ProPublica is a Pulitzer Prize-winning investigative newsroom.
ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers.
Now there’s new evidence that a U.K. firm takes a similar approach. Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was “running tests” to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company’s communications to both sides.
Red Mosquito Data Recovery “made no effort to not pay the ransom” and instead went “straight to the ransomware author literally within minutes,” Wosar said. “Behavior like this is what keeps ransomware running.”
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware’s spread, and culprits are rarely caught. If files encrypted by attackers are not backed up, and a free public decryption tool is unavailable, usually the only way to clear them is paying the ransom, said Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware. But clients who don’t want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.
On its website, Red Mosquito Data Recovery calls itself a “one-stop data recovery and consultancy service” and says it has dealt with hundreds of ransomware cases worldwide in the past year. It advertised last week that its “international service” offers “experts who can offer honest, free advice.” It said it offers a “professional alternative” to paying a ransom, but cautioned that “paying the ransom may be the only viable option for getting your files decrypted.”
It does “not recommend negotiating directly with criminals since this can further compromise security,” it added.
Red Mosquito Data Recovery did not respond to emailed questions, and hung up when we called the number listed on its website. After being contacted by ProPublica, the company removed the statement from its website that it provides an alternative to paying hackers. It also changed “honest, free advice” to “simple free advice,” and the “hundreds” of ransomware cases it has handled to “many.”
Besides Red Mosquito Data Recovery’s website, a company called Red Mosquito has its own website. A person answering the phone at the Red Mosquito site said they are “sister” companies and that RMDR, as it is known, specializes in helping ransomware victims. The Red Mosquito site markets a wider array of cyber-services.
The two U.S. firms, Proven Data Recovery of Elmsford, New York, and Hollywood, Florida-based MonsterCloud, both promised to use their own technology to help ransomware victims unlock their data, but instead typically obtained decryption tools from cyberattackers by paying ransoms, ProPublica found.
We also traced ransom payments from Proven Data to Iranian hackers who allegedly developed a strain known as SamSam that paralyzed computer networks across North America and the U.K. The U.S. government later indicted two Iranian men on fraud charges for allegedly orchestrating the extortion, and banned payments to two digital currency destinations associated with them. Proven Data chief executive Victor Congionti told ProPublica in May it paid the SamSam attackers at the direction of clients, and didn’t know they were affiliated with Iran until the U.S. government’s actions. Congionti said that Proven Data’s policy on disclosing ransom payments to clients has “evolved over time” and it is now “completely transparent.”
MonsterCloud chief executive Zohar Pinhasi said in May that its data recovery methods are a trade secret and it doesn’t mislead clients. A spokesperson said Friday that Pinhasi stands by his earlier statements.
For his Red Mosquito Data Recovery experiment, Wosar said he created a fake ransomware, which he named “GOTCHA.” He also drafted a ransom note — laden with typos such as “immidiately” for authenticity, since many attackers aren’t native English speakers — with instructions for contacting the hacker, according to a copy of the note that he provided to ProPublica. Like many actual ransom notes, Wosar’s included a unique ID sequence, and instructed the victim to use it in any reply, the copy shows. Such a sequence helps real hackers know which victim is paying them. Wosar said he inserted it so that he could confirm it was Red Mosquito Data Recovery contacting him at the “hacker” email address, even if the firm didn’t identify itself. The ID sequence was an encrypted version of the company’s own name, he said.
On April 17, posing as prospective client “Joe Mess,” Wosar sought RMDR’s help, according to emails he provided to ProPublica. Attaching the ransom note and sample files, he wrote in an email, “Two days ago I found my home server to be hacked by someone and all my pictures, documents, videos, and other files have been renamed to .gotcha files and encrypted… I don’t have any backups but I do not want to pay those assholes.”
“I am very confident we will be able to recover your files,” someone identifying himself as Conor Lairg replied later that day from a Red Mosquito email address, copies of the correspondence show. “We are now running tests and I will be in touch as soon as possible with an update.”
Two minutes later, Wosar’s hacker email account lit up with a response from “[email protected].” The subject line contained the unique ID he had assigned to the victim, which meant the message could only come from Red Mosquito Data Recovery or someone that the company shared it with.
“How much for decrypt?” the respondent asked.
Meanwhile, “Joe Mess” pressed Lairg for confirmation that Red Mosquito wouldn’t pay the ransom: “So you think you may be able to help without me having to pay the ransom?”
“We are still investigating and will get back to you as soon as possible,” Lairg responded.
Less than an hour later, Wosar, posing as the hacker, began negotiating with “[email protected],” the correspondence shows.
“$1200 in Bitcoin,” he wrote. “You pay, we provide key and decriptor (sic) to recover data.”
The respondent sought a better deal. “Can you do for 500 USD,” it replied.
Wosar’s hacker alter ego agreed to lower the price. “$900. Take it or kiss data bye bye,” he wrote. “We don’t run chairity (sic) here.”
The contact told him it would try to obtain the Bitcoin needed.
The next day, documents show, Lairg wrote to Wosar’s victim email address, saying he was “pleased to confirm that we can recover your encrypted files” for $3,950 — four times as much as the agreed-upon ransom. Lairg said the firm would recover the files within an estimated three business days. Payment would be required before recovery began, but the money would be returned if they couldn’t recover any of the files, he wrote.
Posing as the victim, Wosar asked: “How did you do it?” Lairg did not answer, instead providing details of how to handle payment and outlining steps to prepare for the recovery, such as disabling anti-virus software that could interfere with decryption, according to the documents. Wosar said he stopped communications after that.
No one named Conor Lairg is listed on the contact pages of either Red Mosquito website or on LinkedIn. Calls to both Red Mosquito companies did not reach him.
In its investigation, ProPublica found that both MonsterCloud and Proven Data used aliases in dealing with customers.
Using the same ruse, Wosar said, he also contacted Proven Data, MonsterCloud, and a company outside the U.S. with which his experiment is still in progress. Proven Data was “very open about paying ransoms so no point to following up after that,” Wosar said. He said MonsterCloud, which currently serves businesses and government agencies hit by ransomware rather than home users, did not respond.
“Wosar is well respected in the cyber security community, and we take no issue with him poking and prodding various cyber security companies,” Pinhasi, the MonsterCloud CEO, said in a statement Monday. “MonsterCloud did not respond to his inquiry simply because we do not serve individual consumers – there was no action to be taken. However, it’s my strong preference that oversight and regulation be done through appropriate bodies – industry and/or government organizations that are both peer reviewed for proper checks and balances and also utilize proper scientific method, study methodology, and processes.”
This is the second time that Wosar has targeted Red Mosquito, he said. In 2016, he said this year, he and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed Red Mosquito, as well as MonsterCloud and Proven Data, posing as a victim who didn’t want to pay a ransom, he said.
The firms eagerly agreed to help, claiming the ability to decrypt ransomware strains that were not actually breakable — and they didn’t mention that they paid ransom, Wosar said. The email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms. Wosar said he no longer has the email correspondence from the 2016 sting.
Congionti and Pinhasi both said they could not recall the particular case. Red Mosquito did not respond to an emailed question about it.
“Ransomware victims need to be aware that there’s no silver bullet when it comes to restoring their data,” Wosar said. “There is also no shame for a data recovery company in paying the ransom, as long as they are open and transparent about it.”