much as the agreed-upon ransom. Lairg said the firm would recover the files within an estimated three business days. Payment would be required before recovery began, but the money would be returned if they couldn't recover any of the files, he wrote.
Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With "Hackers" [Renee Dudley/ProPublica]