He's not cracked RSA-1024 encryption, he's a very naughty Belarusian ransomware middleman

Dr Shifro pays ransom, gets discount and adds its own margin, says Check Point


A ransomware decryption service has turned out to be – quelle surprise – a Belarusian middleman who simply pays the ransom and adds his own profit margin to the hapless victim's bill.

Dr Shifro, a Russian-language organisation presenting itself online as a ransomware decryption agency, claims that it's "the only company that specializes in decrypting files", urging users: "Call – we will help!"

Following a sting operation by infosec research biz Check Point, however, it was revealed that Dr Shifro in fact "merely pays the ransomware's creator themselves and passes on the cost to the victim - at a massive profit margin". Check Point also said it found that Dr Shifro's operator was happily emailing scans of their own passport and tax certificate to potential customers of their service.

Two Check Point researchers came across Dr Shifro while looking into the latest strains of the Dharma ransomware. The duo's suspicions were instantly aroused by the company's advertising, which, Check Point said, implied that an unheard-of Russian firm seemingly based in a Moscow back street was capable of breaking RSA-1024 encryption – that is, decrypting data the hard way without the private key.

Estimates vary, but most agreed that doing such a thing with current hardware would take years, if not decades. Nonetheless, Check Point claimed it had "managed to get hold of" correspondence between Dr Shifro and a customer, which showed that Dr Shifro had decrypted ransomware-locked files within two hours of being sent them.

"Could it be possible that Dr Shifro... merely acts as a broker between ransomware operators and their victims for their own financial gain?" mused the researchers. "Such a quick response time could only mean that either Dr. Shifro has RSA private keys for this infection case or he instantly interacts with the ransomware's operator to receive them."

Setting a trap

The two set up a sting operation to find out, using the Dharma encryption algorithm and a freshly generated RSA-1024 public key to encrypt several files, as well as setting up an email address for a fake ransomware creator. They baited their trap by inserting that email address into the filename of the encrypted files before posing as a ransomware victim asking Dr Shifro for help.

Sure enough, they said, Dr Shifro "went silent for two days". Then the fake ransomware creator received an email with the encrypted files attached, asking for help with decryption and offering payment in Bitcoin. Check Point emphasised that only they and Dr Shifro knew the fake ransomware creator's email address, concluding that whomever had contacted them was behind the Russian decryption business.

Following some email exchanges between Dr Shifro and the fake ransomware creator, Check Point summarised the actor's business model by explaining that "he is a mediator and regularly redeems keys for clients, sending Bitcoin without any questions", adding: "He then asked for a discount on the 0.2 BTC we had requested to 0.15 BTC for the key. At this point we stopped communication."

Just to be certain, Check Point then emailed Dr Shifro again, posing as the original victim, asking for a status update. The Russian company replied: "We managed to decrypt your files. Cost of the decryption tool is 150,000 rubles + visit by specialist 5000 rubles (the cost is for Moscow region)."

The firm "had added approximately $1,000 to the initial ransom price asked by our fake 'Ransomware Operator'," said Check Point.

And then it just gets strange

Unbelievably, Check Point was able to track down the real-world identity of Dr Shifro's operator by simply asking for a copy of the contract that the firm offers to potential decryption clients, noting, poker-facedly: "The response we received contained a template of a civil contract and registration documents of the person behind Dr Shifro, including scans of his passport."

Double-checking those details against Dr Shifro's website, Check Point said it found the operator's full name contained in a purported customer satisfaction letter published on the site. The name also checked out against Check Point's own background research, which found that the pseudonymous email address he was using for Dr Shifro had been reused as a handle on enough social media sites for them to pinpoint a Vkontakt profile with the person's real name and mugshot.

His Bitcoin account showed a trade volume of just over 100BTC over the past two years, which at current exchange rates is more than £300,000.

The Register has chosen not to name the man because while what he is doing may be unethical, it does not appear to be illegal. In addition, if he's foolhardy enough to send scans of his passport, his Internal Revenue Service tax certificate and registration of residence to random strangers on the internet, karma will probably catch up with him sooner or later.

Check Point concluded: "Activities such as those carried out by Dr Shifro bring additional losses to ransomware victims due to the increased charges being demanded of them. Furthermore, these unethical activities merely encourage the popularity of ransomware as an attractive method for cyber criminals to use to extort money from the organizations and individuals they attack." ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • Running Windows 10? Microsoft is preparing to fire up the update engines

    Winter Windows Is Coming

    It's coming. Microsoft is preparing to start shoveling the latest version of Windows 10 down the throats of refuseniks still clinging to older incarnations.

    The Windows Update team gave the heads-up through its Twitter orifice last week. Windows 10 2004 was already on its last gasp, have had support terminated in December. 20H2, on the other hand, should be good to go until May this year.

    Continue reading
  • Throw away your Ethernet cables* because MediaTek says Wi-Fi 7 will replace them

    *Don't do this

    MediaTek claims to have given the world's first live demo of Wi-Fi 7, and said that the upcoming wireless technology will be able to challenge wired Ethernet for high-bandwidth applications, once available.

    The fabless Taiwanese chip firm said it is currently showcasing two Wi-Fi 7 demos to key customers and industry collaborators, in order to demonstrate the technology's super-fast speeds and low latency transmission.

    Based on the IEEE 802.11be standard, the draft version of which was published last year, Wi-Fi 7 is expected to provide speeds several times faster than Wi-Fi 6 kit, offering connections of at least 30Gbps and possibly up to 40Gbps.

    Continue reading
  • Windows box won't boot? SystemRescue 9 may help

    An ISO image you can burn or drop onto a USB key

    The latest version of an old friend of the jobbing support bod has delivered a new kernel to help with fixing Microsoft's finest.

    It used to be called the System Rescue CD, but who uses CDs any more? Enter SystemRescue, an ISO image that you can burn, or just drop onto your Ventoy USB key, and which may help you to fix a borked Windows box. Or a borked Linux box, come to that.

    SystemRescue 9 includes Linux kernel 5.15 and a minimal Xfce 4.16 desktop (which isn't loaded by default). There is a modest selection of GUI tools: Firefox, VNC and RDP clients and servers, and various connectivity tools – SSH, FTP, IRC. There's also some security-related stuff such as Yubikey setup, KeePass, token management, and so on. The main course is a bunch of the usual Linux tools for partitioning, formatting, copying, and imaging disks. You can check SMART status, mount LVM volumes, rsync files, and other handy stuff.

    Continue reading

Biting the hand that feeds IT © 1998–2022