As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra.

From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

“You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”

At a press conference last November, then-Deputy Attorney General Rod Rosenstein announced that the U.S. Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. Many SamSam targets were “public agencies with missions that involve saving lives,” and the attackers impaired their ability to “provide health care to sick and injured people,” Rosenstein said. The hackers “knew that shutting down those computer systems could cause significant harm to innocent victims.”

We’re Reporting on Ransomware. Do You Know Something About an Attack? Has your organization been hit by ransomware? Did you hire a data recovery firm? Do you know how an attack works from the inside? Let us know. Want this story emailed to you? We’ve gone deep on this one, and the result is close to 9,000 words long. Enter your email, and we’ll send you a text-only version, as well as ProPublica’s biggest investigations. Sign up to get ProPublica’s investigations delivered to your inbox. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

In a statement that day, the FBI said the “criminal actors” were “out of the reach of U.S. law enforcement.” But they weren’t beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.

Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”

Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.

Tracing Ransom Payments From Proven Data to Iran Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four payments from New York-based Proven Data Recovery to the SamSam ransomware attackers in Iran. One payment was sent on Nov. 15, 2017, from an online wallet controlled by Proven Data to one specified by the attackers. It was then laundered through 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions against funding the Iranian regime. Proven Data said it stopped dealing with the SamSam hackers after the U.S. government took action against them, and that until then, it did not know they were affiliated with Iran. Source: ProPublica/Chainalysis. Graphic: Rob Weychert/ProPublica.

In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.

Siegel refers to a handful of firms globally, including Proven Data and MonsterCloud, as “ransomware payment mills.” They “demonstrate how easily intermediaries can prey on the emotions of a ransomware victim” by advertising “guaranteed decryption without having to pay the hacker,” he said in a blog post. “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.”

MonsterCloud chief executive Zohar Pinhasi said that the company’s data recovery solutions vary from case to case. He declined to discuss them, saying they are a trade secret. MonsterCloud does not mislead clients and never promises them that their data will be recovered by any particular method, he said.

“The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation,” he said. “Those victims of attacks should never make contact themselves and pay the ransom because they don’t know who they are dealing with.”

On its website, Proven Data says it “does not condone or support paying the perpetrator’s demands as they may be used to support other nefarious criminal activity, and there is never any guarantee to obtain the keys, or if obtained, they may not work.” Paying the ransom, it says, is “a last resort option.”

However, chief executive Victor Congionti told ProPublica in an email that paying attackers is standard procedure at Proven Data. “Our mission is to ensure that the client is protected, their files are restored, and the hackers are not paid more than the minimum required to serve our clients,” he said. Unless the hackers used an outdated variant for which a decryption key is publicly available, “most ransomware strains have encryptions that are too strong to break,” he said.

Congionti said that Proven Data paid the SamSam attackers “at the direction of our clients, some of which were hospitals where lives can be on the line.” It stopped dealing with the SamSam hackers after the U.S. government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. “Under no circumstances would we have knowingly dealt with a sanctioned person or entity,” he said.

Proven Data’s policy on disclosing ransom payments to clients has “evolved over time,” Congionti said. In the past, the company told them it would use any means necessary to recover data, “which we viewed as encompassing the possibility of paying the ransom,” he said. “That was not always clear to some customers.” The company informed all SamSam victims that it paid the ransoms and currently is “completely transparent as to whether a ransom will be paid,” he said.

“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”

No U.S. laws prohibit paying ransoms. The FBI frowns on it officially — and winks at it in practice. Ransom payment “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes,” an FBI spokesperson told ProPublica in an email. But in 2015, the assistant special agent in charge of the FBI’s cyber program in Boston said at a cybersecurity conference that the bureau will “often advise people just to pay the ransom,” according to news reports.

Paying a ransom while pretending otherwise to a client, though, could constitute deceptive business practices prohibited by the Federal Trade Commission Act, said former FTC acting chairman Maureen Ohlhausen. “Any claim that a company makes, they can legally be held to that claim,” she said. Neither MonsterCloud nor Proven Data has been cited by the FTC.

Storfer, who worked for Proven Data from March 2017 until September 2018, said in a series of interviews that the company not only paid ransoms to the SamSam hackers, but also developed a mutually beneficial relationship with them. As that relationship developed, he said, Proven Data was able to negotiate extensions on payment deadlines.

“With SamSam, we could say, hello, this is Proven Data, please keep this portal open while we contact and interact with the customer while moving forward,” Storfer said. “And they would remove the timer on the portal. And then they would respond quicker and in many cases would be able to provide things a little bit easier.”

The SamSam attackers didn’t identify themselves, he said. While Proven Data generally concealed its identity when responding to ransom demands, “we were very open” with the SamSam hackers, “and we would essentially announce ourselves,” Storfer said.

Eventually, the attackers began recommending that victims work with the firm. “SamSam would be like, ‘If you need assistance with this, contact Proven Data,’” said Storfer, who declined to identify clients. Some of them wondered about this endorsement. “Honestly, the weirdest thing was clients would ask us why, and we would have to respond to that, which was not a really fun conversation,” he added.

