Biz tells ransomware victims it can decrypt their files... by secretly paying off the crooks and banking a fat margin
It's all in a lucrative day's work for Red Mosquito
A Scottish managed services provider is running a lucrative sideline in ransomware decryption – however, a sting operation by a security firm appears to show that “decryption” merely means paying off the malware's masterminds.
The services provider, Red Mosquito (tagline: “Your IT Department”), advertises itself as doing “all the technical stuff, properly, allowing you to concentrate on your business.”
Some probing by researchers at infosec outfit Emsisoft, however, cast Red Mosquito’s activities in a different light. By setting up two email accounts and using them to pose as both a ransomware author and a victim of ransomware, Emsisoft said it discovered that Red Mosquito’s RM Data Recovery (RMDR) offshoot appears to be negotiating discounts with ransomware-slinging crooks to unlock scrambled files before charging the victims thousands in decryption fees.
Barrister Tim Forte opined to The Register that entering a payoff agreement with a ransomware author could be seen as facilitating blackmail, explaining that it would be “nothing more than an agreement that between them, the author and RMDR, they would continue to seek monies from the victim, with the threat that, absent payment, the data would not be disinfected, released, or decrypted.”
“By their apparent agreement with the author, RMDR are, at least arguably, agreeing on that criminal course of conduct, with a view to obtaining a share of the illicit profits,” Forte, who practises criminal law at 3 Temple Garden chambers in London, added. He also said that as well as blackmail, ransomware authors would be committing criminal offences under the UK's Computer Misuse Act 1990.
Emsisoft CTO Fabian Wosar told El Reg: "Ransomware incident response companies can provide a very valuable service and help minimize downtime and costs, but you should choose carefully and ensure the company is entirely transparent upfront as to how they restore your files and provide a complete breakdown of the costs involved."
Red Mosquito did not respond to multiple emailed and telephoned requests for comment. A phone operative told El Reg that if senior management weren’t responding, they probably weren’t interested.
Baiting the trap
Emsisoft set up two throwaway email inboxes. One posed as the ransomware author. The firm created some junk files that, they explained, would pass superficial inspection by a human as encrypted data even though they were not encrypted and contained nothing but random bytes.
“To be 100% clear here,” Wosar told us, “it is impossible to decrypt the files I provided to the data recovery company at all, because they contain nothing that could be decrypted to begin with. Reason for that is so they don’t try to weasel their way out of it by saying they did find a flaw or that they have a magic decryption tool that only they have that could decrypt it.”
Emsisoft then dressed up these files to appear as though they were scrambled by ransomware made by a fictitious gang called Team Gotcha!, and did some light social media and Google astroturfing to make the fake Gotcha! ransomware outfit look real. Emsisoft also put contact details for their fake ransomware developer persona in the ransom note. Having emailed the files and the note to RMDR as a victim seeking help, they then sat back and waited.
Sure enough, their fake victim email address got a reply from RMDR promising action. Very shortly afterwards, someone using a Protonmail account – firstname.lastname@example.org – contacted the ransomware author.
“How much for decrypt?” asked the one-line email.
“$1200 in Bitcoin. You pay, we provide key and decriptor [sic] to recover data” replied Emsisoft. After some negotiation, to keep it looking real, Emsisoft dropped the price of their fake ransomware decryption to $900.
Meanwhile, RMDR had contacted the victim again. Someone using the name Conor Lairg replied by email, seen by The Register:
I am pleased to confirm that we can recover your encrypted files.
The cost for our data recovery service is as follows:
Priority Recovery Service (estimate 1-3 business days) 3950 USD
Red Mosquito’s email also asked the victim to install Teamviewer, a IT support tool that allows a remote user to take full control of a target machine with the user’s consent.
At the time that El Reg began investigating this, the RM Data Recovery website said, on its FAQ page, that customers could “schedule a secure remote session onto a computer with access to the data” in order to carry out the decryption process. RMDR's FAQ also noted:
We do not recommend dealing with the 'hacker' directly (see advice on our home page). In many cases, paying the ransom may be the only option to get your data recovered and it is best to get an experienced consultant to assist with this process.
That same page even provides a link to an online reviews website full of comments from RMDR customers apparently unaware that RM Data Recovery Ltd was charging whopping great markups on the prices it paid blackmailers to unlock encrypted files.
One reviewer was not so convinced, though. "Chisel" wondered: “But I have to say in all fairness that the cost of about $5000 for approx two hours work (remotely) left me wondering if we were taken advantage of. That's $2500 an hour. I'm grateful that the files are back but at a huge cost.”
Red Mosquito’s “data recovery” business appears to be lucrative. In accounts for fiscal year 2017, RM Data Recovery Ltd had more than £300,000 in the bank, according to Companies House records – several orders of magnitude higher than the £300 in the previous year.
In contrast Red Mosquito Ltd had a relatively measly £100,000 in its coffers for FY2017. Both limited companies are small enough to benefit from accounting exemptions, meaning details of their revenues and profits are not required to be reported, though RM Data Recovery’s reported net assets of £283k compared very favourably with the MSP business’ net worth of just £15k.
Red Mosquito Ltd and RM Data Recovery Ltd share the same directors: Neil Rowney, Derek Smith, and Andrew Stark. Both firms are registered to the same business address in Panorama Business Village, Glasgow.
Next time you consider engaging a third-party decryption service, it's worth bearing this yarn in mind. Emsisoft's Wosar mused: “Using a data recovery service to recover from ransomware is a bit like buying a car. It can help to bring someone experienced along to help with the negotiation, but you want that person to be a trustworthy relative, not a twat waffle shyster who’ll get you to pay more than necessary and split the difference with the salesman.” ®