A ransomware decryption service has turned out to be – quelle surprise – a Belarusian middleman who simply pays the ransom and adds his own profit margin to the hapless victim's bill.
Dr Shifro, a Russian-language organisation presenting itself online as a ransomware decryption agency, claims that it's "the only company that specializes in decrypting files", urging users: "Call – we will help!"
Following a sting operation by infosec research biz Check Point, however, it was revealed that Dr Shifro in fact "merely pays the ransomware's creator themselves and passes on the cost to the victim - at a massive profit margin". Check Point also said it found that Dr Shifro's operator was happily emailing scans of their own passport and tax certificate to potential customers of their service.
Two Check Point researchers came across Dr Shifro while looking into the latest strains of the Dharma ransomware. The duo's suspicions were instantly aroused by the company's advertising, which, Check Point said, implied that an unheard-of Russian firm seemingly based in a Moscow back street was capable of breaking RSA-1024 encryption – that is, decrypting data the hard way without the private key.
Estimates vary, but most agreed that doing such a thing with current hardware would take years, if not decades. Nonetheless, Check Point claimed it had "managed to get hold of" correspondence between Dr Shifro and a customer, which showed that Dr Shifro had decrypted ransomware-locked files within two hours of being sent them.
"Could it be possible that Dr Shifro... merely acts as a broker between ransomware operators and their victims for their own financial gain?" mused the researchers. "Such a quick response time could only mean that either Dr. Shifro has RSA private keys for this infection case or he instantly interacts with the ransomware's operator to receive them."
Setting a trap
The two set up a sting operation to find out, using the Dharma encryption algorithm and a freshly generated RSA-1024 public key to encrypt several files, as well as setting up an email address for a fake ransomware creator. They baited their trap by inserting that email address into the filename of the encrypted files before posing as a ransomware victim asking Dr Shifro for help.
Sure enough, they said, Dr Shifro "went silent for two days". Then the fake ransomware creator received an email with the encrypted files attached, asking for help with decryption and offering payment in Bitcoin. Check Point emphasised that only they and Dr Shifro knew the fake ransomware creator's email address, concluding that whomever had contacted them was behind the Russian decryption business.
Following some email exchanges between Dr Shifro and the fake ransomware creator, Check Point summarised the actor's business model by explaining that "he is a mediator and regularly redeems keys for clients, sending Bitcoin without any questions", adding: "He then asked for a discount on the 0.2 BTC we had requested to 0.15 BTC for the key. At this point we stopped communication."
Just to be certain, Check Point then emailed Dr Shifro again, posing as the original victim, asking for a status update. The Russian company replied: "We managed to decrypt your files. Cost of the decryption tool is 150,000 rubles + visit by specialist 5000 rubles (the cost is for Moscow region)."
The firm "had added approximately $1,000 to the initial ransom price asked by our fake 'Ransomware Operator'," said Check Point.
And then it just gets strange
Unbelievably, Check Point was able to track down the real-world identity of Dr Shifro's operator by simply asking for a copy of the contract that the firm offers to potential decryption clients, noting, poker-facedly: "The response we received contained a template of a civil contract and registration documents of the person behind Dr Shifro, including scans of his passport."
Double-checking those details against Dr Shifro's website, Check Point said it found the operator's full name contained in a purported customer satisfaction letter published on the site. The name also checked out against Check Point's own background research, which found that the pseudonymous email address he was using for Dr Shifro had been reused as a handle on enough social media sites for them to pinpoint a Vkontakt profile with the person's real name and mugshot.
His Bitcoin account showed a trade volume of just over 100BTC over the past two years, which at current exchange rates is more than £300,000.
The Register has chosen not to name the man because while what he is doing may be unethical, it does not appear to be illegal. In addition, if he's foolhardy enough to send scans of his passport, his Internal Revenue Service tax certificate and registration of residence to random strangers on the internet, karma will probably catch up with him sooner or later.
Check Point concluded: "Activities such as those carried out by Dr Shifro bring additional losses to ransomware victims due to the increased charges being demanded of them. Furthermore, these unethical activities merely encourage the popularity of ransomware as an attractive method for cyber criminals to use to extort money from the organizations and individuals they attack." ®