Biz tells ransomware victims it can decrypt their files... by secretly paying off the crooks and banking a fat margin

You think that's a good way to do business?

While technically probably not aiding, they are certainly abetting the perpetrators of ransomeware and it appears they are making more money from the crime than the so called criminals.

Bit of an odd one

Because recently you had an article about security consultants suggesting companies do just what the article mentions, paying the ransom. Mainly by Paying an IT consultant to get the key off whoever and restore data.

So this doesn't seem all that nuts:

"We do not recommend dealing with the 'hacker' directly (see advice on our home page). In many cases, paying the ransom may be the only option to get your data recovered and it is best to get an experienced consultant to assist with this process."

Curious to see people defending this (senior management offering their comments belatedly, maybe?). The key takeaways for me appear to be:

1) They quoted $3950, of which $3050 was pure profit, just to send a few emails, install a decrypt tool and run it (regardless of overheads, that's a seriously steep markup)

2) They quoted for a decrypt and gave an ETA before first establishing that the key worked and the tool was legit. (what would happen if it the stuff provided by 'Team Gotcha!' didn't work?)

3) They didn't give the victim any indication that they'd simply be paying the ransom: 'data recovery service' and 'Priority Recovery Service' seem deliberately misleading.

The thing is, I'd have no issue at all with their methods if they were transparent about them. Hype up your threat detection on the decrypt tools, your negotiating skills and your extensive library of common encrypt/decrypt tools, upsell consultation on prevention strategies and give loyalty points to the numpties who don't heed the advice, but for heaven's sake, tell the buyer what they're ultimately paying for with an itemised quote. I dare say most small businesses would want to negotiate the 300% markup, but a lot of places wouldn't mind paying *some* sort of extra wedge to cover overheads and such, if only to avoid getting their own hands dirty.

Trust

My problem with this way of doing business (by RMDR) is about trust. They would, if the scenario had been played out to the last, have taken receipt of "decriptor" software from an unknown source, logged in with admin privileges to their client's systems, and run that dodgy software. Yeah, they might have run some AV tests on it first, but you still wouldn't know whether it would (a) work within or (b) degrade, damage or destroy, the target system. I'd want to know some details of RMDR's liability insurance before I shelled out the ransom+tip, and gave them the admin credentials.

Also, why not just be transparent with the customer? 'Conor Lairg' could easily have told his customer that there was no white-hat decryption available and they recommended ransom, with an agent fee and insurance cost. In looking up Emsisoft, I found their about page, which says "Emsisoft is convinced that treating our customers in an honest and respectful manner is the foundation of sustainable business." Yup.

Red Mosquito did not respond to multiple emailed and telephoned requests for comment

have they filed for bankruptcy yet? If not, this is going to happen as soon as it starts getting a little too "tight" for them.

SO, IN THE LIGHT OF THIS DEVELOPMENT, I have a perfect business proposition: by pure chance I am able to provide services to facilitate smooth cooperation between investigating authorities and those being investigated. Yes, t;here's a cost involved, but what's five hundred bitcoins in exchange for being able to walk freely on the street? OK, four hundred.

Playing Devil's Advocate

Since the files supplied could not be decrypted because they were random garbage perhaps the company tried to decrypt them, couldn't and so went for the last option - contacting the hacker. Perhaps if the test had involved real encrypted files they would not have had to resort to paying.

The website's still up

Anyone want to take bets on how long it stays there - and how long they stay answering the phone?

The point is that the company is using deceptive wording on their website. They say they use various techniques etc but they don't actually say outright that "we negotiate with the blackmailers". They should say something along the lines of "we negotiate on your behalf with the blackmailers to get the best possible outcome for your data", But then they need to make their pricing transparent. Like quoting a fixed fee of, say, £500 for up to 5 hours work, and then £150 an hour thereafter.

Yes, the customer could do it themselves, BUT it's not always so simple. What if it's a server environment, with several PCs and a server, and online backups affected? The decryption algorithms don't always work properly, and the customer may need their hands held. If they can do it themselves, then they should do it themselves, but there's nothing wrong with a company advertising a service where they'll do it for you. Just not like this company in the article does it!

