Resources

Ransomware Read Me First: Don't Get Scammed... Twice

Written by Editorial Team | Jan 11, 2021 1:45:00 PM

You were hit with ransomware. You panic. You search “ransomware response” or “ransomware repair” and among the top results is a link that reads “Recover Encrypted Files - Guaranteed.” Sounds like you found the solution! None of us wants to pay the ransomware operators. If there is a legitimate solution that avoids sending tens of thousands (if not millions) of dollars via cryptocurrency to threat actors overseas, it’s worth paying for.

Caveat Emptor... you know that old saying: if it looks too good to be true…

GroupSense assists in ransomware response and negotiation. As a result, we have seen some dirty tricks. Ransomware gangs have upped their game, employed new clever tactics, and been successful in exfiltrating not just organizational data, but millions of US dollars. Since many ransomware operators use templatized and playbook tactics, we are seldom caught off guard. We occasionally see the n00b operator who flails around messily or the lone operator who has a sense of entitlement: “...I worked hard on this!...”, but for the most part, this is a business for professional ransomware actors, and we treat each engagement as such.

A couple of weeks ago we ran into a new level of exploitation; one that we believe may become more prevalent - and it starts with the duckduckgo search above. (Use duckduckgo, folks.) Look, we don’t want to pay the operators any more than you or the victims do. The idea of paying a legitimate cybersecurity company with the technology and means to decrypt the ransomware-affected files is appealing. The victim does not have to go on some sketchy dark web site, and they don’t have to put their financial accounts at risk by transferring large sums of money to a digital wallet that will be used to pay known criminals. (The SEC doesn’t like this.) Ideally, you can keep this transaction right here...in the good ol’ USA! Sounds great.  

But how does a company guarantee that they can decrypt your files if they haven't seen them yet? We visited one of these companies’ sites and there was a video testimonial from a public figure stating “...and once we have cleaned up your files, we will make sure it NEVER happens again.” If you have operated in the cybersecurity industry for any meaningful amount of time, you know that superlatives aren’t a great idea. 

In the case that arose a couple of weeks ago, the victim contacted one of these companies claiming to be able to decrypt the ransomware files. The company asked for a $2,500 retainer, two sample encrypted files, and the ransomware note. A couple of days later, they returned the two files, successfully decrypted. When the victim asked how much they would charge to decrypt the remaining files, the company fell silent for days.

Before We Continue, here are a few details that are important to know.

When you are hit with ransomware, the operators will often leave a text file on your systems.  That text file explains the situation: “We have locked your files; you must contact us to get them back.” The note will often contain a dark web site address that is specific to your infection, urging you to visit that site. Depending on the operator, these sites can vary. In many cases, the site has a few fundamental functions. First, it has a clock. The clock starts when you visit the site and counts down to zero. Then, there is a threat associated with that clock, “You have XX hours/days to make payment. If you do not make a payment by the time the clock reaches zero, we will double the price.” Sometimes they make threats about dumping critical information to embarrass your company all at once or on a cadence: “We will release 1% of your critical data publicly until you pay…” and so on. The second function is a tutorial and FAQ on how to make the digital currency transaction. Third, there is a chat function so that you may ask the threat actors questions, negotiate, and generally communicate with your attackers. Finally, and here is the kicker, there is a “proof of life” section where you can upload up to….wait for it…..two files to be decrypted for free to prove that the ransomware gang has the necessary decryption keys to decrypt your files. Maybe you see where we are going here…  

Back to the victim. We engaged with the victim, went through our process to onboard, and agreed to engage with the threat actors. But, alas, when our analyst team visited the ransomware dark-net website, the timer had been going for days...two files had been uploaded, and someone had engaged in a negotiation with the threat actors on the site’s chat feature without the victim’s knowledge or consent. We retrieved the transcript of that chat and, after reviewing it, found the negotiation to have taken a negative turn culminating in a hard position from the threat actor, demanding a large sum to decrypt the victim’s files. Meanwhile, the company that claimed to be able to decrypt the files contacted the victim with a new proposal. They claimed they could decrypt the customer's files for a price $80,000 higher than what was negotiated on the ransomware operator’s dark-net site. The victim, a small business, could not afford either price and because the negotiation was executed so poorly, they were left in a bind. 

We worked with the client on their post-breach efforts, monitoring for data exfiltration and release, and identity protection for its staff and executives. All best practices in the case of a ransomware incident.

Ironically, our team had seen warnings of this kind of scam in previous engagements, from the threat actors themselves. In one case, a ransomware group posted warnings about companies pretending to decrypt the files while simply having the ransomware group do so, then marking up the price. It's almost worth laughing about… almost.

How to Respond in the event you need to deal with a ransomware attack.

If you are hit with ransomware, reach out to a reputable incident response firm or breach specialist from your external counsel. Both will have worked with a trustworthy ransomware response company, like GroupSense, and will be able to make introductions. Also consider downloading this ransomware negotiation guide. Save your duckduckgo searches for pictures of cats or something.