Published on May 15th, 2019
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra.
From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.
“You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”
At a press conference last November, then-Deputy Attorney General Rod Rosenstein announced that the U.S. Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. Many SamSam targets were “public agencies with missions that involve saving lives,” and the attackers impaired their ability to “provide health care to sick and injured people,” Rosenstein said. The hackers “knew that shutting down those computer systems could cause significant harm to innocent victims.”
In a statement that day, the FBI said the “criminal actors” were “out of the reach of U.S. law enforcement.” But they weren’t beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.
Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.
“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”
Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.
Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.
The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.
In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.
Siegel refers to a handful of firms globally, including Proven Data and MonsterCloud, as “ransomware payment mills.” They “demonstrate how easily intermediaries can prey on the emotions of a ransomware victim” by advertising “guaranteed decryption without having to pay the hacker,” he said in a blog post. “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.”
MonsterCloud chief executive Zohar Pinhasi said that the company’s data recovery solutions vary from case to case. He declined to discuss them, saying they are a trade secret. MonsterCloud does not mislead clients and never promises them that their data will be recovered by any particular method, he said.
“The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation,” he said. “Those victims of attacks should never make contact themselves and pay the ransom because they don’t know who they are dealing with.”
On its website, Proven Data says it “does not condone or support paying the perpetrator’s demands as they may be used to support other nefarious criminal activity, and there is never any guarantee to obtain the keys, or if obtained, they may not work.” Paying the ransom, it says, is “a last resort option.”
However, chief executive Victor Congionti told ProPublica in an email that paying attackers is standard procedure at Proven Data. “Our mission is to ensure that the client is protected, their files are restored, and the hackers are not paid more than the minimum required to serve our clients,” he said. Unless the hackers used an outdated variant for which a decryption key is publicly available, “most ransomware strains have encryptions that are too strong to break,” he said.
Congionti said that Proven Data paid the SamSam attackers “at the direction of our clients, some of which were hospitals where lives can be on the line.” It stopped dealing with the SamSam hackers after the U.S. government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. “Under no circumstances would we have knowingly dealt with a sanctioned person or entity,” he said.
Proven Data’s policy on disclosing ransom payments to clients has “evolved over time,” Congionti said. In the past, the company told them it would use any means necessary to recover data, “which we viewed as encompassing the possibility of paying the ransom,” he said. “That was not always clear to some customers.” The company informed all SamSam victims that it paid the ransoms and currently is “completely transparent as to whether a ransom will be paid,” he said.
“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”
No U.S. laws prohibit paying ransoms. The FBI frowns on it officially — and winks at it in practice. Ransom payment “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes,” an FBI spokesperson told ProPublica in an email. But in 2015, the assistant special agent in charge of the FBI’s cyber program in Boston said at a cybersecurity conference that the bureau will “often advise people just to pay the ransom,” according to news reports.
Paying a ransom while pretending otherwise to a client, though, could constitute deceptive business practices prohibited by the Federal Trade Commission Act, said former FTC acting chairman Maureen Ohlhausen. “Any claim that a company makes, they can legally be held to that claim,” she said. Neither MonsterCloud nor Proven Data has been cited by the FTC.
Storfer, who worked for Proven Data from March 2017 until September 2018, said in a series of interviews that the company not only paid ransoms to the SamSam hackers, but also developed a mutually beneficial relationship with them. As that relationship developed, he said, Proven Data was able to negotiate extensions on payment deadlines.
“With SamSam, we could say, hello, this is Proven Data, please keep this portal open while we contact and interact with the customer while moving forward,” Storfer said. “And they would remove the timer on the portal. And then they would respond quicker and in many cases would be able to provide things a little bit easier.”
The SamSam attackers didn’t identify themselves, he said. While Proven Data generally concealed its identity when responding to ransom demands, “we were very open” with the SamSam hackers, “and we would essentially announce ourselves,” Storfer said.
