From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the UK It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

“You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”

At a press conference last November, then-Deputy Attorney General Rod Rosenstein announced that the US Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. Many SamSam targets were “public agencies with missions that involve saving lives,” and the attackers impaired their ability to “provide health care to sick and injured people,” Rosenstein said. The hackers “knew that shutting down those computer systems could cause significant harm to innocent victims.”

In a statement that day, the FBI said the “criminal actors” were “out of the reach of US law enforcement.” But they weren’t beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.

Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the US Treasury Department, which cited sanctions targeting the Iranian regime.

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment—and here’s where it gets really dicey—does that mean we are technically funding terrorism?”

Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

Another US company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the US such as Russia and Iran.

Tracing Ransom Payments From Proven Data to Iran Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four payments from New York-based Proven Data Recovery to the SamSam ransomware attackers in Iran. One payment was sent on Nov. 15, 2017, from an online wallet controlled by Proven Data to one specified by the attackers. It was then laundered through 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the US Treasury Department, which cited sanctions against funding the Iranian regime. Proven Data said it stopped dealing with the SamSam hackers after the US government took action against them, and that until then, it did not know they were affiliated with Iran.

In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.

Siegel refers to a handful of firms globally, including Proven Data and MonsterCloud, as “ransomware payment mills.” They “demonstrate how easily intermediaries can prey on the emotions of a ransomware victim” by advertising “guaranteed decryption without having to pay the hacker,” he said in a blog post. “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.”

MonsterCloud chief executive Zohar Pinhasi said that the company’s data recovery solutions vary from case to case. He declined to discuss them, saying they are a trade secret. MonsterCloud does not mislead clients and never promises them that their data will be recovered by any particular method, he said.

“The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation,” he said. “Those victims of attacks should never make contact themselves and pay the ransom because they don’t know who they are dealing with.”

On its website, Proven Data says it “does not condone or support paying the perpetrator’s demands as they may be used to support other nefarious criminal activity, and there is never any guarantee to obtain the keys, or if obtained, they may not work.” Paying the ransom, it says, is “a last resort option.”

However, chief executive Victor Congionti told ProPublica in an email that paying attackers is standard procedure at Proven Data. “Our mission is to ensure that the client is protected, their files are restored, and the hackers are not paid more than the minimum required to serve our clients,” he said. Unless the hackers used an outdated variant for which a decryption key is publicly available, “most ransomware strains have encryptions that are too strong to break,” he said.

Congionti said that Proven Data paid the SamSam attackers “at the direction of our clients, some of which were hospitals where lives can be on the line.” It stopped dealing with the SamSam hackers after the US government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. “Under no circumstances would we have knowingly dealt with a sanctioned person or entity,” he said.

Proven Data’s policy on disclosing ransom payments to clients has “evolved over time,” Congionti said. In the past, the company told them it would use any means necessary to recover data, “which we viewed as encompassing the possibility of paying the ransom,” he said. “That was not always clear to some customers.” The company informed all SamSam victims that it paid the ransoms and currently is “completely transparent as to whether a ransom will be paid,” he said.

“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”