author photo
By SecureWorld News Team
Tue | Jun 25, 2019 | 11:08 AM PDT

Red Mosquito Data Recovery was just caught, well, red-handed.

The company had a reputation for recovering data that had been encrypted in ransomware attacks.

However, according to ProPublica, a sting operation revealed that the UK-based firm lied about how it recovered data for ransomware victims.

The company's method? Secretly pay the ransom.

Fabian Wosar, a cybersecurity researcher, performed this revealing  investigation:

Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company’s communications to both sides.

Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said.

Red Mosquito's final move was simple. As the middleman, it hiked up the price for the victim. 

The next day, documents show, a Red Mosquito rep wrote to Wosar’s victim email address, saying he was "pleased to confirm that we can recover your encrypted files" for $3,950—four times as much as the agreed-upon ransom.

How's that for a markup?

Growing market: security firms that are really ransomware middlemen

When it comes to data recovery firms like these, Red Mosquito is just one example from the swarm.

(Though they might just have the best name for making puns.)

SecureWorld previously reported about Graham Cluley's take on the growth of "ransomware middlemen":

Just imagine how it feels to then be ripped off a second time by the data recovery firm you turn to for help in your moment of panic.

Such practices by data recovery firms may not be illegal, but they certainly don’t feel entirely ethical. Maybe there are reasons why a company would not want to play a blackmailer directly, and would prefer for a proxy payment to be made on their behalf, but if the only way to recover data after a ransomware attack is to pay the extortionists, well… then that’s what victims should be told.

Organizations are negotiating ransom terms with hackers

Responding to his Red Mosquito investigation, Wosar explained:

"Ransomware victims need to be aware that there’s no silver bullet when it comes to restoring their data. There is also no shame for a data recovery company in paying the ransom, as long as they are open and transparent about it."

He's right. Negotiating with a hacker might protect you and save money.

Just look at a Canadian municipality in Quebec which managed to lower its ransom payment by 55% through negotiations:

In order to regain access to its data, the regional municipality of Mekinac was told to deposit eight units of the digital currency Bitcoin into a bank account—roughly equivalent to $65,000. Mekinac’s IT department eventually negotiated the cyber extortionists down and paid $30,000 in Bitcoin.

Or how about the City of Valdez, Alaska? The city paid hackers in full, but not before receiving a proof of concept:

The city demanded a POC and the hackers agreed: "Negotiation terms required demonstration of successful decryption of multiple City documents and verification the decryption key would not reinfect our system." Over a period of several weeks, city IT personnel used the tool to successfully decrypt all city data infected by the ransomware. 

[Related: $18M Later: Why Baltimore Decided Not to Pay the Ransom]

How your decryption could be free

And who knows? You may not have to pay your hackers anything.

With the growing number of free ransomware removal tools, you might be able to save your company a pretty penny and the stress of negotiations.

Comments