The referrals indicate the SamSam hackers’ confidence that Proven Data would pay the ransom, said Bart Huffman, a Houston lawyer specializing in privacy and information security. Such prior understandings could be seen as a criminal conspiracy and may violate the U.S. Computer Fraud and Abuse Act, he said.

“That does seem like you are working for the other side,” Huffman said. “You are facilitating the payment at the recommendation of SamSam, in the manner suggested by SamSam.”

Proven Data has never been charged with such a violation. The company “never had a ‘close relationship’ with SamSam attackers,” said Congionti, who didn’t comment on the recommendations specifically. “Our contact with attackers is limited to minimizing the attack on the customer. … Anyone can reach out to a hacker and tell them to keep the portal open longer.”

The father of ransomware was Harvard-educated anthropologist Joseph L. Popp Jr. While researching the theory that AIDS originated in green monkeys in East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS education to people interested in public health. When recipients ran the disk, their computers froze, and a message on the screen instructed them to send up to $378 to a post office box in Panama for a second disk that would restore their access.

The FBI arrested Popp before he could carry out his plan to distribute another 2 million disks. U.S. officials extradited him to England, where he was deemed mentally unfit to stand trial, John Kilroy, one of his lawyers, said.

“I believe he sincerely wanted to stop the spread of AIDS,” Kilroy said. “He lost his way in doing the ransom. I don’t think he had a good understanding of the consequences for other people.”

Popp, an Ohio native, returned to the U.S. and settled in Oneonta, New York. There, he helped establish a butterfly conservatory that was named in his honor after he died in a 2006 car accident at age 55, according to a local news clipping and his death certificate.

He didn’t live to see his brainchild become one of the world’s most common types of cybercrime. It wasn’t until 2012, when bitcoin began gaining traction, that ransomware took off. The decentralized digital currency made it difficult to trace or block payments.

Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security.

“Ransomware continues to spread and is infecting devices around the globe,” the FBI said in a statement. “We are seeing different kinds of ransomware, different deployment methods, and a coordinated distribution. The FBI considers it one of the top cybercriminal threats.”

Yet the FBI’s Internet Crime Complaint Center counted only 1,493 ransomware victims in 2018 — a figure the bureau itself says represents only a small fraction of total incidents. Victims don’t report attacks, perhaps because they’re embarrassed or reluctant to admit to gaps in their IT security, according to law enforcement officials.

Even when victims do report ransomware, the culprits are rarely caught. The Iranians who allegedly distributed SamSam were the first people ever indicted by the U.S. government for deploying a ransomware scheme, although others have pleaded guilty to money laundering or computer damage in connection with ransomware.

While demands to businesses and municipal governments have reached as high as six figures, the average ransom sought is a few thousand dollars, according to cyberresearch firms. That’s well below the thresholds maintained by federal prosecutors to trigger an investigation, said former FBI Deputy Director John Pistole. Local police departments lack the resources to solve cybercrime and themselves are frequently ransomware targets. “It is a weird gray area where there is a law but it isn’t enforced,” said Jeffrey Kosseff, an assistant professor of cybersecurity law at the United States Naval Academy. “Ransomware is a real failure of the current legal system. There is not a good remedy.”

European law enforcement agencies have had more success. In March 2018, for example, the Polish Police — in cooperation with the Belgian Federal Police and Europol — arrested a Polish national suspected of having infected several thousand computers with ransomware. European law enforcement officials “just hang out on Slack channels where we tell them stuff,” said Fabian Wosar, a U.K.-based security researcher, referring to the popular messaging platform.

Asked whether its agents also gather information via Slack, the FBI said that it “must adhere to rules relating to federal agency recordkeeping, which makes the adoption of more agile communication methods trickier for us than for private sector companies.”

When Wosar discovered servers in the U.S. and the Netherlands that likely contained the attackers’ decryption keys for the ASN1 ransomware strain and could help identify the criminals, he and another researcher notified the FBI and the Dutch National Police. “Great news,” a member of the Dutch high-tech crime team responded. “We are eager to start things up” and “try to seize the servers.” The FBI replied with basic questions that reflected a lack of understanding of how ransomware works, said Wosar, who is head of research at anti-virus provider Emsisoft.

On another occasion, Wosar had what he called a “very hot lead” on the inventor of the ACCDFISA strain. He tried one FBI agent after another and ended up submitting his tip on the “FBI homepage like everyone else,” he said. “I’m sure it got lost among hundreds of thousands of submissions.” The bureau declined to comment on the incidents.

As ransomware proliferated without an effective law enforcement response, an industry sprang up to unlock victims’ computers. In the U.S., it was dominated by two firms: Proven Data and MonsterCloud. Each says it has assisted thousands of victims.

The companies’ claims to be able to release files using their own technology aroused Wosar’s curiosity. He and other security experts sometimes find ways to disable ransomware, and they post those fixes online for free. But they can decrypt ransomware only if there are errors in the underlying software or if a security lapse allows the researchers to hack into the attacker’s server, he said; otherwise, it’s essentially bulletproof.

“If there is a company that claims they broke the ransomware, we are skeptical,” Wosar said. “Everything the ransomware did has been analyzed by other researchers. It’s incredibly unlikely they were the only ones to break it.”

