In testimonials on MonsterCloud's website, four local law enforcement agencies praise the firm for restoring their data following ransomware attacks. Photograph: Jeffery A Salter/Jeffery Salter
"That's when we made the phone call to them," he recalled. "They said: 'Don't worry about it. We are pretty sure we can get everything back.'"
Another reason he chose MonsterCloud, he said, was that it wouldn't pay the ransom. "I'm the one in the seat, the one charged to safeguard the department," he said. "To turn around and spend taxpayer money on a ransom, that is absolutely the wrong decision. It is the nuclear option. But with MonsterCloud, we can just remove that option."
MonsterCloud restored the police department's files within 72 hours, and assured the department it did not pay a ransom, Henson said. In return for the testimonial, it waived its $75,000 fee.
MonsterCloud's contract with the Trumann police, obtained under a public records request, calls its recovery method a "trade secret" and says the firm would not explain the "proprietary means and methods" by which clients' files were restored. It also says that if "all possible means of directly decrypting clients' files have been exhausted," the firm would attempt to recover data by "communicating with the cyber attacker."
Pinhasi said that the Trumann department was crippled by the Dharma strain of ransomware. Wosar and Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware, said there was no known way of decrypting the Dharma ransomware in use at the time. They said MonsterCloud must have paid a hacker.
Pinhasi declined to say how MonsterCloud retrieved Trumann's data, but noted that it did so for free. "We provide complimentary services to law enforcement agencies," he said. "There has never been one cent of taxpayer money used for any ransom we've been involved with."
In April 2016, a strain of ransomware called DMA Locker infiltrated the computer files and backups for Leif Herrington's real estate brokerage in Anchorage, Alaska. The ransom note demanded four bitcoin, then worth about $1,680. Herrington called the FBI's office there. "They said: 'There's thousands of these going on every day, we don't have the resources to do anything,'" Herrington said.
He called Proven Data Recovery. It told him it could unlock his files for $6,000. "They represented that they had proprietary software they developed to unencrypt," Herrington said. "They never said anything about paying the ransom."
A January 2018 FBI affidavit, seeking a search warrant to obtain information from Proven Data and its email provider, lays out what happened next. Herrington's IT consultant, Simon Schroeder, gave Proven Data a sample infected file for evaluation. A couple of days later, Schroeder watched as Proven Data unlocked a set of files in 45 minutes.
The firm cleared the files so quickly that Schroeder suspected it paid the ransom. Although Herrington was back in business, he called the FBI again. An agent came to his office to ask about Proven Data, Herrington said, adding that he and Schroeder turned over all their documents.
Herrington told the agent that he "didn't know whether Proven Data actually had keys or if they were in cahoots with the ransomware attackers and just collected the money," he said.
The FBI confirmed his hunch. Records provided to the FBI pursuant to a federal grand jury subpoena showed four bitcoin flowing from a Proven Data account to the online wallet that the attackers had designated for payment. An email from the hacker's address thanked Proven Data for the payment and included instructions on decrypting Herrington's files.
"Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim's files by paying the subject the ransom amount," the affidavit said. (An FBI spokeswoman said in January that the bureau could not discuss the case because it was active. The US Department of Justice declined this month to identify the target of the investigation or to say if it's still ongoing. As yet, no charges have been publicly filed.)
Storfer wondered if the hacker behind DMA Locker was a British soccer fan because his emails contained references to Manchester United, including one username of "John United" and another honoring former team manager Alex Ferguson. The ransom price was in British pounds, an unusual currency in ransomware circles, he said.
Congionti acknowledged that the company paid Herrington's ransom. "It was the only option to get his data back," Congionti said. "We regret that he felt misled ... There was obviously a misunderstanding as to how we would solve his problem. We have re-examined all of our practices and procedures to ensure that such a misunderstanding does not occur again."
