Don’t want to pay the ransom? Pay us, and we’ll pay it for you!

Being hit by ransomware must be bad enough when you don’t have a secure backup of your critical data that you can turn to. Just imagine how it feels to then be ripped off a second time by the data recovery firm you turn to for help in your moment of panic.

It seems there are firms out there who are charging ransomware victims a hefty premium for the safe return of their data – when all that’s actually happening is they are paying the ransom on the victim’s behalf.

The DMA Locker ransomware has been doing the rounds since early 2016, spreading to victims’ computers by exploiting installations of Windows Remote Desktop with weak passwords. The FBI has been actively investigating who might be behind the DMA Locker ransomware for the last two years, after it was contacted by a victim – Alaska-based real estate agency Herrington & Company.

DMA Locker typically requests a ransom of between three and 10 bitcoins if you want to decrypt the files on your hard drive that it has garbled. In the case of the attack on Herrington & Company, the ransomware requested four bitcoins, which at the time of the attack in April 2016 was equivalent to about US $1700.

Simon Schroeder, an IT consultant hired by Herrington & Company to remediate the ransomware problem, had reached out to an email address supplied by DMA Locker’s authors to confirm that they would be able to recover the encrypted files.

At about the same time, the owner of Herrington & Company contacted a New York-based firm called Proven Data Recovery to see if they could possibly help. Proven Data Recovery quoted a price of US $6,000 to restore access to the encrypted files.

As part of its investigation, the FBI has applied for a search warrant to examine email accounts at a US ISP, and it’s that document which shares some details as to what happened next between Herrington & Company and Proven Data Recovery (PDR):

“Following a consultation with a client manager from PDR, Schroeder provided PDR with a sample file for evaluation. PDR then scheduled an appointment a couple days later. During the appointment, Schroeder first moved the encrypted files to a backup computer system. Schroeder then granted remote access to PDR so it could access the infected computer system, which contained a subset of the encrypted files. Schroeder observed PDR work on Herrington & Company’s computer system using the command prompt for approximately 45 minutes, after which the files were decrypted. Schroeder later provided PDR remote access to the computer workstation at Herrington & Company that contained the remainder of the encrypted files. PDR then decrypted those files using a similar process.”

Schroeder says he was unable to determine how Proven Data Recovery had recovered the files, but believed that they had simply paid the original four Bitcoin ransom.

The FBI says that its investigation confirms that Proven Data Recovery can only have decrypted the victim’s files by paying the ransom demand and obtaining an official decryption key from the criminals.

When questioned, one of the owners of Proven Data Recovery confirmed that they had contacted DMA Locker’s author and, in fact, had had “several hundred” email exchanges related to 200 or more client cases of DMA Locker attacks. It is this information which has led to the FBI seeking information from the ISP, which might – potentially – help shed some light on who is behind the attacks.

This isn’t the first time that Proven Data Recovery has found themselves in the spotlight for charging a pretty penny to pay a ransom on their clients’ behalf.

Back in 2015, for instance, the Dinbits blog published a transcript of a conversation it had had with a Proven Data Recovery support technician who was asking them to pay US $5,000 to restore data on a ransomware-hit drive where the extortionists were only asking US $300. And, as the transcript showed, Proven Data Recovery weren’t revealing that they would simply pay the extortionists.

Such practices by data recovery firms may not be illegal, but they certainly don’t feel entirely ethical. Maybe there are reasons why a company would not want to pay a blackmailer directly, and would prefer for a proxy payment to be made on their behalf, but if the only way to recover data after a ransomware attack is to pay the extortionists, well… then that’s what victims should be told.

I don’t think it’s right to dress up the truth of what you’re going to do, and add such a handsome mark-up. That, it feels to me, is just further extorting panicking victims of ransomware attacks.

Hat-tip: @SeamusHughes