Eventually, the attackers began recommending that victims work with the firm. “SamSam would be like, ‘If you need assistance with this, contact Proven Data,’” said Storfer, who declined to identify clients. Some of them wondered about this endorsement. “Honestly, the weirdest thing was clients would ask us why, and we would have to respond to that, which was not a really fun conversation,” he added.
The referrals indicate the SamSam hackers’ confidence that Proven Data would pay the ransom, said Bart Huffman, a Houston lawyer specializing in privacy and information security. Such prior understandings could be seen as a criminal conspiracy and may violate the U.S. Computer Fraud and Abuse Act, he said.
“That does seem like you are working for the other side,” Huffman said. “You are facilitating the payment at the recommendation of SamSam, in the manner suggested by SamSam.”
Proven Data has never been charged with such a violation. The company “never had a ‘close relationship’ with SamSam attackers,” said Congionti, who didn’t comment on the recommendations specifically. “Our contact with attackers is limited to minimizing the attack on the customer. … Anyone can reach out to a hacker and tell them to keep the portal open longer.”
The father of ransomware was Harvard-educated anthropologist Joseph L. Popp Jr. While researching the theory that AIDS originated in green monkeys in East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS education to people interested in public health. When recipients ran the disk, their computers froze, and a message on the screen instructed them to send up to $378 to a post office box in Panama for a second disk that would restore their access.
The FBI arrested Popp before he could carry out his plan to distribute another 2 million disks. U.S. officials extradited him to England, where he was deemed mentally unfit to stand trial, John Kilroy, one of his lawyers, said.
“I believe he sincerely wanted to stop the spread of AIDS,” Kilroy said. “He lost his way in doing the ransom. I don’t think he had a good understanding of the consequences for other people.”
Popp, an Ohio native, returned to the U.S. and settled in Oneonta, New York. There, he helped establish a butterfly conservatory that was named in his honor after he died in a 2006 car accident at age 55, according to a local news clipping and his death certificate.
He didn’t live to see his brainchild become one of the world’s most common types of cybercrime. It wasn’t until 2012, when bitcoin began gaining traction, that ransomware took off. The decentralized digital currency made it difficult to trace or block payments.
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security.
“Ransomware continues to spread and is infecting devices around the globe,” the FBI said in a statement. “We are seeing different kinds of ransomware, different deployment methods, and a coordinated distribution. The FBI considers it one of the top cybercriminal threats.”
Yet the FBI’s Internet Crime Complaint Center counted only 1,493 ransomware victims in 2018 — a figure the bureau itself says represents only a small fraction of total incidents. Victims don’t report attacks, perhaps because they’re embarrassed or reluctant to admit to gaps in their IT security, according to law enforcement officials.
Even when victims do report ransomware, the culprits are rarely caught. The Iranians who allegedly distributed SamSam were the first people ever indicted by the U.S. government for deploying a ransomware scheme, although others have pleaded guilty to money laundering or computer damage in connection with ransomware.
While demands to businesses and municipal governments have reached as high as six figures, the average ransom sought is a few thousand dollars, according to cyberresearch firms. That’s well below the thresholds maintained by federal prosecutors to trigger an investigation, said former FBI Deputy Director John Pistole. Local police departments lack the resources to solve cybercrime and themselves are frequently ransomware targets. “It is a weird gray area where there is a law but it isn’t enforced,” said Jeffrey Kosseff, an assistant professor of cybersecurity law at the United States Naval Academy. “Ransomware is a real failure of the current legal system. There is not a good remedy.”
European law enforcement agencies have had more success. In March 2018, for example, the Polish Police — in cooperation with the Belgian Federal Police and Europol — arrested a Polish national suspected of having infected several thousand computers with ransomware. European law enforcement officials “just hang out on Slack channels where we tell them stuff,” said Fabian Wosar, a U.K.-based security researcher, referring to the popular messaging platform.
Asked whether its agents also gather information via Slack, the FBI said that it “must adhere to rules relating to federal agency recordkeeping, which makes the adoption of more agile communication methods trickier for us than for private sector companies.”
