How Cybersecurity Firms Overcome Ransomware Attacks

You just got infected with SamSam crypto-ransomware.  What if I told you I had a secret process that guarantees I can recover your files that have been encrypted by a ransomware attack.  Would you pay me to get your files back?

Brian Krebs tweeted on May 16 about ProPublica’s investigative article about how two cybersecurity firms have successfully “restored” files that have been encrypted by crypto-ransomware attacks.  I suppose this was inevitable, since the “solution” seems so obvious.

Florida-based MonsterCloud and Proven Data Recovery of Elmsford, New York have become quite successful at restoring files of companies who have suffered a ransomware attack.  They claim to be using “advanced technologies,” but all they are really doing is paying the ransom asked for by the cyber-criminals and charging their customers  enough extra to provide a generous profit margin.

I don’t really have a problem with this solution, or the additional money the firms charge.  Handling bit-coin transactions, getting the encryption key from the bad guys, and performing the subsequent decryption tasks is worth the money being charged.  And evidently the customers are delighted with the results.

There are a couple of ethical problems, though.  First, how about you just disclose your “secret process” to your customers up front.  Something simple like “we pay the ransom, get the encryption key, and restore your files.”

The second issue has to due with just who is getting paid.  Some of the more recent crypto-ransomware attacks such as the SamSam exploit are being attributed to Iran, and could be funding terrorism or other actions that the client may not want to be funding.  The U.S. government has indicted a pair of Iranian cyber army members for developing and releasing SamSam.

It has been my experience when dealing with ransomware attacks, my clients have definitely NOT wanted to pay the bad guys, for reasons such as “they’re bad guys’ and “if we pay them, it just encourages them to do it again.”

What’s my take-away?  If you are working with a company that “fixes” ransomware problems, just be sure you know how they get their results.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.