In December 2016, he devised an experiment dubbed “Operation Bleeding Cloud,” after MonsterCloud and the notorious “Heartbleed” software vulnerability. He and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed MonsterCloud, Proven Data and several data recovery firms based in the U.K. and Australia, posing as a victim who didn’t want to pay a ransom.

Wosar said he sent some sample encrypted files to the firms along with a fake ransom note that he had written. Like many ransom notes, the demand included an email address to contact the attacker for instructions on how to pay. Each note also contained a unique ID sequence for the victim, so Wosar could later identify which firm had contacted him even if it used an anonymous email account.

The firms eagerly agreed to help. “They all claimed to be able to decrypt ransomware families that definitely weren’t decryptable and didn’t mention that they paid the ransom,” Wosar said. “Quite the contrary actually. They all seemed very proud not to pay ransomers.”

Soon, the email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.

“The victims are getting taken advantage of twice,” he said.

Proven Data’s Congionti and MonsterCloud’s Pinhasi both said they could not recall this particular case. “If someone is saying that we promised up front that we would be able to decrypt their files, I am certain that this is inaccurate,” Pinhasi said.

Last year, the research division of Israeli cybersecurity company Check Point Software Technologies used a similar tactic to unmask Dr. Shifro, a Russian company. Dr. Shifro purported to use its own technology to liberate computers locked by ransomware, but it actually negotiated with a security researcher posing as the hacker, according to Check Point. Dr. Shifro did not respond to an email in both Russian and English seeking comment.

Storfer, the former Proven Data ransom negotiator, said he was saddened to read of Dr. Shifro’s tactics. “That’s basically what I was doing,” he said.

In 2017, Storfer was a year out of college and looking online for a job close to his Westchester County, New York, home when he spotted an opening for an office manager at Proven Data. He’d never heard of the company, but he applied and was hired.

He thought he would be scheduling meetings, sending out packages and accepting deliveries. But prior jobs at retail stores and restaurants had honed his customer service skills. After a short time at Proven Data, he was given the title of client solutions manager and assigned to negotiate with hackers. Storfer “was responsible for some of the correspondence with ransomware attackers,” Victor Congionti said. The job, which Storfer said paid a starting salary of about $41,000 a year, provided a unique window onto the rarely glimpsed underworld of cybercrime.

He soon realized that ransomware is a vast global industry. Most attacks on U.S. targets originate from abroad, especially Russia and Eastern Europe. There are hundreds of ransomware strains and thousands of variants of those strains. Some are sidelined as their revenues diminish or cybersecurity researchers devise ways to neutralize them, while new ones are always emerging.

Some ransomware attacks hit millions of computers indiscriminately, hoping to infiltrate them through infected spam email attachments. Others target businesses, government agencies and nonprofit organizations, sometimes with “brute-force” tools that invade computer networks. While individuals are frequently attacked, criminals increasingly extort institutions that have deeper pockets and readily pay the ransom to minimize disruption to their operations.

Once ransomware penetrates the computer, victims are unable to open their files, which are often renamed with a new extension. Generally, a ransom note pops up on the screen. It may direct victims to a page only accessible through Tor, a dark web browser, or to a hacker’s email address, for information on how to pay. The hackers may offer to decrypt a sample file. When they receive confirmation of payment — usually in bitcoin but sometimes in even less traceable forms of cryptocurrency, such as Dash and Monero — they send the software and key to unlock the files. Most hackers live up to their end of the deal, Storfer said. Otherwise, they are denounced as cheaters on websites frequented by victims, researchers and data recovery firms, and their ransom demands lose credibility, he and others said.

Some attackers warn victims to avoid data recovery firms. “Decryption of your files with the help of third parties may cause increased price (they add their fee to our),” said one ransom note posted on Coveware’s website.

More sophisticated cyberattackers cultivate firms like Proven Data as a source of income. The hackers sometimes offer discounts, which Congionti said the company’s “present policy” is to pass on to clients. The dark website for the GandCrab strain offers a “promo code” box on its ransom checkout page exclusively for data recovery firms. After paying a ransom, the firms receive a code for a discount on a future ransom.

Proven Data’s rival, MonsterCloud, is run by Pinhasi, who describes himself as a former IT security intelligence officer for the Israeli military. He declined ProPublica’s request to visit its South Florida storefront office, saying it was being renovated. Instead, over a mid-February lunch at Shalom Haifa, a nearby restaurant, Pinhasi guardedly discussed his business.

He said MonsterCloud handles up to 30 calls a day and has about 20 employees in South Florida as well as extensive global contacts. “Our network is in the hundreds,” he said. “Because keep in mind that we have people who we are connected to pretty much all over the globe, who are working with us in various cases.” Asked what these people do, he said, “I can’t really dive into it.”

In some cases, he said, MonsterCloud uses its contacts on the darknet — hidden, anonymous networks that communicate over the internet. “Our goal is to restore the data and help the customer. If we need to walk to the moon on broken glass, we will. We don’t care how, what, where, whatever. Our goal is to get the data out.”

MonsterCloud operates out of this storefront office in Hollywood, Florida. One “Ransomware Recovery Expert” at the company used an alias in conversations with victims. (Jeffery Salter, special to ProPublica)

In a video posted online touting MonsterCloud’s services, Pinhasi wears a dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a white long-sleeve T-shirt emblazoned with the logo of teen retailer Abercrombie & Fitch.