When Wosar discovered servers in the U.S. and the Netherlands that likely contained the attackers’ decryption keys for the ASN1 ransomware strain and could help identify the criminals, he and another researcher notified the FBI and the Dutch National Police. “Great news,” a member of the Dutch high-tech crime team responded. “We are eager to start things up” and “try to seize the servers.” The FBI replied with basic questions that reflected a lack of understanding of how ransomware works, said Wosar, who is head of research at anti-virus provider Emsisoft.
On another occasion, Wosar had what he called a “very hot lead” on the inventor of the ACCDFISA strain. He tried one FBI agent after another and ended up submitting his tip on the “FBI homepage like everyone else,” he said. “I’m sure it got lost among hundreds of thousands of submissions.” The bureau declined to comment on the incidents.
As ransomware proliferated without an effective law enforcement response, an industry sprang up to unlock victims’ computers. In the U.S., it was dominated by two firms: Proven Data and MonsterCloud. Each says it has assisted thousands of victims.
The companies’ claims to be able to release files using their own technology aroused Wosar’s curiosity. He and other security experts sometimes find ways to disable ransomware, and they post those fixes online for free. But they can decrypt ransomware only if there are errors in the underlying software or if a security lapse allows the researchers to hack into the attacker’s server, he said; otherwise, it’s essentially bulletproof.
“If there is a company that claims they broke the ransomware, we are skeptical,” Wosar said. “Everything the ransomware did has been analyzed by other researchers. It’s incredibly unlikely they were the only ones to break it.”
In December 2016, he devised an experiment dubbed “Operation Bleeding Cloud,” after MonsterCloud and the notorious “Heartbleed” software vulnerability. He and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed MonsterCloud, Proven Data and several data recovery firms based in the U.K. and Australia, posing as a victim who didn’t want to pay a ransom.
Wosar said he sent some sample encrypted files to the firms along with a fake ransom note that he had written. Like many ransom notes, the demand included an email address to contact the attacker for instructions on how to pay. Each note also contained a unique ID sequence for the victim, so Wosar could later identify which firm had contacted him even if it used an anonymous email account.
The firms eagerly agreed to help. “They all claimed to be able to decrypt ransomware families that definitely weren’t decryptable and didn’t mention that they paid the ransom,” Wosar said. “Quite the contrary actually. They all seemed very proud not to pay ransomers.”
Soon, the email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.
“The victims are getting taken advantage of twice,” he said.
Proven Data’s Congionti and MonsterCloud’s Pinhasi both said they could not recall this particular case. “If someone is saying that we promised up front that we would be able to decrypt their files, I am certain that this is inaccurate,” Pinhasi said.
Last year, the research division of Israeli cybersecurity company Check Point Software Technologies used a similar tactic to unmask Dr. Shifro, a Russian company. Dr. Shifro purported to use its own technology to liberate computers locked by ransomware, but it actually negotiated with a security researcher posing as the hacker, according to Check Point. Dr. Shifro did not respond to an email in both Russian and English seeking comment.
Storfer, the former Proven Data ransom negotiator, said he was saddened to read of Dr. Shifro’s tactics. “That’s basically what I was doing,” he said.
In 2017, Storfer was a year out of college and looking online for a job close to his Westchester County, New York, home when he spotted an opening for an office manager at Proven Data. He’d never heard of the company, but he applied and was hired.
He thought he would be scheduling meetings, sending out packages and accepting deliveries. But prior jobs at retail stores and restaurants had honed his customer service skills. After a short time at Proven Data, he was given the title of client solutions manager and assigned to negotiate with hackers. Storfer “was responsible for some of the correspondence with ransomware attackers,” Victor Congionti said. The job, which Storfer said paid a starting salary of about $41,000 a year, provided a unique window onto the rarely glimpsed underworld of cybercrime.
He soon realized that ransomware is a vast global industry. Most attacks on U.S. targets originate from abroad, especially Russia and Eastern Europe. There are hundreds of ransomware strains and thousands of variants of those strains. Some are sidelined as their revenues diminish or cybersecurity researchers devise ways to neutralize them, while new ones are always emerging.
