Russian Ransomware Brokers Scam Victims

Security researchers have discovered cybersecurity scammers in Russia are generating hundreds of thousands of dollars in profits by falsely claiming to be able to unlock encrypted files.

Check Point explained that one ‘IT consultancy’ named Dr Shifro is promising customers it can help them recover from ransomware like Dharma/Crisis, for which there is no known decryption key.

In reality, the firm pays the ransomware author a fee and then passes the cost on to the customer at a 75%+ margin, acting more as a broker than an IT consultancy.

Dr Shifro has been around for over two-and-a-half years and has managed 300 ransomware ‘decryptions’ for its clients.

Typically it adds an extra $1000 fee on top of whatever the cyber-criminal is charging for a decryption key, meaning the firm has been able to drive profits of at least $300,000 over the past couple of years.

Researchers believe that, from the correspondence between Dr Shifro and the ransomware creators that they were able to obtain, the former also tries to negotiate a discount from the ransomware author to further increase its margins, a spokesperson told Infosecurity.

“The first point with services like Dr. Shifro’s is ‘if it sounds too good to be true, it probably is.’ While there are legitimate IT consultancies that can help recover systems and files from a ransomware attack, they will usually not make promises they cannot keep,” the security vendor warned.

“In fact, they will usually only offer to help where decryption keys are already publicly available online, and perform decryption services for those who may be unable to do so themselves. Anyone claiming otherwise should be approached with caution.”

Check Point warned that similar scams could emerge over the coming year as a new way of making money off the back of attacks.

Although there have been reports that cryptomining malware is growing in popularity at the expense of ransomware, a recent Europol report warned that the latter was still the top malware threats facing organizations, and would remain a major risk for years to come.

More targeted variants have started to emerge of late, which are harder for firms to defend against. Two Iranians were recently indicted by the US for masterminding the SamSam attacks over the past three years, causing losses estimated at $30m in North America and the UK.

What’s Hot on Infosecurity Magazine?