In defence...

I am guessing that. like insurance, the mark up is for those deals that don't go to plan. I don't know how many ransomware slingers DON'T decrypt your files after you have paid the ransom, so are this outfit taking on a risk that needs to be compensated?

Don't get me wrong...this is pure facilitation of criminal activity...

Red Mosquito - our experience

Had a business get their server encrypted.

Tried all known decrypt tools (after files submitted for analysis on various a/v sites). None worked.

Then one a/v identified as Dharma/cezar and no decrypt possible without original key.

Found Red Mos & contacted them for decrypt.

Their price was cheaper than criminals wanted, so went with them on no decrypt no fee basis.

They got the decrypt done via TeamLink

Suspected they were a middleman as mooted on various forums.

We thought more chance of a decrypt by going through them, rather than criminals direct and hassles of doing Bitcoin for the first time, with no guarantee criminals wouldn't just take money and run.

If they were more open about what they were doing would be better as then a known reliable intermediate.

As ever, ensure you & your customer systems patched up to date etc. etc. ...

Surely they are aiding and abetting the crime then?

Sounds like an open and shut case under the Proceeds of Crime act.

And that's almost how Apple operates.

Your iCrap breaks, all your stuff is in its memory, and...

1. They could de-solder the flash memory chip from your iCrap and weld it to another functioning iCrap, and charge you for the pleasure;

2. You know they won't bother at all, tell you the iCrap is stuffed, and offer you a discount on a fresh iCrap. Your data is still gone.

BUT the right answer would be number 3: Just take a look at the couple burned-out capacitors, broken USB connector pins, replace them, and get you back a working phone with all your stuff for lunch money.

Anon because it is based on real cases.

If they take the risk (pay up front) of not getting decryption key from the ransom wearers - id be impressed,

but I suspect it'll be a case of:

"Right we've tried our "technical stuff" and , surprise surprise , got nowhere . We need you to give us £100k to negotiate with.

"how'd it go"

"We sent the bitcoin , they didnt reply. Soooo anyway , nice working with you , sorry we didnt get a result this time , but do call us if it happens again . bye"

Same thing's happened in the Art world for years.

Somebody nicks something worth say £10M - that's what the premiums were paid for, and that's what the insurer has to pay out on.

Thieves can't actually shift the art for £10M though - traditionally you'd get a very small percentage to give it to a hooky investor who'd look at it in his vault, or just used as portable collateral for criminal deals.

Point is - painting is only worth £10M to the insurer who paid out the £10M.

So art recovery specialists exist.

They'll 'manage to recover the art through opaque means' for say 20% of the value. Now maybe they're more resourceful and have greater powers than our police services... or maybe it's just that they can discreetly say they'll hand over a million in cold-hard-cash for the recovery, no questions asked.

Everybody's happy - except I guess people paying premiums on their art..

Owner gets their art back, insurer saves 80%, recovery specialists have a million profit, criminals have cash and nobody still coming after them.

Important piece is the art-recovery specialist, as the third-party that bridges between the legal and criminal side. Gives a nice legal line item in the insurer's accounts.

Does this mean

That work done by hostage negotiators for money is illegal?

Risk/Reward

This is a high-risk $900 gamble. There's little more than the trust of a criminal's word that you'd actually get a usable decryptor tool. It's not like there's a Reviews site of satisfied customers saying the criminals' decryptor is legit.

$3000 profit on a transaction that could easily turn into a burn is not steep at all, in my opinion. Thumbs up to this company for offering such a service to desperate companies with nowhere else to go to acquire and handle the Bitcoin Transaction.

Just a thought...

Does this constitute commercial use of TeamViewer? I hope that Teamviewer get paid the appropriate licence fee. Who pays that one - Red Mosquito, the client, or the criminals?

Is making money from a crime by being an accomplice legal?

If so then RM business is legal.

Mosquitoes drink blood from their victims and are disease transmitters. It seems this company chose well the image that would symbolize its activities.