Some ransomware attacks hit millions of computers indiscriminately, hoping to infiltrate them through infected spam email attachments. Others target businesses, government agencies and nonprofit organizations, sometimes with “brute-force” tools that invade computer networks. While individuals are frequently attacked, criminals increasingly extort institutions that have deeper pockets and readily pay the ransom to minimize disruption to their operations.
Once ransomware penetrates the computer, victims are unable to open their files, which are often renamed with a new extension. Generally, a ransom note pops up on the screen. It may direct victims to a page only accessible through Tor, a dark web browser, or to a hacker’s email address, for information on how to pay. The hackers may offer to decrypt a sample file. When they receive confirmation of payment — usually in bitcoin but sometimes in even less traceable forms of cryptocurrency, such as Dash and Monero — they send the software and key to unlock the files. Most hackers live up to their end of the deal, Storfer said. Otherwise, they are denounced as cheaters on websites frequented by victims, researchers and data recovery firms, and their ransom demands lose credibility, he and others said.
Some attackers warn victims to avoid data recovery firms. “Decryption of your files with the help of third parties may cause increased price (they add their fee to our),” said one ransom note posted on Coveware’s website.
More sophisticated cyberattackers cultivate firms like Proven Data as a source of income. The hackers sometimes offer discounts, which Congionti said the company’s “present policy” is to pass on to clients. The dark website for the GandCrab strain offers a “promo code” box on its ransom checkout page exclusively for data recovery firms. After paying a ransom, the firms receive a code for a discount on a future ransom.
Proven Data’s rival, MonsterCloud, is run by Pinhasi, who describes himself as a former IT security intelligence officer for the Israeli military. He declined ProPublica’s request to visit its South Florida storefront office, saying it was being renovated. Instead, over a mid-February lunch at Shalom Haifa, a nearby restaurant, Pinhasi guardedly discussed his business.
He said MonsterCloud handles up to 30 calls a day and has about 20 employees in South Florida as well as extensive global contacts. “Our network is in the hundreds,” he said. “Because keep in mind that we have people who we are connected to pretty much all over the globe, who are working with us in various cases.” Asked what these people do, he said, “I can’t really dive into it.”
In some cases, he said, MonsterCloud uses its contacts on the darknet — hidden, anonymous networks that communicate over the internet. “Our goal is to restore the data and help the customer. If we need to walk to the moon on broken glass, we will. We don’t care how, what, where, whatever. Our goal is to get the data out.”
In a video posted online touting MonsterCloud’s services, Pinhasi wears a dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a white long-sleeve T-shirt emblazoned with the logo of teen retailer Abercrombie & Fitch.
Pinhasi said he came to the U.S. in 2002. He told ProPublica that he has led MonsterCloud since 2003, but Florida corporation records show the business began 10 years later. Instead, in 2003, he co-founded a Florida company called PC USA Computer Solutions Providers.
One PC USA client, Maurice Oujevolk, vented his unhappiness on Yelp. Oujevolk hired PC USA for his Sunrise, Florida, model car business, and paid regularly for cloud backup service. In March 2016, his company’s computer system crashed. He called PC USA for help. But Pinhasi told Oujevolk that PC USA’s system had also failed, and complete backups were not available, Oujevolk said. Pinhasi demanded more money to try to recover the files. Oujevolk refused.
“I lost tremendous time and money to rebuild the information that disappeared,” Oujevolk said. He didn’t sue PC USA, he said, because the dispute was impairing his health and he wanted to put it behind him. “I am surprised he can still be doing business in Florida. We were trusting them, and they took our money and disappeared. They had told us we didn’t need to do any backups.”
Pinhasi said that Oujevolk’s was the only complaint he had received in 18 years of service. He said Oujevolk’s “fact recollection was flawed,” and the problem was that the client’s hard drive provided to PC USA for storage was “corrupted.” He said Oujevolk declined PC USA’s offer to send the hard drive to a recovery company in California. Oujevolk said there was no such offer.