Pinhasi said he came to the U.S. in 2002. He told ProPublica that he has led MonsterCloud since 2003, but Florida corporation records show the business began 10 years later. Instead, in 2003, he co-founded a Florida company called PC USA Computer Solutions Providers.

One PC USA client, Maurice Oujevolk, vented his unhappiness on Yelp. Oujevolk hired PC USA for his Sunrise, Florida, model car business, and paid regularly for cloud backup service. In March 2016, his company’s computer system crashed. He called PC USA for help. But Pinhasi told Oujevolk that PC USA’s system had also failed, and complete backups were not available, Oujevolk said. Pinhasi demanded more money to try to recover the files. Oujevolk refused.

“I lost tremendous time and money to rebuild the information that disappeared,” Oujevolk said. He didn’t sue PC USA, he said, because the dispute was impairing his health and he wanted to put it behind him. “I am surprised he can still be doing business in Florida. We were trusting them, and they took our money and disappeared. They had told us we didn’t need to do any backups.”

Pinhasi said that Oujevolk’s was the only complaint he had received in 18 years of service. He said Oujevolk’s “fact recollection was flawed,” and the problem was that the client’s hard drive provided to PC USA for storage was “corrupted.” He said Oujevolk declined PC USA’s offer to send the hard drive to a recovery company in California. Oujevolk said there was no such offer.

Pinhasi flourished financially. Public records show he’s driven three new Mercedes in the past decade and owns two houses in South Florida, including a waterfront home in Hallandale Beach assessed at $1.4 million. Once ransomware took off, he pivoted from cloud services to data recovery.

On its website, MonsterCloud offers “guaranteed results.” It tells prospective clients, “Don’t Pay the Ransom.” Paying the ransom, it says, “doesn’t guarantee you’ll get your data back.” It’s “a risk you don’t want to take. Let our experts handle the situation for you.”

Pinhasi declined to say whether MonsterCloud pays ransoms. “We work in the shadows,” he said. “How we do it, it’s our problem. You will get your data back. Sit back, relax and enjoy the ride.”

The lack of transparency deterred Tim Anderson, an IT consultant based in Houston. When the Nozelesn strain of ransomware attacked one of his clients this past January, he reached out to MonsterCloud. The firm wanted $2,500 for an analysis and up to $25,000 for actual recovery, he said. The ransom was 2 bitcoin, worth about $7,000 at the time.

When Anderson requested an explicit technical description of how MonsterCloud would unlock the files, the firm demurred.

“I immediately smelled a rat,” Anderson said. “How do I know they’re not taking the $25,000 and paying the ransom guy $7,000 of it? The consumer doesn’t know what’s going on.”

He declined MonsterCloud’s services. Instead, his client hired another firm to pay the ransom.

Pinhasi points to MonsterCloud’s ties to law enforcement as evidence of its integrity.

“We are trusted by law enforcement and intelligence agencies,” he said. “We recently met with the FBI to share with them our deep knowledge of Ransomware, and we often share with them our cyberintelligence gathering findings. They wouldn’t waste their time with us if we were a deceptive company.”

John Pistole, a former deputy director of the FBI under Robert Mueller, is featured in a promotional video on MonsterCloud’s homepage. “Police departments, government agencies, hospitals, small business and Fortune 500 firms trust MonsterCloud to help recover from attacks and protect against new ones,” Pistole said in the video. “MonsterCloud’s proprietary technology and expertise protects their professional reputations and organizational integrity.”

Pistole, who also headed the Transportation Security Administration under President Barack Obama, is listed on MonsterCloud’s website as the only member of its “Cyber Security Advisory Council.” Now president of Anderson University in Indiana, he said in an interview that he became acquainted with Pinhasi after MonsterCloud reached him through a speaker’s bureau. Pistole said that MonsterCloud pays him indirectly through the bureau.

Pistole said his testimonial was scripted by Pinhasi. He is well aware, he said, that in most cases the only way to decrypt computers hit by ransomware is to pay the hackers. That’s MonsterCloud’s approach, he said.

“The model I’m used to is, you pay the ransom,” he said. “That’s the business model as I understood it last year when I did my initial look at it after meeting Zohar. … Based on my experience and knowledge, ransom is paid and they facilitate the best practices moving forward.”

Pistole is listed in Florida corporation records as an “authorized member” of another company run by Pinhasi, Skyline Comfort LLC. Pistole said that Skyline’s business plan is putting massage chairs in airports. For a few minutes’ massage, passengers would pay a fee, which Skyline would split with the airport authority. Pistole said that he connects Pinhasi with airport officials and will be paid if the company becomes profitable. A former TSA colleague and Pinhasi’s brother-in-law are also involved in Skyline, he said.

In other testimonials on MonsterCloud’s website, four local law enforcement agencies praise the firm for restoring their data following ransomware attacks. ProPublica spoke with all but the Kaufman, Texas, Police Department, which did not respond to messages. Officials at the three departments we spoke with were all under the impression that MonsterCloud decrypted their computer networks without paying a ransom.

