Ransomware has become a favorite attack vector
for hackers - after all, for them, it’s pretty much a no-loss game. They either
get paid, or they move on to their next target. Unfortunately, cyberattackers
that dispatch ransomware often do get paid, and these payments can sometimes
come from a surprising source: cybersecurity firms.
What Happened with SamSam
You may recall the SamSam outbreak, which
stretched from 2015 to 2018 and racked up $30,000,000 in damages across 200
entities. This large total was partially due to the fact that SamSam knocked
out a few sizable municipalities, including the cities of Atlanta and Newark,
the port of San Diego, the Colorado Department of Transportation, and medical
records across the nation.
The ransom demand sent to Newark gave a
one-week deadline to pay the ransom in Bitcoin, after which the attackers would
render the files effectively useless.
In November 2018, then-Deputy Attorney General
Rod Rosenstein announced that two Iranian men had been indicted on fraud charges
by the United States Department of Justice for allegedly developing the SamSam
strain and carrying out these attacks with it. As Rosenstein pointed out, many
of SamSam’s targets were the kind of public agencies whose primary goal was to
save lives - meaning that the hackers responsible knew that their actions could
do considerable harm to innocent victims. Unfortunately, those responsible have
never been apprehended.
How Some Cybersecurity Firms Just Pay the Ransoms
According to a former employee, Jonathan
Storfer, the firm Proven Data Recovery (headquartered in Elmsford, New York)
regularly made ransomware payments to SamSam hackers for over a year.
ProPublica managed to trace four payments made in 2017 and 2018 from an online
wallet controlled by Proven Data, through up to 12 Bitcoin addresses, before
finally ending up in a wallet controlled by the Iranians.
This wasn’t a huge revelation to Storfer, who
worked for the firm from March 2017 until September 2018.
“I would not be surprised if a significant
amount of ransomware both funded terrorism and also organized crime… So, the
question is, every time that we get hit by SamSam, and every time we facilitate
a payment – and here’s where it gets really dicey – does that mean we are
technically funding terrorism?”
According to Proven Data, they assist
ransomware victims by using the latest technology to unlock their files.
According to Storfer and the FBI, however, Proven Data instead pays ransoms to
obtain the decryption tools that their clients need. Storfer actually states
that the firm was able to build a business-like relationship with the hackers,
negotiating extensions on payment deadlines - and the hackers would actually
direct their victims to Proven Data.
Another firm, Florida-based MonsterCloud,
follows a few similar ‘strategies,’ according to ProPublica. In addition to
paying the ransoms (sometimes without informing the victims), these companies
then add an upcharge to the ransom payment.
However, it becomes important to consider
where the money that is used to pay these ransoms is actually coming from. In
the case of SamSam, many of the victims received some kind of government
funding, which means that - if the ransoms were paid - taxpayer money likely
wound up in the hands of cybercriminals in countries hostile to the United
Differing Accounts from Proven
Proven Data provides the following disclaimer
on their website:
“[PROVEN DATA] DOES NOT CONDONE OR
SUPPORT PAYING THE PERPETRATOR’S DEMANDS AS THEY MAY BE USED TO SUPPORT OTHER
NEFARIOUS CRIMINAL ACTIVITY, AND THERE IS NEVER ANY GUARANTEE TO OBTAIN THE
KEYS, OR IF OBTAINED, THEY MAY NOT WORK. UNFORTUNATELY, SOME CASES MAY REQUIRE
THE PAYMENT OF THE DEMAND IN HOPES OF OBTAINING THE MEANS TO DECRYPT YOUR DATA.
AS A LAST RESORT OPTION, [PROVEN DATA] RESERVES THE RIGHT TO PAY THE DEMAND FOR
THE PURPOSE OF RESTORING BUSINESS FUNCTIONALITY AS SOON AS POSSIBLE. THE CLIENT
ACKNOWLEDGES THAT THIS WILL BE AN OPTION EXPLORED BY [PROVEN DATA] IF ALL OTHER
CONVENTIONAL METHODS ARE NOT POSSIBLE.”
However, the company’s chief executive, Victor
Congionti, revealed to ProPublica that their actual standard operating
procedures are significantly different. Unless a decryption key is already
available (which generally means that the hackers utilized an outdated variant
of their attack) Proven Data tends to default to paying the ransom - and is
apparently open with their clients about doing so.
According to Congionti, the SamSam attackers
were paid upon the direction of their clients, and once it was discovered who
the attackers were, Proven Data stopped dealing with them as they had not known
they were affiliating with Iranian nationals.
Should You Pay the Ransom?
According to Congionti, it would certainly
seem so. As he said: “It is easy to take the position that no one should pay a
ransom in a ransomware attack because such payments encourage future ransomware
attacks. It is much harder, however, to take that position when it is your data
that has been encrypted and the future of your company and all of the jobs of
your employees are in peril. It is a classic moral dilemma.”
The Federal Bureau of Investigation seems to
take a “do as I say here, not as I say there” approach. Some spokespeople (and
it seems to depend on who they are talking to) will denounce paying a data
ransom. As one FBI spokesperson put it, paying a ransom “encourages continued
criminal activity, leads to other victimizations, and can be used to facilitate
serious crimes.” However, 2015 news reports quoted the assistant special agent
in charge of the FBI’s cyber program as stating that the bureau’s practice is
to “often advise people to just pay the ransom.”
At Emerge, it is our position that you should never, ever pay a cybercriminal’s ransom demand. First, do you really trust them to return your data once they have received payment? Second, that payment only serves to fund further cybercrime.
Instead, we prefer to take a proactive
approach. We do so with a full, isolated backup of your data, allowing you to
restore any data that may be encrypted in a ransomware attack. That way, you
aren’t paying criminals to maybe get
your data back, and you can move on and continue your operations.
To learn more about how we can protect your business against ransomware and other threats, reach out to us at 859-746-1030.