A damning new study has revealed the trick up the sleeve of some so-called ransomware solution providers—just pay the hackers their ransom in crypto.
Investigative journalists at ProPublica found that companies were increasingly choosing to simply pay hackers and move on, against a backdrop of a steep rise in the prevalence of these types of attack. According to figures published by ransomware analysts Coveware, the first quarter of this year saw both the frequency and scale of these attacks increase.
“In Q1 of 2019, the average ransom increased by 89% to $12,762, as compared to $6,733 in Q4 of 2018. The ransom increase reflects increased infections of more expensive types of ransomware such as Ryuk, Bitpaymer, and Iencrypt. These types of ransomware are predominantly used in bespoke targeted attacks on larger enterprise targets,” the report noted.
ProPublica found at least two firms that had been paying off SegWit scammers on behalf of their clients:
“Proven Data promised to help ransomware victims by unlocking their data with the ‘latest technology,’ according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.”
Even Florida-based company MonsterCloud, which professed to use its own data recovery, was revealed to have also been paying ransoms, “sometimes without informing victims such as local law enforcement agencies,” according to the ProPublica report, noting, “The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts…Both firms have used aliases for their workers, rather than real names, in communicating with victims.”
Zohar Pinhasi of MonsterCloud was quoted by CoinDesk saying the firm did indeed pay ransoms on some occasions: “We are a cyber security company, not a data recovery company. We have vast knowledge and experience dealing with these criminals, and we spend countless hours staying atop their evolving methods in order to provide our clients with protections against all future attackers, not just the one infiltrating their data at the time they come to us.”
Pinhasi added, “We offer a money back guarantee to any client if we are unable to recover their data, and to date we have not had a single client report a follow-up attack from the same criminals or any other attacker.”
In a statement to CoinGeek, however, a MonsterCloud representative clarified that the company “never claimed to decrypt the data for customers” in its advertising or on its website.
“We provide a money-back guarantee, which means that the customers are protected if they decide to use our services. We provide cybersecurity insurance that covers the cost of future damages caused by ransomware,” the representative said. “The scenarios where MonsterCloud pays the ransom on behalf of the customer are described on our website under Q&A as well as in our contracts.”
Law enforcement officers, meanwhile, “are always assisted free of charge,” according to the company.
While paying the ransom might be expedient, there are growing concerns these practices could be in part responsible for the rapid growth in crypto ransomware scams worldwide.
Editor’s note: This article has been updated to include the statement from MonsterCloud.