Chief Deputy Ward Calhoun of the Lauderdale County Sheriff’s Office in Meridian, Mississippi, which enlisted MonsterCloud after a ransomware attack in May 2018, said in an interview that other victims seek his advice “once or twice a month.” He tells them that MonsterCloud can help them. “The danger is, even if you give money to hackers, you don’t know you’re gonna be able to unlock your data anyway,” he said. “We decided we weren’t going to do that. We went with MonsterCloud instead.”

The Trumann, Arkansas, Police Department was another satisfied customer. When its computer system was infected in November, decades’ worth of data including case notes, witness statements, affidavits and payroll records were frozen. The department’s IT manager came across MonsterCloud on a Google search while “frantically looking for a way to fix the problem,” said the chief of police, Chad Henson.

Henson, who oversees about two dozen officers serving a population of 8,000, said he was reassured about MonsterCloud’s capabilities when he discovered “how friendly they are to law enforcement and to government entities.”

“That’s when we made the phone call to them,” he recalled. “They said: ‘Don’t worry about it. We are pretty sure we can get everything back.’”

Another reason he chose MonsterCloud, he said, was that it wouldn’t pay the ransom. “I’m the one in the seat, the one charged to safeguard the department,” he said. “To turn around and spend taxpayer money on a ransom — that is absolutely the wrong decision. It is the nuclear option. But with MonsterCloud, we can just remove that option.”

MonsterCloud restored the Police Department’s files within 72 hours and assured the department it did not pay a ransom, Henson said. In return for the testimonial, it waived its $75,000 fee.

MonsterCloud’s contract with the Trumann Police, obtained under a public records request, calls its recovery method a “trade secret” and says the firm would not explain the “proprietary means and methods by which client’s files were restored.” It also says that if “all possible means of directly decrypting client’s files have been exhausted,” the firm would attempt to recover data by “communicating with the cyber attacker.”

Pinhasi said that the Trumann department was crippled by the Dharma strain of ransomware. Wosar and Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware, said there was no known way of decrypting the Dharma ransomware in use at the time. They said MonsterCloud must have paid a hacker.

MonsterCloud also received a testimonial in lieu of a fee from the Lamar County, Texas, Sheriff’s Office. A May 2018 ransom note said: “You are unlucky! The terrible virus has captured your files!” The sheriff’s office brought in MonsterCloud, which “did an excellent job,” said Lamar County network administrator Joel Witherspoon.

He said MonsterCloud contacted the hacker, who was demanding 1 bitcoin, worth about $8,000 at the time. Witherspoon then told the company that the county wouldn’t pay the ransom. MonsterCloud didn’t answer him, he said.

“I don’t think they would ever pay” the ransom, Witherspoon said. “They just said they had a team of specialist engineers working on it.”

Pinhasi declined to say how MonsterCloud retrieved the law enforcement agencies’ data but noted that it did so for free. “We provide complimentary services to law enforcement agencies,” he said. “There has never been one cent of taxpayer money used for any ransom we’ve been involved with.”

Witherspoon was especially impressed by his primary contact at MonsterCloud, Zack Green. “Zack’s title, dear God, it’s a mile long title. He seems to know a lot.”

Green’s titles on his email signature include “Ransomware Recovery Expert,” “Cyber Counterterrorism Expert,” “Cyber Crime Prevention Expert” and “Cyber Intelligence Threat Specialist.” We called MonsterCloud asking for Green but were told he was in a meeting. Cybersecurity experts said the credentials he lists are not actual industry designations.

Pinhasi said Green is an alias, but he declined to say for whom. “We go based on aliases, because we’re dealing with cyberterrorists,” he said.

After we told Witherspoon that Green was an alias, his opinion of MonsterCloud changed. “It makes me think, ‘Did we get attacked, or did they attack us?’ I am surprised,” he said.

Some tributes to MonsterCloud on its website may also be fabricated. Under a section titled “Real Testimonials,” MonsterCloud posted 58 five-star Google reviews from clients like “Brad Stevens” and “Sam Smith” — the names of the Boston Celtics coach and a Grammy Award-winning singer, respectively. The reviews were replete with exclamation points and details of MonsterCloud’s heroics. A Google search showed that about half of them were submitted six months ago, when some of those same reviewers, including Stevens and Smith, also raved about a skin-care establishment down the street from MonsterCloud’s office. The two businesses share the same marketing director: Boris Zion.

Under his own name, Zion gave MonsterCloud a five-star Google review and more plaudits on TrustPilot.

“MonsterCloud is #1 ransomware company hands down!” he wrote in October. “I knew them for a while before I became a customer [when] I found myself in situation where my business was attacked.”

Pinhasi and Zion said that the testimonials are legitimate. “We sent out an email to our clients to ask for reviews as many businesses do, so many of our reviews came in around the same time,” Pinhasi said. Zion acknowledged it was “kind of coincidental” that the same customers had praised MonsterCloud and the skin care company. He said that it’s challenging to persuade publicity-shy ransomware victims to post positive reviews. “For the most part, nobody wants to write a review online,” he said. “You don’t tell anybody that you got hacked.”