Pinhasi flourished financially. Public records show he’s driven three new Mercedes in the past decade and owns two houses in South Florida, including a waterfront home in Hallandale Beach assessed at $1.4 million. Once ransomware took off, he pivoted from cloud services to data recovery.
On its website, MonsterCloud offers “guaranteed results.” It tells prospective clients, “Don’t Pay the Ransom.” Paying the ransom, it says, “doesn’t guarantee you’ll get your data back.” It’s “a risk you don’t want to take. Let our experts handle the situation for you.”
Pinhasi declined to say whether MonsterCloud pays ransoms. “We work in the shadows,” he said. “How we do it, it’s our problem. You will get your data back. Sit back, relax and enjoy the ride.”
The lack of transparency deterred Tim Anderson, an IT consultant based in Houston. When the Nozelesn strain of ransomware attacked one of his clients this past January, he reached out to MonsterCloud. The firm wanted $2,500 for an analysis and up to $25,000 for actual recovery, he said. The ransom was 2 bitcoin, worth about $7,000 at the time.
When Anderson requested an explicit technical description of how MonsterCloud would unlock the files, the firm demurred.
“I immediately smelled a rat,” Anderson said. “How do I know they’re not taking the $25,000 and paying the ransom guy $7,000 of it? The consumer doesn’t know what’s going on.”
He declined MonsterCloud’s services. Instead, his client hired another firm to pay the ransom.
Pinhasi points to MonsterCloud’s ties to law enforcement as evidence of its integrity.
“We are trusted by law enforcement and intelligence agencies,” he said. “We recently met with the FBI to share with them our deep knowledge of Ransomware, and we often share with them our cyberintelligence gathering findings. They wouldn’t waste their time with us if we were a deceptive company.”
John Pistole, a former deputy director of the FBI under Robert Mueller, is featured in a promotional video on MonsterCloud’s homepage. “Police departments, government agencies, hospitals, small business and Fortune 500 firms trust MonsterCloud to help recover from attacks and protect against new ones,” Pistole said in the video. “MonsterCloud’s proprietary technology and expertise protects their professional reputations and organizational integrity.”
Pistole, who also headed the Transportation Security Administration under President Barack Obama, is listed on MonsterCloud’s website as the only member of its “Cyber Security Advisory Council.” Now president of Anderson University in Indiana, he said in an interview that he became acquainted with Pinhasi after MonsterCloud reached him through a speaker’s bureau. Pistole said that MonsterCloud pays him indirectly through the bureau.
Pistole said his testimonial was scripted by Pinhasi. He is well aware, he said, that in most cases the only way to decrypt computers hit by ransomware is to pay the hackers. That’s MonsterCloud’s approach, he said.
“The model I’m used to is, you pay the ransom,” he said. “That’s the business model as I understood it last year when I did my initial look at it after meeting Zohar. … Based on my experience and knowledge, ransom is paid and they facilitate the best practices moving forward.”
Pistole is listed in Florida corporation records as an “authorized member” of another company run by Pinhasi, Skyline Comfort LLC. Pistole said that Skyline’s business plan is putting massage chairs in airports. For a few minutes’ massage, passengers would pay a fee, which Skyline would split with the airport authority. Pistole said that he connects Pinhasi with airport officials and will be paid if the company becomes profitable. A former TSA colleague and Pinhasi’s brother-in-law are also involved in Skyline, he said.
In other testimonials on MonsterCloud’s website, four local law enforcement agencies praise the firm for restoring their data following ransomware attacks. ProPublica spoke with all but the Kaufman, Texas, Police Department, which did not respond to messages. Officials at the three departments we spoke with were all under the impression that MonsterCloud decrypted their computer networks without paying a ransom.
Chief Deputy Ward Calhoun of the Lauderdale County Sheriff’s Office in Meridian, Mississippi, which enlisted MonsterCloud after a ransomware attack in May 2018, said in an interview that other victims seek his advice “once or twice a month.” He tells them that MonsterCloud can help them. “The danger is, even if you give money to hackers, you don’t know you’re gonna be able to unlock your data anyway,” he said. “We decided we weren’t going to do that. We went with MonsterCloud instead.”
