BNMC Blog


“Paying the Ransom” Isn’t a Ransomware Defense


Ransomware has become a favorite tool for cybercriminals - after all, for them it is pretty much a no-lose proposition. Either they get paid, or they move on to the next target. Unfortunately, the attackers who deploy ransomware often do get paid, and those payments can sometimes come from a surprising source: cybersecurity firms.

What Happened with SamSam

You may recall the SamSam campaign, which ran from 2015 to 2018 and caused more than $30,000,000 in losses across more than 200 victims. That total was inflated by SamSam’s success against sizable public-sector targets, including the cities of Atlanta and Newark, the Port of San Diego, the Colorado Department of Transportation, and medical records systems across the country.

The ransom demand sent to Newark gave the city one week to pay in Bitcoin, after which, the attackers warned, the encrypted files would be left permanently unrecoverable.

In November 2018, then-Deputy Attorney General Rod Rosenstein announced that the United States Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the SamSam strain and carrying out these attacks with it. As Rosenstein pointed out, many of SamSam’s targets were public agencies whose primary mission is to save lives - meaning the attackers knew their actions could do considerable harm to innocent people. Unfortunately, those responsible have never been apprehended.

How Some Cybersecurity Firms Just Pay the Ransoms

According to a former employee, Jonathan Storfer, the firm Proven Data Recovery (headquartered in Elmsford, New York) regularly made ransomware payments to SamSam hackers for over a year. ProPublica managed to trace four payments made in 2017 and 2018 from an online wallet controlled by Proven Data, through up to 12 Bitcoin addresses, before finally ending up in a wallet controlled by the Iranians.

This wasn’t a huge revelation to Storfer, who worked for the firm from March 2017 until September 2018.

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime… So, the question is, every time that we get hit by SamSam, and every time we facilitate a payment – and here’s where it gets really dicey – does that mean we are technically funding terrorism?”

Proven Data describes its service as helping ransomware victims unlock their files using the latest technology. According to Storfer and the FBI, however, Proven Data instead pays the ransom to obtain the decryption tools its clients need. Storfer states that the firm built a business-like relationship with the attackers, negotiating extensions on payment deadlines - and that the attackers would in turn direct their victims to Proven Data.

Another firm, Florida-based MonsterCloud, follows a few similar ‘strategies,’ according to ProPublica. Beyond paying the ransoms (sometimes without informing the victims), these companies then bill the victim for the ransom plus a markup of their own.

It is also worth considering where the money used to pay these ransoms actually comes from. In the case of SamSam, many of the victims were publicly funded, which means that - if the ransoms were paid - taxpayer money likely wound up in the hands of cybercriminals in countries hostile to the United States.

Differing Accounts from Proven Data Recovery

Proven Data provides the following disclaimer on their website:

“[PROVEN DATA] DOES NOT CONDONE OR SUPPORT PAYING THE PERPETRATOR’S DEMANDS AS THEY MAY BE USED TO SUPPORT OTHER NEFARIOUS CRIMINAL ACTIVITY, AND THERE IS NEVER ANY GUARANTEE TO OBTAIN THE KEYS, OR IF OBTAINED, THEY MAY NOT WORK. UNFORTUNATELY, SOME CASES MAY REQUIRE THE PAYMENT OF THE DEMAND IN HOPES OF OBTAINING THE MEANS TO DECRYPT YOUR DATA. AS A LAST RESORT OPTION, [PROVEN DATA] RESERVES THE RIGHT TO PAY THE DEMAND FOR THE PURPOSE OF RESTORING BUSINESS FUNCTIONALITY AS SOON AS POSSIBLE. THE CLIENT ACKNOWLEDGES THAT THIS WILL BE AN OPTION EXPLORED BY [PROVEN DATA] IF ALL OTHER CONVENTIONAL METHODS ARE NOT POSSIBLE.”

However, the company’s chief executive, Victor Congionti, told ProPublica that its actual standard operating procedure is significantly different. Unless a decryptor is already available (which generally means the attackers used an older variant that has since been broken), Proven Data tends to default to paying the ransom - and is apparently open with its clients about doing so.

According to Congionti, the SamSam attackers were paid at the direction of Proven Data’s clients, and once the attackers’ identities became known, Proven Data stopped dealing with them, as it had not known it was doing business with Iranian nationals.

Should You Pay the Ransom?

According to Congionti, it would certainly seem so. As he said: “It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks. It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”

The Federal Bureau of Investigation seems to take a “do as I say here, not as I say there” approach. Some spokespeople (it seems to depend on who they are talking to) denounce paying a data ransom. As one FBI spokesperson put it, paying a ransom “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes.” However, 2015 news reports quoted the assistant special agent in charge of the FBI’s cyber program as stating that the bureau’s practice is to “often advise people to just pay the ransom.”

At BNMC, it is our position that you should never, ever pay a cybercriminal’s ransom demand. First, there is no reason to trust the attackers to return your data once they have been paid - as Proven Data’s own disclaimer admits, the keys may never arrive, and if they do arrive they may not work. Second, every payment funds further cybercrime.

Instead, we prefer to take a proactive approach: a complete backup of your data kept isolated from your production network, so that ransomware which encrypts your live systems cannot reach the backup copy as well. When an attack hits, the encrypted data is simply restored from that backup. You are not paying criminals for the mere chance of getting your data back, and your operations can continue.
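A backup is only a ransomware defense if the restore actually hands back intact files. The following is an added example, not part of the original post and not BNMC’s own tooling: it records a SHA-256 manifest when the isolated backup is taken and compares a restored tree against it, reporting files that are missing, changed, or newly present (such as renamed encrypted copies or a dropped ransom note). The directory layout, sample files and ransom-style suffixes are all constructed for the demonstration.

```python
"""Verify a restored backup against the manifest taken at backup time.

Added example (not BNMC's tooling). A manifest of SHA-256 digests is written
when the isolated backup is made; after a restore the tree is re-hashed and
any missing, modified or unexpected file is reported before the data is
trusted. All paths, files and suffixes below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Illustrative suffixes only; real campaigns use many others.
RANSOM_SUFFIXES = (".encrypted", ".locked", ".crypt")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the backup-time manifest.

    Returns lists under 'ok', 'modified', 'missing' and 'unexpected'.
    'unexpected' surfaces files that were never backed up, which is where
    renamed encrypted copies and ransom notes show up.
    """
    current = build_manifest(restored)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    return report


def is_clean(report: dict) -> bool:
    """A restore is usable only if nothing is missing, changed or extra."""
    return not (report["missing"] or report["modified"] or report["unexpected"])


def suspicious_extras(report: dict) -> list:
    """Unexpected files whose names carry a ransomware-style suffix."""
    return [rel for rel in report["unexpected"] if rel.endswith(RANSOM_SUFFIXES)]


def demo() -> tuple:
    """Constructed scenario: one intact restore, one from a reachable backup."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "readme.txt").write_text("constructed sample document\n")
        manifest = build_manifest(src)  # taken when the isolated backup is made

        # Good case: backup was isolated, so the restore matches the manifest.
        good = base / "restore_good"
        shutil.copytree(src, good)
        clean = verify_restore(good, manifest)

        # Bad case: the backup volume was mounted on the infected host, so the
        # ransomware encrypted the copy there too and left its note behind.
        bad = base / "restore_bad"
        shutil.copytree(src, bad)
        victim = bad / "finance" / "ledger.xlsx"
        victim.rename(victim.with_suffix(".xlsx.encrypted"))
        (bad / "finance" / "ledger.xlsx.encrypted").write_bytes(os.urandom(64))
        (bad / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note\n")
        tampered = verify_restore(bad, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("intact restore usable:", is_clean(clean_report))
    print("tampered restore usable:", is_clean(tampered_report))
    print("missing:", tampered_report["missing"])
    print("ransom-style extras:", suspicious_extras(tampered_report))
```

Run the check from the backup host or a clean recovery machine, never from the infected one, and store the manifest with the isolated copy: a manifest kept on the same network share the ransomware can reach is no more trustworthy than the files beside it.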

To learn more about how we can protect your business against ransomware and other threats, reach out to us at 978-482-2020.

 