He said that he couldn’t recall when he was attacked by ransomware, or by which strain. “I’m a marketing guy, not a cybersecurity expert,” he said. He agreed to send us the ransom note but never did.

After defending the reviews, MonsterCloud on Tuesday removed them from its website.

Storfer soon realized that neither his co-workers nor his bosses, brothers Victor and Mark Congionti, had much expertise in writing computer programs to disable ransomware. Before they started Proven Data, Mark Congionti had been a substitute math teacher. Victor Congionti had a more technical background — he had worked as an IT security analyst for an insurance company — but his passion was electronic dance music. Victor was building a side business as a disc jockey and rarely came to the Proven Data office, which was then in Mark’s house in White Plains, New York, Storfer said. The company moved this past March to an office building in Elmsford.

A 2016 resume posted on an archived version of Victor Congionti’s personal webpage said his roles at Proven Data included adding “to existing customer profitability” and “developing new business and strategic partnerships.” In his profile on a roommate-search website, he describes himself as a “foodie,” “fitness junkie” and “party person” who works from home. He told ProPublica that he is no longer a partier now that he has a 4-year-old son and is going to college to study electronic music production.

“We are not coders,” Victor Congionti acknowledged. He said Proven Data uses its network “to research any emerging ransomware variants and the potential for cracking encryptions.”

Richard Moavero, Proven Data’s client services manager, said that Mark Congionti is more involved than Victor in running the company day to day, including negotiating with hackers. “Mark’s really cool about it,” Moavero said. “If it was up to me, I’d punch them through the computer. His demeanor is really good in dealing with these people. Just the way he doesn’t get flustered. … He’s able to take the emotional part out of it.”

The Congionti brothers established Proven Data around 2011 primarily to recover information from broken hard drives and cameras and other hardware. As ransomware proliferated, and calls poured in from prospective clients seeking help releasing their encrypted files, the business model shifted, according to Victor Congionti and a review of the company’s archived web pages.

During his year and a half at Proven Data, Storfer fielded hundreds of these calls. He took a “don’t ask, don’t tell,” approach to informing clients that Proven Data would pay their ransoms.

If they didn’t ask, “it was more of a lie by omission,” he said. If they asked, he told the truth. But some of those clients still requested a non-itemized receipt that didn’t break out the bitcoin ransom price separately.

Get Our Top Investigations Subscribe to the Big Story newsletter Sign up to get ProPublica’s investigations delivered to your inbox. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

“There were people who would ask us specifically not to put the bitcoin price on it,” he said. “By hiring a business like that, it does give you a kind of plausible deniability.”

His predecessors took a different approach. Storfer said he’s been told by the FBI that Proven Data’s staff used to rely on “canned responses” that gave clients two options for data recovery. The first was paying the ransom. The second option was to unlock the files using Proven Data’s technology. Unbeknownst to clients, Storfer said, the second option didn’t exist. If they chose it, Proven Data paid the ransom anyway.

Victor Congionti said that Proven Data employees “did use and still use scripts,” which he also called “canned responses.” Asked about the two options, he didn’t answer directly, but said, “If we have ever found any scripts to be misleading or perceived the wrong way, we would make the necessary changes immediately.”

Some clients became suspicious. After its networks were frozen by ransomware in June 2016, Safford, Arizona, hired Proven Data, said Cade Bryce, the city’s systems administrator.

Proven Data case manager Brad Miller told the city in an email that the company’s engineers had analyzed a sample file and found there was a “high chance for data recovery” by “using our streamlined process and latest technology.” Miller acknowledged the company’s price “can be high” and suggested that the city’s insurance “may cover the cost.”

According to Storfer and Victor Congionti, Brad Miller was an alias that the company used for overseas freelancers. “Their names can be complex,” Victor Congionti said. “We used this alias to simplify things.” He said the company has stopped using the alias “as we saw the confusion it could create. We did not view it as deceptive. It was for convenience.”

About a week later, Proven Data told the city that the “decryption process has completed successfully.” But the city later discovered that some files remained locked, Bryce said. Proven Data opened a new case and insisted on charging the city once more. Safford acquiesced — its insurance company ultimately reimbursed most of the total bill of $8,413 — but Bryce wondered why it had to pay twice if Proven Data already had the solution.

“If their algorithms did the first one, why couldn’t they do the second?” he said in an interview.

In mid-August, Proven Data gave up. “We haven’t had any luck decrypting this remaining variant and contact to the hackers has not yielded any results as well,” it said in an email.

Wosar and Gillespie said the most likely explanation was that Proven Data paid the ransom, but that bugs in the ransomware permanently damaged the files.

Sam Napier, the city’s IT administrator, shared the company’s update with Bryce. “I think you were right about them working with the hackers and adding a fee,” Napier wrote. Victor Congionti declined to comment on the Safford case.

One part of Storfer’s job was listening sympathetically to panicked IT managers who were confused and ashamed about the attacks on their organizations and fearful of losing their jobs. Another was bonding with cybercriminals, in the hope of reducing the ransom price.

Often, the victims who contacted Proven Data had already berated their attackers. Annoyed, some hackers would demand more money, and others would disappear, Storfer said.