The Trumann, Arkansas, Police Department was another satisfied customer. When its computer system was infected in November, decades’ worth of data including case notes, witness statements, affidavits and payroll records were frozen. The department’s IT manager came across MonsterCloud on a Google search while “frantically looking for a way to fix the problem,” said the chief of police, Chad Henson.
Henson, who oversees about two dozen officers serving a population of 8,000, said he was reassured about MonsterCloud’s capabilities when he discovered “how friendly they are to law enforcement and to government entities.”
“That’s when we made the phone call to them,” he recalled. “They said: ‘Don’t worry about it. We are pretty sure we can get everything back.’”
Another reason he chose MonsterCloud, he said, was that it wouldn’t pay the ransom. “I’m the one in the seat, the one charged to safeguard the department,” he said. “To turn around and spend taxpayer money on a ransom — that is absolutely the wrong decision. It is the nuclear option. But with MonsterCloud, we can just remove that option.”
MonsterCloud restored the Police Department’s files within 72 hours and assured the department it did not pay a ransom, Henson said. In return for the testimonial, it waived its $75,000 fee.
MonsterCloud’s contract with the Trumann Police, obtained under a public records request, calls its recovery method a “trade secret” and says the firm would not explain the “proprietary means and methods by which client’s files were restored.” It also says that if “all possible means of directly decrypting client’s files have been exhausted,” the firm would attempt to recover data by “communicating with the cyber attacker.”
Pinhasi said that the Trumann department was crippled by the Dharma strain of ransomware. Wosar and Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware, said there was no known way of decrypting the Dharma ransomware in use at the time. They said MonsterCloud must have paid a hacker.
MonsterCloud also received a testimonial in lieu of a fee from the Lamar County, Texas, Sheriffâs Office. A May 2018 ransom note said: âYou are unlucky! The terrible virus has captured your files!â The sheriffâs office brought in MonsterCloud, which âdid an excellent job,â said Lamar County network administrator Joel Witherspoon.
He said MonsterCloud contacted the hacker, who was demanding 1 bitcoin, worth about $8,000 at the time. Witherspoon then told the company that the county wouldnât pay the ransom. MonsterCloud didnât answer him, he said.
âI donât think they would ever payâ the ransom, Witherspoon said. âThey just said they had a team of specialist engineers working on it.â
Pinhasi declined to say how MonsterCloud retrieved the law enforcement agenciesâ data but noted that it did so for free. âWe provide complimentary services to law enforcement agencies,â he said. âThere has never been one cent of taxpayer money used for any ransom weâve been involved with.â
Witherspoon was especially impressed by his primary contact at MonsterCloud, Zack Green. âZackâs title, dear God, itâs a mile long title. He seems to know a lot.â
Greenâs titles on his email signature include âRansomware Recovery Expert,â âCyber Counterterrorism Expert,â âCyber Crime Prevention Expertâ and âCyber Intelligence Threat Specialist.â We called MonsterCloud asking for Green but were told he was in a meeting. Cybersecurity experts said the credentials he lists are not actual industry designations.
Pinhasi said Green is an alias, but he declined to say for whom. âWe go based on aliases, because weâre dealing with cyberterrorists,â he said.
After we told Witherspoon that Green was an alias, his opinion of MonsterCloud changed. âIt makes me think, âDid we get attacked, or did they attack us?â I am surprised,â he said.
Some tributes to MonsterCloud on its website may also be fabricated. Under a section titled “Real Testimonials,” MonsterCloud posted 58 five-star Google reviews from clients like “Brad Stevens” and “Sam Smith” — the names of the Boston Celtics coach and a Grammy Award-winning singer, respectively. The reviews were replete with exclamation points and details of MonsterCloud’s heroics. A Google search showed that about half of them were submitted six months ago, when some of those same reviewers, including Stevens and Smith, also raved about a skin-care establishment down the street from MonsterCloud’s office. The two businesses share the same marketing director: Boris Zion.
Under his own name, Zion gave MonsterCloud a five-star Google review and more plaudits on TrustPilot.
