How Cybersecurity Firms Overcome Ransomware Attacks

You just got infected with SamSam crypto-ransomware.  What if I told you I had a secret process that guarantees I can recover your files that have been encrypted by a ransomware attack.  Would you pay me to get your files back?

Brian Krebs tweeted on May 16 about ProPublica’s investigative article on two cybersecurity firms that have successfully “restored” files encrypted by crypto-ransomware attacks.  I suppose this was inevitable, since the “solution” seems so obvious.

Florida-based MonsterCloud and Proven Data Recovery of Elmsford, New York have become quite successful at restoring the files of companies that have suffered a ransomware attack.  They claim to be using “advanced technologies,” but all they are really doing is paying the ransom demanded by the cyber-criminals and charging their customers enough extra to provide a generous profit margin.

I don’t really have a problem with this solution, or the additional money the firms charge.  Handling bitcoin transactions, getting the decryption key from the bad guys, and performing the subsequent decryption tasks are worth the money being charged.  And evidently the customers are delighted with the results.

There are a couple of ethical problems, though.  First, how about you just disclose your “secret process” to your customers up front.  Something simple like “we pay the ransom, get the encryption key, and restore your files.”

The second issue has to do with just who is getting paid.  Some of the more recent crypto-ransomware attacks, such as SamSam, are being attributed to actors in Iran, and the ransom could be funding terrorism or other activities that the client may not want to be funding.  The U.S. government has indicted two Iranian nationals for developing and deploying SamSam.

It has been my experience when dealing with ransomware attacks that my clients have definitely NOT wanted to pay the bad guys, for reasons such as “they’re bad guys” and “if we pay them, it just encourages them to do it again.”

What’s my take-away?  If you are working with a company that “fixes” ransomware problems, be sure you know how they get their results.  Ask them directly, before you sign, whether their process involves paying the ransom, and get the answer in writing.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference (2016, 2017, 2018, 2019), the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