“People would get into a pissing contest with the hacker and try to incite them,” he said. “Because they have all the power, they don’t take nicely to antagonistic behavior. You really want to unfortunately befriend them in some way or ingratiate yourself because you want to try to find some empathy.”

Moavero, the client services manager, agreed. “It’s not like one of those things where you can just get on and vent with them, because then they’ll just shut right off,” he said. “You have to treat them with kid gloves sometimes.”

Storfer often didn’t know who he was dealing with. It could have been the ransomware creator or a middleman. Some of the people or crime organizations that develop ransomware strains also handle functions such as infecting computer networks, sending ransom notes and collecting payments. Others license the ransomware to intermediaries for a fee. From clues in their emails, such as video game references, he could sometimes tell which attackers came from the same hacker group.

Storfer said Proven Data kept a list of hackers who could supply decryption keys quickly and cheaply as needed. He bargain-hunted by stirring up “market rate competition” among them. “Even though one group may have done the hacking, a different group could provide you with the key,” he said.

“There are some hackers who would charge 1 bitcoin, which at its peak when they were doing this was about $10,000, to decrypt one machine,” he said. “Another hacker might have been able to do it for $4,000.”

In such cases, the interlopers would not supply Proven Data with a master key, which would have enabled the company to clear future incursions of the same ransomware for free. Instead, they would send a decryption key for the specific attack and victim. The attackers might never know they had been bypassed for payment, because some don’t track each victim among the thousands targeted.

Storfer learned quickly never to use the term “hacking.” Instead, he would assume his correspondent “thinks they’re a businessman,” Storfer said. “I’d say: ‘Look, we can’t afford this at this time. Do you mind providing your product at a lower rate?’ And it worked,” he said. “They’re doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way.”

The rapport sometimes reaped discounts. “We were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them,” Storfer said.

Once the attackers agreed to lower the ransom for one client, it was easier to persuade them to reduce it for others, as well. He’d tell them, “‘Look, we have another client who you may be able to help. Can you provide this pricing?’ Their response is: ‘Sure thing.’”

Though successful, his tactics made Storfer uneasy. “It’s one of the weird kind of gray areas that I never felt comfortable with — that I had to interact and almost befriend these individuals,” he said. “But for the good of helping people that we were dealing with and making their lives easier, I thought it was a real benefit.”

Storfer usually didn’t reveal his company to hackers. Still, by using the same anonymous email address repeatedly, he became familiar to them. The hackers would “want to verify that we worked with them before.”

“And I want to be clear, ‘worked with them’ being the most accurate term, but I want to say that there is no love in this agreement,” Storfer said. “I’m using terms like ‘working with them’ but it’s the skin-crawliest way to describe it, because we truly hate them. And it was something that we would openly talk about — about how creepy and crawly we felt in general to have to put yourself on their side and empathize with these individuals to get them to work with you. Because you kind of have to shed your skin afterwards.”

Despite Storfer’s best efforts, sometimes the hackers behaved erratically. Proven Data would pay the requested ransom, but they would not respond. At such times, Storfer would share the attacker’s email address and details of the snub with other hackers in the same group.

Then the hacker “would come back and say, ‘Sorry, I’ve been on a coke binge for three weeks.’” Storfer said.

For the FBI, retracing individual victims’ ransom payments has rarely been a priority. But Proven Data’s startling success in decrypting ransomware drew the attention of a bureau office in Anchorage, Alaska.

In April 2016, a strain of ransomware called DMA Locker infiltrated the computer files and backups for Leif Herrington’s real estate brokerage in Anchorage. The ransom note demanded 4 bitcoin, then worth about $1,680. Herrington called the FBI. “They said, ‘There’s thousands of these going on every day, we don’t have the resources to do anything,’” Herrington said.

Herrington’s son looked into the attack, discovered there was no known way to decrypt the files and suggested his father pay the ransom. After unsuccessful attempts to pay the ransom on his own and through a local IT firm, Herrington called Proven Data. It told him it could unlock his files for $6,000.

“They represented that they had proprietary software they developed to unencrypt,” Herrington said. “They never said anything about paying the ransom.”

A January 2018 FBI affidavit, seeking a search warrant to obtain information from Proven Data and its email provider, lays out what happened next. Herrington’s IT consultant, Simon Schroeder, gave Proven Data a sample infected file for evaluation. During a follow-up appointment a couple of days later, Schroeder granted remote access to Proven Data and watched as it unlocked a set of files in 45 minutes.

The firm cleared the files so quickly that Schroeder suspected it paid the ransom. Although Herrington was back in business, he called the FBI again. An agent came to his office to ask about Proven Data, Herrington said, adding that he and Schroeder turned over all their documents.

Herrington told the agent that he didn’t know whether Proven Data “actually had keys or if they were in cahoots with the ransomware attackers and just collected the money,” he said. “I suggested to the FBI that they would want to investigate them, whether they were somehow in partnership with the ransomware people.”

The FBI confirmed his hunch. Records provided to the FBI pursuant to a federal grand jury subpoena showed 4 bitcoin flowing from a Proven Data account to the online wallet that the attackers had designated for payment. An email from the hacker’s address thanked Proven Data for the payment and included instructions on decrypting Herrington’s files.

“Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim’s files by paying the subject the ransom amount,” the affidavit said.