In 2017, Storfer was a year out of college and looking for a job when he spotted an opening for an office manager at Proven Data Recovery. After a short time there, he was assigned to negotiate with hackers. Storfer was "responsible for some of the correspondence with ransomware attackers," Congionti said.
He soon realized that ransomware is a vast global industry. Most attacks on US targets originate from foreign countries, especially Russia and eastern Europe. There are hundreds of ransomware strains, and thousands of variants of those strains. Some are sidelined as their financial returns diminish or cybersecurity researchers devise ways to neutralize them, while new ones are always emerging.
Some ransomware attacks hit millions of computers indiscriminately, hoping to infiltrate them through infected spam email attachments. Others target businesses, government agencies, and not-for-profit organizations, sometimes with brute-force tools that invade computer networks. While individuals are frequently attacked, criminals increasingly extort institutions that have deeper pockets and that readily pay the ransom to minimize disruption to their operations.
Once ransomware penetrates the computer, a ransom note pops up on the screen. It may direct victims to a page only accessible through Tor, a dark web browser, or to a hacker's email address, for information on how to pay. Once the hackers receive confirmation of payment, usually in bitcoin but sometimes in even less traceable forms of cryptocurrency, such as Dash and Monero, they send the software and key to unlock the files.
The hackers sometimes offer discounts, which Congionti said Proven Data's present policy is to pass on to clients. The dark website for the GandCrab strain offers a promo code box on its ransom checkout page exclusively for data recovery firms. After paying a ransom, the firms receive a code for a discount on a future ransom.
Proven Data kept a list of hackers who could supply decryption keys quickly and cheaply as needed, Storfer said. He bargain-hunted by stirring up market rate competition among them. "Even though one group may have done the hacking, a different group could provide you with the key and unlock the files of Proven Data's client," he said.
Storfer often didn't know who he was dealing with. It could have been the ransomware creator or a middleman. He learned quickly never to use the term "hacking." Instead, he would assume his correspondent "thinks they're a businessman," Storfer said. "I'd say: 'Look, we can't afford this at this time. Do you mind providing your product at a lower rate?'" And it worked, he said. "They're doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way."
The rapport reaped discounts. "Once, we were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them," Storfer said.
Once the attackers agreed to lower the ransom for one client, it was easier to persuade them to reduce it for others as well. He'd tell them: "Look, we have another client who you may be able to help. Can you provide this pricing?" Their response is: "Sure thing."
Storfer rarely revealed his company's name to hackers. Still, by using the same anonymous email address repeatedly, he became familiar to them. "The hackers would want to verify that we worked with them before."
"And I want to be clear, 'worked with them' being the most accurate term, but I want to say that there is no love in this agreement," Storfer said. "And it was something that we would openly talk about, about how creepy and crawly we felt in general to have to put yourself on their side and empathize with these individuals to get them to work with you. Because you kind of have to shed your skin afterwards."
Despite Storfer's best efforts, sometimes the hackers behaved erratically. Proven Data would pay the requested ransom, but they would not respond. At such times, Storfer would share the attacker's email address and details of the snub with other hackers in the same group.
"Then the hacker would come back and say: 'Sorry, I've been on a coke binge for three weeks,'" Storfer said.
Storfer's conscience was weighing on him. He took a "don't ask, don't tell" approach to informing clients that Proven Data would pay their ransoms. If they didn't ask, "it was more of a lie by omission," he said. If they asked, he told the truth. He never felt comfortable interacting with cybercriminals. "But for the good of helping people that we were dealing with and making their lives easier, I thought it was a real benefit."
Even after Storfer left for a job outside the data recovery industry, Proven Data still paid the SamSam hackers. Chainalysis found that on 16 November 2018, 1.6 bitcoins, or about $9,000 at the time, moved from Proven Data's wallet to a digital currency address associated with the SamSam attackers, an intermediary step on the chain to the Iranian-controlled wallet. Twelve days later, the Iranians were indicted, and payments into their wallets were banned.
Today, hardly any money is left in those Iranian wallets.