Biz tells ransomware victims it can decrypt their files... by secretly paying off the crooks and banking a fat margin

A Scottish managed services provider is running a lucrative sideline in ransomware decryption – however, a sting operation by a security firm appears to show that “decryption” merely means paying off the malware's masterminds. The services provider, Red Mosquito (tagline: “Your IT Department”), advertises itself as doing “all …

  1. vir

    A Necessary Evil?

    It would be one thing if these companies were charged with preventing ransomware attacks and then surreptitiously encouraging them so they could charge for data recovery, but negotiating with ransomers after the fact, handling the payoff, and running the decryption tool is what they're charging for. If the data is strongly encoded, the fastest and easiest way to decrypt it is obtaining the key. Yes, you could wait around for someone to try to find a weakness in the implementation to exploit but "negotiating with criminals v. not making it lucrative for them" is an argument far removed from the boardroom and in the meantime your company is losing money (and try finding a white hat to write a decryption tool for you for $3050). It might cost a pretty penny, but dollars to doughnuts your finance department will prefer this to purchasing bitcoin to send to a mathematically unidentifiable recipient. This way, they get a neat line item to put on the budget and the data comes back, hopefully to be protected better next time.

    As Patrick O'Brian writes: "You might think it is a far cry from...a long-established, eminently respectable firm...to a band of criminals; but the eminently respectable know the less respectable and so down to the very dregs."

    1. DougS Silver badge

      Doesn't matter

      They are lying about how they are recovering your files, and they are padding the bill. Who would pay a middleman a premium to pay a ransom they could easily pay themselves?

      If your wife was kidnapped and they wanted $100K in unmarked bills, would you consider it fine if you paid $300K for someone to "use their elite special forces skills" to get her back and then it turned out all they did was put $100K in unmarked bills in the drop off and picked her up when they divulged her location? This is basically what is happening here, except instead of "elite special forces skills" to recover your wife they are claiming to use "elite hacker/security skills" to decrypt the files.

      This is fraud, IMHO. What's worse, it encourages future ransom attacks by making it more profitable. I kind of wonder if bitcoin's recent resurgence in price isn't largely due to all the ransomware attacks that require payment in bitcoin. There ought to be a law against paying such ransoms; if everyone were forced to stop paying, the attacks would stop. Paying the ransom is a tragedy of the commons...

      1. vir

        Re: Doesn't matter

        To call it lying might be a bit of a stretch. Doing "the technical stuff, properly" does not - to me - imply that they are brute-forcing an AES-256 key or reverse engineering the malware to recover the key. They are being deliberately vague, but with that wording their target demographic isn't technically savvy corporations, and "technical stuff" is all they need to hear, want to hear, and care to hear. To a company who might not have anyone on staff who knows what bitcoin is, much less how to purchase it or run a decryption tool on their files, a $3000 premium on $900 spent might sound a little high, but as far as profit margins go, it's nowhere near out of the ordinary (when's the last time you bought a bottle of wine in a restaurant?). If they came right out and said "we talk to the guys, negotiate a bit of a discount, purchase bitcoin, send it to them, obtain the decryption tool, run it on your data, and you pay us to do that", then yes, you could have a nice argument over whether you sit by and watch your business go up in flames for the good of the commons or you bite the bullet, pay the 4 grand, write it off as an operating loss, and start backing up your files.

        1. John Brown (no body) Silver badge

          Re: Doesn't matter

          ...and to be fair (sort of!), their FAQ does say "In many cases, paying the ransom may be the only option to get your data recovered and it is best to get an experienced consultant to assist with this process."

          It makes me think that they have a collection of tools from known ransomware attacks and will test them against the supposed sample encrypted files. When that fails, they then try to buy the decryption key from the ransomware source. They can probably only "fix" stuff that is already fixable yourself if you know where to look on the interwebs. It all sounds a bit dodgy, but probably not illegal. (IANAL)

        2. AIBailey Silver badge

          Re: Doesn't matter

          "we talk to the guys, negotiate a bit of a discount, purchase bitcoin, send it to them, obtain the decryption tool, run it on your data, and you pay us to do that"

          But that's not what they're doing. It's more like "we talk to the guys, negotiate a discount, tell you that we can recover your data, ask you for money, hopefully get a decryption tool and run it".

          In this instance they've already advised the customer that they can recover the data, implying that they've evaluated the files that they've been given. This in itself is a lie, as there's no data to recover. They're chancers, nothing more, and are profiting from blackmail just as much (in fact more so, looking at the margins of their markup) as the scumbags that wrote the code in the first place.

          1. Cynic_999 Silver badge

            Re: Doesn't matter

            How do you know that they have not evaluated the files? Evaluation would consist of attempting to decrypt using several known keys or vulns of various past blackmailers. When all of those fail (as they of course will on random data), then the fallback (which they have stated explicitly) is to pay the ransom. After making what they believe is a deal with the blackmailer, they can honestly report that they are able to provide a solution. If the customer forks out the payment, they will send the bitcoin to the blackmailer in the expectation of getting the means to decrypt the files as promised.

            The real test of honesty would be if after paying the ransom the blackmailer failed to deliver. An honest company would be obliged to return the payment and swallow the loss of what they paid the blackmailer. Or perhaps their contract with their customer covers this by stating something along the lines that in the event of failure only 75% of the payment will be returned.

            I see nothing whatsoever illegal with what they are doing, and given that they openly state that dealing with the blackmailer is one of the methods they may use to decrypt the files, I don't even see it as even being misleading or dishonest - after all, the blackmail victim will already know how much the blackmailer was asking, so they will have agreed to hire "Red Mosquito" knowing full well that they are being charged much more than the blackmailer is demanding.

            It's really no different to charging someone 4 times the cost of the software to install an OS on their PC. The customer is paying someone for their knowledge of how to do the job.

            1. Trollslayer Silver badge

              Re: Doesn't matter

              Because in this case the files were random bytes.

              RTM dear boy.

            2. AIBailey Silver badge

              Re: Doesn't matter

              The person that set up this trap confirms "It is impossible to decrypt the files I provided to the data recovery company at all, because they contain nothing that could be decrypted to begin with."

              A response from RM of "I am pleased to confirm that we can recover your encrypted files." is therefore a complete and utter lie, and is used as a means to fleece the "victim" out of almost $4000. Even saying "...we should be able to recover your encrypted files." would give them a bit of wriggle room.

              There is absolutely no way that the files can be decrypted, because they're not even encrypted in the first place.

              To earn over $3000 in profit for a couple of days' work that (even if they were working with an "honest" blackmailer that provided a working decryption tool) consists of nothing more than running a provided decryptor is ethically questionable. It's nothing more than those dodgy roofing companies you see on TV, that prey on the elderly by replacing a couple of damaged tiles and charging them £10k.

              1. Cynic_999 Silver badge

                Re: Doesn't matter

                "

                A response from RM of "I am pleased to confirm that we can recover your encrypted files. is therefore a complete and utter lie

                "

                No it is not. A lie is a *deliberate* untruth. Red Mosquito believed that they had a genuine encrypted file and that the blackmailer had agreed to provide the key. They therefore believed that they really were in a position to be able to recover the file. The fact that that belief was mistaken does not make it a lie.

                In this case the only person who lied was the bogus customer who claimed that the data provided was an encrypted file when he knew full well that it wasn't.

                If I were to ask you whether you could print me a JPG photograph, you may well tell me that you will be able to do that. If I then give you a file that contains random data rather than a real image, would that make you a liar because I know that you cannot possibly do what you claimed?

                1. AIBailey Silver badge

                  Re: Doesn't matter

                  If I were to ask you whether you could print me a JPG photograph, you may well tell me that you will be able to do that. If I then give you a file that contains random data rather than a real image, would that make you a liar because I know that you cannot possibly do what you claimed?

                  Nope, sorry, they’re very different things.

                  You’re asking me to perform a task, and only after I agree do you give me the information I need. However in your example I'd probably agree, as there shouldn't be anything inherently "dodgy" about a .jpg file - there's an expectation that it should print.

                  That’s not the same scenario. However, let’s rework it to make it a little more relevant.

                  In your example you’ve sent me a file containing garbage and asked me if I can print the picture inside. The file looks like it’s random, but you’ve been told that a bloke down the pub knows how to print it. You don’t want to deal with that bloke however, as you don’t trust him. Instead you send the file to me, because I’ve told you I’m good at “techie stuff”.

                  I can’t make any sense of the data at all, so ask the same dodgy bloke in the pub (that I’ve never met before, and who’s not seen that specific file) whether he can do it. He agrees that it can be printed, and it will cost £10. I then assure you that I can print your picture, and it’ll cost £40. Obviously, I don’t tell you I’ve just asked in the pub; I inform you that I’ve checked the file and am pleased to confirm that I’ll be able to print it within a couple of days. The level of trust between us comes from my reassurance, and my “reputation” as someone that can do this.

                  Regardless of whether you yourself know that the file is invalid, I’ve assured you I can complete your request, whereas in fact I can't open the file and have taken the word of someone that is inherently untrustworthy. The truth is that I can’t print the file, and am relying on someone that I don’t know or trust, and who wants payment up front, in order to complete your request. That person may not even fulfil his part of the bargain. I know that this is a risk, yet I’ve explicitly told you that I can fulfil your request. This, by its very nature, is a deception, and therefore a lie.

        3. Prst. V.Jeltz Silver badge

          Re: Doesn't matter

          (when's the last time you bought a bottle of wine in a restaurant?)

          when it was on offer and incredibly cheap - £6

          1. Flywheel Silver badge

            Re: Doesn't matter

            Crikey! Was Hitler dead by then?

          2. Roland6 Silver badge

            Re: Doesn't matter

            Did you do them under the trade descriptions act for misrepresenting a bottle of vinegar?

      2. The Nazz Silver badge

        Re: Doesn't matter

        re Wife kidnapping. Somewhere back in time wasn't there a comedy sketch about this (Two Ronnies maybe) which went something like :

        Kidnappers: "Hey, Mr Nazz, we have your wife, it's £100k in used notes to get her back, payable by 3.00pm."

        Nazz: "It's OK, I don't have that sort of money, you keep her. But let me just say, looking at the calendar the next few days may be difficult for you."

        Five hours later :

        K : "Ok Mr Nazz we'll let you have her back for £20,000 payable within the hour."

        Nazz : "It's Ok, she left me a freezer full of ready cooked meals, you keep her."

        One hour later

        K : "Ok, Mr Nazz, you can have her for £500, at least that covers our expenses."

        Nazz : "It's OK, besides the ATM is down and I can't get the cash."

        Five minutes later

        K : "FFS Mr Nazz, we'll pay you £50,000 to take her off our hands."

        Nazz : "No ta, you keep her. Have a nice day."

        1. Anonymous Coward

          Re: Doesn't matter

          It was also the plot of the rather amusing Ruthless People (1986).

          1. Michael Wojcik Silver badge

            Re: Doesn't matter

            It was also the plot of the rather amusing Ruthless People (1986).

            And before that the O. Henry story "The Ransom of Red Chief" (1907, and very widely adapted since). I suspect the trope was not entirely novel even then.

      3. Anonymous Coward

        Re: it encourages future ransom attacks by making it more profitable

        perhaps it's the same people? Stranger things have happened :)

      4. Robert Helpmann?? Silver badge

        Re: Doesn't matter

        This is fraud, IMHO.

        Yes and conspiracy as well. They need to be stopped as much as do the crims that are pushing the ransomware.

        1. Cynic_999 Silver badge

          Re: Doesn't matter

          "

          Yes and conspiracy as well. They need to be stopped as much as do the crims that are pushing the ransomware.

          "

          It is neither. The company stated clearly that paying the blackmailer is one option that they may have to take, so there is no fraud. The customer will be well aware that they are being asked for several times the amount that the blackmailer is demanding, so know full well what the markup is. Paying off a blackmailer on behalf of the victim is definitely not illegal, nor can it be said to be a conspiracy (unless the company was in some way involved in the original blackmail, which nobody is suggesting and nor are there any grounds to believe might be the case).

          1. Robert Helpmann?? Silver badge

            Re: Doesn't matter

            It is neither. The company stated clearly that paying the blackmailer is one option that they may have to take so there is no fraud.

            That simply is not the way that works. I had to look this up because IANAL, but conspiracy to defraud is defined as "....an agreement by two or more [persons] by dishonesty to deprive a person of something which is his or to which he is or would be or might be entitled [or] an agreement by two or more by dishonesty to injure some proprietary right of his suffices to constitute the offence...." This company has made a business model of simply paying off the ransom. They present it as one possibility of many, but do they ever pursue any other route? Do they offer any sort of warranty of their actions? What would happen if these professional negotiators pay the ransom and the hackers fail to restore the data? There are certainly more ways to mislead and thus commit fraud than a simple falsehood. There are more ways to conspire than to sit down with someone and go through all the details of a plan. Where do those lines fall in this instance?

      5. Anonymous Coward

        Re: Doesn't matter

        @DougS

        re: "if everyone was forced to stop paying the attacks would stop"

        Yeah right - because you say so?

        LOL

        1. DougS Silver badge

          Re: Doesn't matter

          No, because it is obvious. If no one pays then holding files for ransom makes no money. The scammers will go back to sending 419 spam or whatever they were doing previously.

          You really think they will keep doing this if suddenly everyone stopped paying?

          1. Camilla Smythe

            Re: Doesn't matter

            Uhm... I have an old e-mail address that daily receives at least 10 attempts to deliver spam. Each one gets a 450 client host rejected, recipient unknown or similar. All the associated IP addresses end up as xxx.xxx.xxx.0/24 in IPTables via a scripted cron job. You would think that they might eventually get the idea but.... no. They just move on to different IP addresses that get added to the list. Did I mention I still have an old e-mail address that daily receives at least 10 attempts to deliver spam. No doubt tomorrow I will still have an old e-mail address that daily receives at least 10 attempts to deliver spam.

            1. Tomato Krill

              Re: Doesn't matter

              'They' are not going to get the idea based on one person binning emails. But that's not what the poster said, the suggestion was that *everyone* stopped and in that scenario yes of course they would stop, who would pay the bills?

              1. CountCadaver

                Re: Doesn't matter

                Ignores human nature entirely and the need for the data - all your company data, including backups, is locked out by ransomware; without data your company goes to the wall, losing multi-million pound contracts; you then lay off a lot of people; you then get investigated due to the furore over the job losses; you then get banned from being a company director, or worse, you're not a limited liability company and you lose everything, literally.

          2. Michael Wojcik Silver badge

            Re: Doesn't matter

            No, because it is obvious. If no one pays then holding files for ransom makes no money.

            If no one ever pays ransom this is true, but it's very difficult to ensure that 1) no one ever pays ransom, and 2) ransomware users believe this.

            People are in general not good at behaving as rational economic actors. That's why lotteries and casinos continue to be wildly profitable.

            Moreover, it's not clear that disbelieving the proposition "ransom will never be paid" and infecting systems with ransomware anyway is an irrational economic move, because the cost of using ransomware is extremely low. It exists, so it can be used without development cost. Infection is nearly or entirely automatic, and consumes vanishingly small resources for the attacker, so use cost is minimal. Very few ransomware users are ever brought to justice, so the risk is low. It's a trivial investment so the rate of return can be very, very low and the process still be profitable if used widely enough.

            In fact, banning paying ransom is an inducement to use ransomware more, because the rate of return drops.

            And, of course, some proportion of infections are almost certainly done by botnets which are no longer under anyone's direct control. There may or may not be some human eventually checking the associated Bitcoin wallets.

          3. Anonymous Coward

            Re: Doesn't matter

            @DougS

            No it's not obvious - everyone won't stop paying, that's the whole point.

            Imagine you had priceless data (economic or sentimental) that you couldn't live without, you'd do anything to get it back. For some, ransomware would just be the cost of doing business.

      6. LucreLout Silver badge

        Re: Doesn't matter

        If your wife was kidnapped and they wanted $100K in unmarked bills, would you consider it fine if you paid $300K for someone to "use their elite special forces skills" to get her back and then it turned out all they did was put $100K in unmarked bills in the drop off and picked her up when they divulged her location?

        You got the outcome you wanted for a price you were willing to pay. So, yes, pretty much. This isn't spectacularly different to wholesalers selling to retailers who sell to the customer.

        There ought to be a law against paying such ransoms, if everyone was forced to stop paying the attacks would stop.

        I agree the attacks would reduce - some corporates aren't above illegal behavior when the alternative is closure. It's a rehash of the "if people were forced to patch their machines there wouldn't be botnets" thing, and yet, even though patching is damn near automatic these days for many OSes, we still have botnets.

    2. Just Enough

      Re: A Necessary Evil?

      "It would be one thing if these companies were charged with preventing ransomware attacks and then surreptitiously encouraging them so they could charge for data recovery"

      Which is exactly what they are doing. Do you know a better way of encouraging ransomware attacks than giving money to those who organise them? They're ensuring the ransomware business model delivers and will be repeated on the next victim.

      1. Cynic_999 Silver badge

        Re: A Necessary Evil?

        "

        Do you know a better way of encouraging ransomware attacks than giving money to those who organise them?

        "

        Unfortunately that is the problem with blackmail. You can either pay up and encourage further blackmail, or you refuse and suffer whatever loss the blackmailer will cause. Which is the best option depends very much on which will cause you the most loss. At least this company is effectively saying, "We will attempt to recover your data without paying the blackmailer, but if we cannot do so then paying is the only option left."

        The bogus customer in the article was told that paying the blackmailer was a possibility, and did not tell the company that they should only recover the data if they could do so without paying the blackmailer.

        1. Michael Wojcik Silver badge

          Re: A Necessary Evil?

          Which is the best option depends very much on which will cause you the most loss

          I don't think you're going to convince any of your interlocutors here. Ideological purity is a tremendous defense against having to consider economic reality.

  2. myhandler

    You think that's a good way to do business?

    1. vir

      I do not but that may be why I'm not a CEO. If the argument is: we don't have or want to allocate the budget for an IT department, managed IT services, offsite backups, or any/everything else that goes into making our company resistant to ransomware and it only costs us $4000 if - if - we get hit and we can write most of that off at the end of the year anyway, then we're going to cross our fingers and it's business as usual. As far as corporations encouraging the proliferation of ransomware and enriching some undeserving people, replace "encouraging the proliferation of ransomware" with "polluting the environment" and "undeserving people" with "undeserving people" and...you see where I'm going with this.

      1. Anonymous Coward

        That still won't fly, because you're floating this on a resident assumption that (a) the criminals are honest enough to give you back your data for the ransom (if they were that honest they would not be criminals) and (b) that they won't have left a backdoor to sink you twice.

        Just say no and put some effort in.

    2. phuzz Silver badge

      I'm slightly surprised they didn't decide to cut out the middleman, and just infect people with ransomware directly.

      You could call yourself a 'full service' business then, their (internal) motto could be "Infect. Defraud. Decrypt."

      1. Cynic_999 Silver badge

        "

        I'm slightly surprised they didn't decide to cut out the middleman, and just infect people with ransomware directly.

        "

        Are you similarly surprised that the IT guy who is paid to remove viruses on people's computers doesn't cut out the middleman and spread viruses himself?

        Maybe there are also some motor mechanics who deliberately cause road accidents to increase their repair business.

    3. Roland6 Silver badge

      Well...

      For some reason in my El Reg topics list this recent headline caught my attention Less than half of paying ransomware targets get their files back

      It would be interesting to know whether Red Mosquito were doing better than this...

  3. Chris G Silver badge

    While technically probably not aiding, they are certainly abetting the perpetrators of ransomware, and it appears they are making more money from the crime than the so-called criminals.

  4. steviebuk Silver badge

    Bit of an odd one

    Because recently you had an article about security consultants suggesting companies do just what the article mentions: paying the ransom. Mainly by paying an IT consultant to get the key off whoever and restore data.

    So this doesn't seem all that nuts:

    "We do not recommend dealing with the 'hacker' directly (see advice on our home page). In many cases, paying the ransom may be the only option to get your data recovered and it is best to get an experienced consultant to assist with this process."

    1. DropBear Silver badge

      Re: Bit of an odd one

      Not really odd, no. What these muppets are doing wrong is not going "look, we tried and failed to decrypt, you're either paying the ransom or you're hosed. The ransom would be $900, and we would be happy to mediate on your behalf, for a fee of $3050. Would you like us to do that?". Legal minutiae aside, they definitely wouldn't be in the news if they did that. You don't get to charge a fee for the exact same thing your client could have done themselves unless you're very much up-front about that being all you do and they know that's what they pay you for. Pretending to be a security company and paying off a protection racket behind your client's back is still just participating in a protection racket...

  5. bish

    Curious to see people defending this (senior management offering their comments belatedly, maybe?). The key takeaways for me appear to be:

    1) They quoted $3950, of which $3050 was pure profit, just to send a few emails, install a decrypt tool and run it (regardless of overheads, that's a seriously steep markup)

    2) They quoted for a decrypt and gave an ETA before first establishing that the key worked and the tool was legit. (What would happen if the stuff provided by 'Team Gotcha!' didn't work?)

    3) They didn't give the victim any indication that they'd simply be paying the ransom: 'data recovery service' and 'Priority Recovery Service' seem deliberately misleading.

    The thing is, I'd have no issue at all with their methods if they were transparent about them. Hype up your threat detection on the decrypt tools, your negotiating skills and your extensive library of common encrypt/decrypt tools, upsell consultation on prevention strategies and give loyalty points to the numpties who don't heed the advice, but for heaven's sake, tell the buyer what they're ultimately paying for with an itemised quote. I dare say most small businesses would want to negotiate the 300% markup, but a lot of places wouldn't mind paying *some* sort of extra wedge to cover overheads and such, if only to avoid getting their own hands dirty.

    1. Anonymous Coward

      Point 2

      Gives me a great idea for a business venture.

    2. bish

      A downvote? Conor Lairg, is that you?

    3. holmegm Bronze badge

      I won't "defend" it, but I can say (at least tongue in cheek) that saving face and letting someone else do your payoff without you knowing might actually make some crazy kind of business sense, and be worth something ...

      1. Cynic_999 Silver badge

        "

        I won't "defend" it, but I can say (at least tongue in cheek) that saving face and letting someone else do your payoff without you knowing might actually make some crazy kind of business sense, and be worth something ...

        "

        I can assure you that "Paid (legitimate) data recovery company for IT services" will not raise nearly as many eyebrows when the company accounts are submitted as "Bought Bitcoin to pay blackmailer".

        Remember that company accounts are audited, and blackmailers usually do not issue receipts or leave an audit trail, so for a company to pay a blackmailer is problematic.

        1. The Original Steve

          Buying Bitcoin from a legit broker is fine, and you can legitimately say that transaction was ultimately for data recovery services.

          What's the difference? You still get a VAT receipt for what HMRC would register as an asset you bought.

          P.S. Are they paying you freelance for this defence, or are you a permie after a promotion?

      2. bish

        Absolutely right (and the people below you too) - as I said, being transparent about operating this way doesn't mean you'll lose all of your customers, some people are happy to pay to make the bad things go away. But not being transparent about it is also the difference between a legitimate IT service and a possible case of fraud.

    4. LeahroyNake Silver badge

      Ummm

      I don't make that good of a profit, but I wouldn't tell the customer how to fix the issue unless they paid me.

      Fancy fixing an SC501 on a copier? No, almost nobody here knows what that means. Phone me up as your first Google search (I wish).

      That's £75 for 30 seconds' work. (If they have a service contract they don't pay for call-outs or maintenance.)

      99% of the time it's a sheet of paper stuck behind the paper tray..... Just saying :/

  6. Jonathan Richards 1

    Trust

    My problem with this way of doing business (by RMDR) is about trust. They would, if the scenario had been played out to the last, have taken receipt of "decriptor" software from an unknown source, logged in with admin privileges to their client's systems, and run that dodgy software. Yeah, they might have run some AV tests on it first, but you still wouldn't know whether it would (a) work within or (b) degrade, damage or destroy, the target system. I'd want to know some details of RMDR's liability insurance before I shelled out the ransom+tip, and gave them the admin credentials.

    Also, why not just be transparent with the customer? 'Conor Lairg' could easily have told his customer that there was no white-hat decryption available and they recommended ransom, with an agent fee and insurance cost. In looking up Emsisoft, I found their about page, which says "Emsisoft is convinced that treating our customers in an honest and respectful manner is the foundation of sustainable business." Yup.

    1. AIBailey Silver badge

      Re: Trust

      They would, if the scenario had been played out to the last, have taken receipt of "decryptor" software from an unknown source, logged in with admin privileges to their client's systems, and run that dodgy software.

      Not necessarily. Surely a much more logical approach would be for the client to send over the files that need decrypting, and for RMDR to either use a re-imageable non-networked computer or, more likely, a VM to run the decryption process?

      1. bish

        Re: Trust

        Hm. The bit where they requested that the client install TeamViewer suggests they had no intention of running the decrypt on their own systems. Of course, you can use TeamViewer to send and receive files, but you'd be daft to use it for a large transfer. Then again, perhaps they wanted to remote into the machine to upload the files to some cloud instance - I suppose, if this entailed a full clone of the host disk(s), the absurd $3k premium might begin to look less scandalous - but my money is on them simply running the decrypt on the client's machine, with all the risks that entails.

        1. AIBailey Silver badge
          Pint

          Re: Trust

          Fair points you make there. I'm obviously confusing this "business" with a reputable and ethical one.

      2. Cynic_999 Silver badge

        Re: Trust

        "Surely a much more logical approach would be for the client to send over the files that need decrypting, and for RMDR to either use a re-imageable non-networked computer or, more likely, a VM to run the decryption process?"

        Not necessarily. In general it is faster and more efficient to do any file data processing on the computer that contains the files rather than copying the files to a different medium and sending them off to be processed on a different computer. If, for example, you had many GB of database files that you needed converting to a different format, would you rather send those files to a company that could do the conversion and wait for the converted files to be returned, or have the files converted in-situ on your computer (after making backups of course)?

    2. DropBear Silver badge

      Re: Trust

      "They would, if the scenario had been played out to the last, have taken receipt of "decryptor" software from an unknown source, logged in with admin privileges to their client's systems, and run that dodgy software."

      Minor quibble, but we don't actually know that. They might just as well log into the client, just image his disk, and run the tool they received inside the most locked down of VMs they can construct at home. Still, a really poor business practice overall and of course we don't know what they would have actually done with that login.

  7. Anonymous Coward
    Anonymous Coward

    Red Mosquito did not respond to multiple emailed and telephoned requests for comment

    Have they filed for bankruptcy yet? If not, this is going to happen as soon as it starts getting a little too "tight" for them.

    SO, IN THE LIGHT OF THIS DEVELOPMENT, I have a perfect business proposition: by pure chance I am able to provide services to facilitate smooth cooperation between investigating authorities and those being investigated. Yes, there's a cost involved, but what's five hundred bitcoins in exchange for being able to walk freely on the street? OK, four hundred.

  8. iron Silver badge

    Playing Devil's Advocate

    Since the files supplied could not be decrypted because they were random garbage perhaps the company tried to decrypt them, couldn't and so went for the last option - contacting the hacker. Perhaps if the test had involved real encrypted files they would not have had to resort to paying.

    1. DavCrav Silver badge

      Cross-examining Devil's Advocate

      It was the bit where they said they could decrypt it, and you just had to transfer the money first. That's the fraud. The massive markup would be acceptable if it's their own money on the line, as in they paid the hacker first and then charged you once they saw that the tool worked. This looks like just straight-up fraud (in the sense of obtaining a money transfer by deception).

      1. Cynic_999 Silver badge

        Re: Cross-examining Devil's Advocate

        "It was the bit where they said they could decrypt it, and you just had to transfer the money first. That's the fraud."

        They had an honest belief that they would be able to do what was contracted, so it is not fraud. It's no different to a mechanic who says he can fix your car but then encounters unforeseen problems so is unable to do so. Asking for some or all of the payment up-front is neither illegal nor particularly uncommon when a bespoke service is being undertaken. In such a situation it would depend on the contract whether some or all of the money must be refunded.

        1. DavCrav Silver badge

          Re: Cross-examining Devil's Advocate

          "They had an honest belief that they would be able to do what was contracted so it is not fraud."

          Bollocks. As we know, and surely as 'experts' they would also know, it's a roll of the dice as to whether the hackers can decrypt your files after you pay them, or whether their decrypt tool will do even more damage. There was no attempt to ascertain that the tool existed, for example by having the hacker decrypt a small test file as proof. So, there's no honest belief here.

        2. Anonymous Coward
          Anonymous Coward

          Re: Cross-examining Devil's Advocate

          Giving you benefit of the doubt that you're not one of those otherwise reticent senior managers at RMDR, the weakness in that argument is the words "honest belief that *they would be able* to" - in this case they *knew* that they were not able, and had quietly subcontracted an expert they *hoped* might be. If your mechanic can't actually fix your car, but knows someone who might be able to, so quotes three times the expert's fee, without telling you that the bulk of the work will be performed by a different mechanic from a different garage, with no guarantee that the different mechanic can fix the car and won't just make things worse, your mechanic is defrauding you.

          1. DavCrav Silver badge

            Re: Cross-examining Devil's Advocate

            " in this case they *knew* that they were not able, and had quietly subcontracted an expert they *hoped* might be."

            Thinking about it more, it's actually much worse than that. It's like going to a locksmith because your car key doesn't work. They cannot fix the lock, but they can get in touch with the guy you know broke your lock in the first place. For a bit of cash, and their skim, he---as a car thief---can break into your car for you.

            Now given that they wanted TeamViewer installed, what they were suggesting is to just hand over your car to him and hope he breaks into it, nice and gentle like, and then lets you back in it, rather than stealing it.

            As well as the whole legal problems of now being tied to organized crime rather than to a supposedly bona fide security company, you are also unknowingly funding the very people you were trying to avoid. (One example of a legal problem is banks' 'know your customer' regulations. Have you paid a company a few thousand pounds that has lots of very dodgy bitcoin payments to known criminals? Sorry, we no longer want your custom.)

            So yeah, Knacker of the Yard time.

  9. Alan Brown Silver badge

    The website's still up

    Anyone want to take bets on how long it stays there - and how long they stay answering the phone?

    1. Anonymous Coward
      Anonymous Coward

      Re: The website's still up

      I bet the bags are already packed, 'cause somebody's knocking. If it's not the police, the clients, then, perhaps, business competitors with certain tools of persuasion? While I despise them per se, I kind of admire quick thinking to spot business opportunities. Now, if this thinking were combined with a bit of ethics... but hey, we're talking real humans here...

  10. anthonyhegedus Silver badge

    The point is that the company is using deceptive wording on their website. They say they use various techniques etc., but they don't actually say outright that "we negotiate with the blackmailers". They should say something along the lines of "we negotiate on your behalf with the blackmailers to get the best possible outcome for your data", but then they need to make their pricing transparent. Like quoting a fixed fee of, say, £500 for up to 5 hours' work, and then £150 an hour thereafter.

    Yes, the customer could do it themselves, BUT it's not always so simple. What if it's a server environment, with several PCs and a server, and online backups affected? The decryption algorithms don't always work properly, and the customer may need their hands held. If they can do it themselves, then they should do it themselves, but there's nothing wrong with a company advertising a service where they'll do it for you. Just not like this company in the article does it!

  11. Anonymous Coward
    Anonymous Coward

    In defence...

    I am guessing that, like insurance, the mark-up is for those deals that don't go to plan. I don't know how many ransomware slingers DON'T decrypt your files after you have paid the ransom, so is this outfit taking on a risk that needs to be compensated?

    Don't get me wrong...this is pure facilitation of criminal activity...

    1. Prst. V.Jeltz Silver badge

      Re: In defence...

      I don't know how many ransomware slingers DON'T decrypt your files after you have paid the ransom

      I do - 50%. There was an article about it, on here, yesterday :p

      So that 400% mark-up is probably sufficient to cover the fails, not that they will be putting their own money on the line.

      1. Cynic_999 Silver badge

        Re: In defence...

        "So that 400% mark-up is probably sufficient to cover the fails, not that they will be putting their own money on the line."

        How do you know they are not putting their own money on the line? If the contract states that they will give a full refund in the event they fail to decrypt the files, then they certainly would be putting their own money on the line. But as the article does not give any details of the contract, we have no way of knowing.

  12. Anonymous Coward
    Anonymous Coward

    Red Mosquito - our experience

    Had a business get their server encrypted.

    Tried all known decrypt tools (after files submitted for analysis on various a/v sites). None worked.

    Then one a/v identified as Dharma/cezar and no decrypt possible without original key.

    Found Red Mos & contacted them for decrypt.

    Their price was cheaper than criminals wanted, so went with them on no decrypt no fee basis.

    They got the decrypt done via TeamLink

    Suspected they were a middleman as mooted on various forums.

    We thought more chance of a decrypt by going through them, rather than criminals direct and hassles of doing Bitcoin for the first time, with no guarantee criminals wouldn't just take money and run.

    If they were more open about what they were doing it would be better, as they would then be a known, reliable intermediary.

    As ever, ensure you & your customer systems patched up to date etc. etc. ...

    1. Test Man

      Re: Red Mosquito - our experience

      > Their price was cheaper than criminals wanted, so went with them on no decrypt no fee basis.

      Except in the article RM routinely negotiates a better price that is far lower than the initial price. So in your case they then give you a price ever so slightly "cheaper" than the initial price, decrypt and pocket difference.

      YOU could have negotiated a much cheaper price and got the decrypt key yourself!

      At best this is as dodgy as those companies that state they can get you your PIP money back.... for a price, when you can do it yourself for free.

      1. Cynic_999 Silver badge

        Re: Red Mosquito - our experience

        "YOU could have negotiated a much cheaper price and got the decrypt key yourself!"

        Yes. In the same way a business owner can easily set up his own servers and computer security. After all, installing a few bits of software is surely even easier than negotiating deals with blackmailers, so he would be daft to pay £1000's for an IT professional to do the same thing, wouldn't he?

  13. Crisp Silver badge

    Surely they are aiding and abetting the crime then?

    Sounds like an open and shut case under the Proceeds of Crime Act.

    1. Anne-Lise Pasch

      Re: Surely they are aiding and abetting the crime then?

      You could consider a defence for them as contractually approved 'Hostage Negotiators'.

  14. Anonymous Coward
    Anonymous Coward

    And that's almost how Apple operates.

    Your iCrap breaks, all your stuff is in its memory, and...

    1. They could de-solder the flash memory chip from your iCrap and weld it to another functioning iCrap, and charge you for the pleasure;

    2. You know they won't bother at all, tell you the iCrap is stuffed, and offer you a discount on a fresh iCrap. Your data is still gone.

    BUT the right answer would be number 3: just take a look at the couple of burned-out capacitors and broken USB connector pins, replace them, and get you back a working phone with all your stuff for lunch money.

    Anon because it is based on real cases.

  15. Prst. V.Jeltz Silver badge

    If they take the risk (pay up front) of not getting the decryption key from the ransom wearers, I'd be impressed,

    but I suspect it'll be a case of:

    "Right, we've tried our "technical stuff" and, surprise surprise, got nowhere. We need you to give us £100k to negotiate with."

    "How'd it go?"

    "We sent the bitcoin, they didn't reply. Soooo anyway, nice working with you, sorry we didn't get a result this time, but do call us if it happens again. Bye."

    1. Cynic_999 Silver badge

      "We sent the bitcoin, they didn't reply. Soooo anyway, nice working with you, sorry we didn't get a result this time, but do call us if it happens again. Bye."

      There is absolutely no evidence for such an allegation. Perhaps it's how you would do things, but that does not mean that this company would behave the same way.

      1. Anonymous Coward
        Anonymous Coward

        From their FAQ linked to in the Reg article itself:

        "Our 'No Recovery No Fee' policy means that if we cannot recover some of your files then we will immediately refund the fee on a pro-rata basis:

        EXAMPLE: if we can only recover 90% of your files, we will refund 10% of money paid.

        If we cannot recover any of your files then we will immediately refund 100% of money paid.

        This policy assumes that we are given access full access to your encrypted files in order to complete the recovery."

        1. Prst. V.Jeltz Silver badge

          OK, I stand corrected, colour me impressed.

          Although in another post someone noted their fee was 4x the ransom, so I guess they're covered.

          1. Anonymous Coward
            Anonymous Coward

            And according to the wayback machine, that text has been in the FAQ since at least 2017.

            It does change the story somewhat!

  16. goldcd

    Same thing's happened in the Art world for years.

    Somebody nicks something worth say £10M - that's what the premiums were paid for, and that's what the insurer has to pay out on.

    Thieves can't actually shift the art for £10M though - traditionally you'd get a very small percentage to give it to a hooky investor who'd look at it in his vault, or just used as portable collateral for criminal deals.

    Point is - painting is only worth £10M to the insurer who paid out the £10M.

    So art recovery specialists exist.

    They'll 'manage to recover the art through opaque means' for say 20% of the value. Now maybe they're more resourceful and have greater powers than our police services... or maybe it's just that they can discreetly say they'll hand over a million in cold-hard-cash for the recovery, no questions asked.

    Everybody's happy - except I guess people paying premiums on their art..

    Owner gets their art back, insurer saves 80%, recovery specialists have a million profit, criminals have cash and nobody still coming after them.

    Important piece is the art-recovery specialist, as the third-party that bridges between the legal and criminal side. Gives a nice legal line item in the insurer's accounts.

  17. Anonymous Coward
    Anonymous Coward

    Does this mean

    That work done by hostage negotiators for money is illegal?

  18. RubyJedi

    Risk/Reward

    This is a high-risk $900 gamble. There's little more than the trust of a criminal's word that you'd actually get a usable decryptor tool. It's not like there's a Reviews site of satisfied customers saying the criminals' decryptor is legit.

    $3000 profit on a transaction that could easily turn into a burn is not steep at all, in my opinion. Thumbs up to this company for offering such a service to desperate companies with nowhere else to go to acquire and handle the Bitcoin Transaction.

    1. maffski

      Re: Risk/Reward

      'It's not like there's a Reviews site of satisfied customers saying the criminals' decryptor is legit.'

      The first of these malware groups to get 5* reviews on Trust Pilot is going to coin it in.

      1. Prst. V.Jeltz Silver badge

        Re: Risk/Reward

        I can see that happening - the trust pilot thing.

        The first thing I'd do if faced with a dozen encrypted servers is see if I can identify the malware and then see if there's any evidence of those particular pirates coming good on the decryption key.

        I'd rather do that and pay it myself than pay some dodgy middleman 4 times the price.

        Maybe it's OK on a $900 bill, but what if it's $50,000? Pay this firm 200k?
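The triage steps raised across this thread (identify the family from the renamed files before talking to anyone, as in comment 12's Dharma/cezar case and the comment above; and DavCrav's point that anyone negotiating should demand a small test file be decrypted and actually check it) can be scripted. What follows is an added example written for this page; it is not code from any poster, from The Register, or from Red Mosquito. It assumes the Dharma/CrySiS-style renaming scheme `<name>.id-<8 hex>.[<contact address>].<ext>`; the file names, byte samples, contact address and entropy thresholds are constructed for the example.

```python
"""Added example: first-pass triage for a ransomware incident.

1. Pull the victim ID, contact address and appended extension out of
   Dharma/CrySiS-style file names (assumed naming scheme, see lead-in).
2. Confirm the samples really are ciphertext (byte entropy near 8 bits).
3. Check a 'proof of decryption' sample brought back by a negotiator:
   compare against a known-good hash if one exists, otherwise require
   the right magic bytes and a plaintext-like entropy drop.
All inputs below are constructed for the example; no real victim data.
"""
import hashlib
import math
import re
from collections import Counter

# Assumed naming scheme: <original>.id-<8 hex>.[<contact>].<ext>
DHARMA_NAME = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Magic bytes for a few common document types (extend for your estate).
MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

ENCRYPTED_ENTROPY = 7.5  # bits/byte; well-encrypted or random data sits near 8
PLAINTEXT_ENTROPY = 7.0  # ordinary documents sit well below this (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ransom_name(name: str):
    """Return the name's components, or None if it does not fit the scheme."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(names):
    """Summarise a directory listing: how many files fit, IDs, contacts, extensions."""
    parsed = [p for p in (parse_ransom_name(n) for n in names) if p]
    return {
        "matched": len(parsed),
        "unmatched": [n for n in names if parse_ransom_name(n) is None],
        "victim_ids": sorted({p["vid"].upper() for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "extensions": sorted({p["ext"] for p in parsed}),
    }


def looks_encrypted(data: bytes) -> bool:
    """True when the bytes are statistically indistinguishable from ciphertext."""
    return shannon_entropy(data) >= ENCRYPTED_ENTROPY


def verify_proof_of_decryption(decrypted: bytes, expected_ext: str, known_sha256=None) -> dict:
    """Decide whether a returned test file is believable plaintext.

    A pre-incident hash (from backups or a file-integrity tool) is the strong
    check; without one, fall back to magic bytes plus an entropy drop.
    """
    result = {"entropy": round(shannon_entropy(decrypted), 2), "hash_ok": None, "magic_ok": None}
    if known_sha256 is not None:
        result["hash_ok"] = hashlib.sha256(decrypted).hexdigest() == known_sha256
        result["verdict"] = "accept" if result["hash_ok"] else "reject"
        return result
    sigs = MAGIC.get(expected_ext.lower(), ())
    result["magic_ok"] = any(decrypted.startswith(s) for s in sigs) if sigs else None
    plausible = result["magic_ok"] is not False and result["entropy"] < PLAINTEXT_ENTROPY
    result["verdict"] = "accept" if plausible else "reject"
    return result


def _constructed_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample inputs.
SAMPLE_NAMES = [
    "Q2-forecast.xlsx.id-1A2B3C4D.[helpdesk@example.invalid].cezar",
    "contract.pdf.id-1A2B3C4D.[helpdesk@example.invalid].cezar",
    "FILES ENCRYPTED.txt",  # the ransom note itself is not renamed
]
SAMPLE_CIPHERTEXT = _constructed_ciphertext(4096)
SAMPLE_PLAINTEXT = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 80
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_PLAINTEXT).hexdigest()

if __name__ == "__main__":
    print(triage_listing(SAMPLE_NAMES))
    print("sample looks encrypted:", looks_encrypted(SAMPLE_CIPHERTEXT))
    print(verify_proof_of_decryption(SAMPLE_PLAINTEXT, "pdf", KNOWN_GOOD_SHA256))
    print(verify_proof_of_decryption(SAMPLE_CIPHERTEXT, "pdf"))
```

A test file that passes this check proves only that the other side holds a working key for that one file; it says nothing about what the decryptor binary does to the host it runs on, which is why the earlier posters' advice to run it on copies inside an isolated VM still stands.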

  19. Trollslayer Silver badge
    Pint

    Looks like RMDR have gone!

    The link for RMDR in the article does not connect.

    Nice one El Reg!

    1. Anonymous Coward
      Anonymous Coward

      Re: Looks like RMDR have gone!

      It works for me:

      https://www.rm-ransomwarerecovery.com/

      https://www.rm-ransomwarerecovery.com/faq

  20. knottedhandkerchief
    Holmes

    Reminds me of fake data recovery services

    Rather similar, except that you've encrypted/corrupted the data yourself ;-)

    https://www.youtube.com/watch?v=31rsjemi2Sg

    They then charge you the earth for making things worse.

    Maybe related people, moved on?

  21. Alan Ferris

    Just a thought...

    Does this constitute commercial use of TeamViewer? I hope that Teamviewer get paid the appropriate licence fee. Who pays that one - Red Mosquito, the client, or the criminals?

  22. This post has been deleted by its author

  23. Potemkine! Silver badge

    Is making money from a crime by being an accomplice legal?

    If so then RM business is legal.

    Mosquitoes drink blood from their victims and are disease transmitters. It seems this company chose well the image that would symbolize its activities.