The bureau interviewed Proven Data’s co-owners, the Congionti brothers. Mark Congionti acknowledged that at the time of the attack, there was no known way to unlock the files aside from paying the hacker, the affidavit said. (An FBI spokeswoman said in January that the bureau could not discuss the case because it was active. The U.S. Department of Justice declined this month to identify the target of the investigation or to say if it’s still ongoing. As yet, no charges have been publicly filed.)

Victor Congionti acknowledged that the company paid Herrington’s ransom. “It was the only option to get his data back,” he said. “We regret that he felt misled. … There was obviously a misunderstanding as to how we would solve his problem. We have re-examined all of our practices and procedures to ensure that such a misunderstanding does not occur again.”

The FBI agent discussed the possible legal nuances with Herrington. “The FBI did explain if they were up front, that was legal, but that if they represented they had the technology to do it, it might not be,” Herrington said. “They were not being up front about it. They said they had technological expertise.”

Also at issue was whether Proven Data had “any working relationship with the ransomware people,” Herrington recalled the agent saying. “The FBI was concerned that even if these companies were paying the ransom, it is encouraging the ransom people. By paying, they’re effectively keeping these guys in business.”

Proven Data had several hundred email exchanges with the addresses associated with DMA Locker attacks, according to the FBI affidavit. As with the SamSam hackers, Proven Data used its own email addresses with DMA Locker. “We interacted directly with them,” Storfer said.

Victor Congionti said Proven Data later determined that using its own address with hackers was “not advisable” and abandoned the practice.

Storfer wondered if the hacker behind DMA Locker was a British soccer fan because his emails contained references to Manchester United including one username of “John United” and another honoring former team manager Alex Ferguson. The ransom price was in British pounds, an unusual currency in ransomware circles, he said.

“DMA was actually a very good, nice negotiator for the most part,” Storfer said. “He was very clear, straightforward,” and wrote “very proper English. And he had a tool that worked impeccably well, and he would even troubleshoot for you.”

Normally, attackers don’t send the key until they’re notified that the ransom has been paid, typically via a bitcoin transaction ID number. But the DMA Locker hacker was so familiar with Proven Data’s wallet IDs that sometimes he sent a decryption key as soon as he saw the bitcoin transaction post on the Blockchain, the electronic public ledger of transactions.

“One of the weird benefits was that he knew our wallets enough that every time we sent him a payment, he would send us a key before we could send a transaction ID,” Storfer said. “He would literally sit on the blockchain, and just be like, ‘Oh ya, Proven, let me give you guys some keys.’”

Victor Congionti said he wasn’t “aware of this type of familiarity. If it did occur, we had no control over it.”

When the hacker decided to retire from the ransomware business, he let Proven Data know — and proposed one last deal.

“He literally said: ‘Hey, I’m shutting down service. Do you have any other clients that need keys? I’m doing this super discount for any of them,’” Storfer said. “I actually consider that one of the benefits of being friendly with — the biggest air quotations — the hackers.”

Proven Data raised Storfer’s salary, he said. But his conscience was weighing on him, especially after the FBI began questioning Proven Data employees in the Alaska case.

He worried that he was abetting a sophisticated form of organized crime. He struggled to justify his line of work to his family and friends, some of whom teased him for answering late-night hacker emails.

“Do I miss ever having to explain what my job is to anyone else? No,” Storfer said. “Having that conversation and trying to explain, oh what do you do? Oh, I negotiate with hackers for a living. … It is a very weird business, and it is one of the reasons I couldn’t stay in the field.”

After a year and a half at Proven Data, he decided to leave the industry. But he wavered in this resolve when Coveware, the Connecticut firm that is transparent about paying ransoms, sought to recruit him. Siegel, who co-founded Coveware in 2018, said he wanted to hire Storfer because of his familiarity with ransomware.

In the end, Storfer chose a job outside the data recovery industry. “I just decided that I wanted to get out of the space because I felt uncomfortable. … The realm where Proven Data and MonsterCloud and Coveware and all these groups act in is the Wild West. They set their own rules.” Victor Congionti confirmed that Storfer left voluntarily.

Moavero, who joined Proven Data soon after Storfer left, also had no background in cybersecurity. “I responded to an online ad looking for a head of customer service,” he said. “I had no clue what Proven Data did. … Ransomware? I had to go home and look up ransomware. It’s been a whirlwind.”

Even after Storfer left Proven Data, it still paid the SamSam hackers. Chainalysis found that on November 16, 2018, 1.6 bitcoin, or about $9,000 at the time, moved from Proven Data’’s wallet to a digital currency address associated with the SamSam attackers — an intermediary step on the chain to the Iranian-controlled wallet. Twelve days later, the Iranians were indicted, and payments into their wallets were banned.

Today, hardly any money is left in those Iranian wallets.

Garen Hartunian contributed to this report.

Renee Dudley is a senior reporter at ProPublica, covering technology. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters and a reporter in New York for Bloomberg News.

Jeff Kao is a computational journalist at ProPublica. He previously worked as a machine learning engineer at Atrium LTS, where he developed natural language processing systems for legal services.

Illustrations by Adam Maida for ProPublica.