ProPublica: Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers

[Cooked Crack]

Quote

FROM 2015 TO 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

“You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”

Quote

Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”

Quote

Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/

[The Sisko]

I experienced this as an employee of one of the targets. It was as devastating to our operations as advertised. Our leadership was adamant pretty much from the beginning that we wouldn’t be paying any ransom. We never got our data back so maybe it did go down that way in our case. However, it would really suck for other victims to pay extra money to take a principled stand against criminals, only to have the ransom paid anyway.🙄

[Renegade7]

Updates and backups, it's really not that hard, people.