The Ransomware Sausage Factory – Do You Really Want To Know How They Got Your Data Back?

Statistics vary, but a recurring theme is that ransomware attacks rose by as much as 250% in 2017. Because a considerable number of incidents go unreported, potentially a majority of them, it is difficult to know how deep the problem really goes. That said, we can all agree the problem is bad.

Always on the lookout to fully understand security issues organizations face, we came across an interesting Tweet:

Initial reactions ranged from "it's a get-rich-quick scheme" to "it's an outright scam", with some laughter at the creativity of the solution. Others may consider it a legitimate service: recovering data is what they advertise, and recovering data is precisely what they did.

Kevin Collier, a BuzzFeed News cybersecurity correspondent, followed up with links confirming the security company involved is Proven Data Recovery.

Collier cited their 97.2% success rate and tied it to ransomware recovery. However, that figure is not specific to ransomware. It appears to cover their entire portfolio of data recovery services, which includes recovery from hard drive failure. On the Proven Data Recovery page covering their recovery services you can see the ransomware offering, and the 97.2% figure is not referenced there.

PDR's website also has two bullet points that address the case where ransomware is in play, and both are worth highlighting when evaluating this case:

  • Pay after the ransomware recovery service – We provide you with the peace of mind that we aren’t going to just take your money before getting any data back. We do not bill you until after you’ve verified your data was successfully recovered.
  • After conducting a thorough analysis of the intrusion, Proven Data Recovery may also offer assistance in helping you pay the ransom as a last resort effort to help you get your data back. Proven Data Recovery makes no claim to cracking RSA 2048 encryption or higher as it is currently mathematically impossible to do so with current technologies.

On the surface, charging a customer a lot of money to recover from a ransomware attack when the customer could simply have paid the ransom themselves seems shady to many IT and security professionals. Looked at more closely, though, the service isn't necessarily a bad thing.

Consider the following:

  • Most companies have no idea how to buy the Bitcoin or other cryptocurrency needed to pay the ransom. Bad actors don't take PayPal or corporate checks. Anyone who has bought cryptocurrency knows there are exchange and purchase costs involved that can be daunting to a first-time buyer. Figuring it out unaided would cost a company a lot of time and money, all while the clock is ticking on the ransom demand.
  • As noted above, the Proven Data Recovery website says they will attempt to decrypt, but also that they may pay. While several ransomware families can be decrypted without the attacker's key, many variants cannot.
  • Perhaps Proven Data Recovery's business model reflects the fact that paying is, in some cases, the more cost-effective option. Hopefully they have extensive experience in knowing when that is the right call, and fully explain it to their clients.
  • The company takes on the financial risk by not charging for its services until the data is recovered, by whatever means.

The primary concern among the security professionals discussing this business model is how transparent the company is with clients when it does opt to pay the demand. More specifically, does Proven Data Recovery tell clients that the data was recovered by paying the ransom, or is that kept confidential while the client is billed at a large mark-up? Judging by their Yelp reviews, they have happy customers one way or another. In this case the client was Herrington and Company, real estate agents in Anchorage who, based on the timing, appear to have had a hosting agreement with Liquid Web, Inc. in Alaska. The ransom was apparently $1,600 and the Proven Data Recovery fee was $6,000. Given that the FBI became involved and a search warrant was executed, it appears that someone, for some reason, was not happy with their services.

Companies hit by ransomware really want only one thing: their data back and their operations back to normal as quickly as possible. Even though the FBI recommends not paying a ransom, for good reasons, the end result is what matters, right? Depending on the infection and how quickly the data is needed, it may actually make sense for a company to pay. Even the FBI recognizes this. Its guidance does not flatly state "do not pay under any circumstances". Rather, in its Ransomware Prevention and Response for CISOs document, the FBI states that while it does not encourage payment, "whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup." So, in its own way, the guidance comes down to doing a cost-benefit analysis on whether or not to pay.

One good option to consider when thinking about ransomware risk reduction is cyber insurance. The days of limiting coverage to data breach events alone are long gone. Policies can now include options that change the financial equation when weighing the pros and cons of paying. Coverage varies from one policy to the next, but it is possible to buy cyber insurance that covers elements of both the ransom demand itself and the recovery costs associated with the event. What's more, many insurers maintain a panel of vetted incident response providers ready to answer the call for help. That offers fast access to assistance along with some confidence in the integrity of the provider. Stay tuned for our next installment on ransomware, which takes a closer look at the reasons you should or should not pay, and at some actual costs incurred by organizations.

Risk Based Security has the most comprehensive database of breach events including nearly 400 ransomware events that exposed sensitive information in addition to locking up data and systems. The resulting wealth of breach data coupled with actionable security ratings for organizations has made Risk Based Security a leader in vendor risk management, cyber insurance and risk modeling.