“MonsterCloud is #1 ransomware company hands down!” he wrote in October. “I knew them for a while before I became a customer [when] I found myself in situation where my business was attacked.”
Pinhasi and Zion said that the testimonials are legitimate. “We sent out an email to our clients to ask for reviews as many businesses do, so many of our reviews came in around the same time,” Pinhasi said. Zion acknowledged it was “kind of coincidental” that the same customers had praised MonsterCloud and the skin care company. He said that it’s challenging to persuade publicity-shy ransomware victims to post positive reviews. “For the most part, nobody wants to write a review online,” he said. “You don’t tell anybody that you got hacked.”
He said that he couldn’t recall when he was attacked by ransomware, or by which strain. “I’m a marketing guy, not a cybersecurity expert,” he said. He agreed to send us the ransom note but never did.
After defending the reviews, MonsterCloud on Tuesday removed them from its website.
Storfer soon realized that neither his co-workers nor his bosses, brothers Victor and Mark Congionti, had much expertise in writing computer programs to disable ransomware. Before they started Proven Data, Mark Congionti had been a substitute math teacher. Victor Congionti had a more technical background — he had worked as an IT security analyst for an insurance company — but his passion was electronic dance music. Victor was building a side business as a disc jockey and rarely came to the Proven Data office, which was then in Mark’s house in White Plains, New York, Storfer said. The company moved this past March to an office building in Elmsford.
A 2016 resume posted on an archived version of Victor Congionti’s personal webpage said his roles at Proven Data included adding “to existing customer profitability” and “developing new business and strategic partnerships.” In his profile on a roommate-search website, he describes himself as a “foodie,” “fitness junkie” and “party person” who works from home. He told ProPublica that he is no longer a partier now that he has a 4-year-old son and is going to college to study electronic music production.
“We are not coders,” Victor Congionti acknowledged. He said Proven Data uses its network “to research any emerging ransomware variants and the potential for cracking encryptions.”
Richard Moavero, Proven Data’s client services manager, said that Mark Congionti is more involved than Victor in running the company day to day, including negotiating with hackers. “Mark’s really cool about it,” Moavero said. “If it was up to me, I’d punch them through the computer. His demeanor is really good in dealing with these people. Just the way he doesn’t get flustered. … He’s able to take the emotional part out of it.”
The Congionti brothers established Proven Data around 2011 primarily to recover information from broken hard drives and cameras and other hardware. As ransomware proliferated, and calls poured in from prospective clients seeking help releasing their encrypted files, the business model shifted, according to Victor Congionti and a review of the company’s archived web pages.
During his year and a half at Proven Data, Storfer fielded hundreds of these calls. He took a “don’t ask, don’t tell” approach to informing clients that Proven Data would pay their ransoms.
If they didn’t ask, “it was more of a lie by omission,” he said. If they asked, he told the truth. But some of those clients still requested a non-itemized receipt that didn’t break out the bitcoin ransom price separately.
“There were people who would ask us specifically not to put the bitcoin price on it,” he said. “By hiring a business like that, it does give you a kind of plausible deniability.”
His predecessors took a different approach. Storfer said he’s been told by the FBI that Proven Data’s staff used to rely on “canned responses” that gave clients two options for data recovery. The first was paying the ransom. The second option was to unlock the files using Proven Data’s technology. Unbeknownst to clients, Storfer said, the second option didn’t exist. If they chose it, Proven Data paid the ransom anyway.
Victor Congionti said that Proven Data employees “did use and still use scripts,” which he also called “canned responses.” Asked about the two options, he didn’t answer directly, but said, “If we have ever found any scripts to be misleading or perceived the wrong way, we would make the necessary changes immediately.”
Some clients became suspicious. After its networks were frozen by ransomware in June 2016, Safford, Arizona, hired Proven Data, said Cade Bryce, the city’s systems administrator.
Proven Data case manager Brad Miller told the city in an email that the company’s engineers had analyzed a sample file and found there was a “high chance for data recovery” by “using our streamlined process and latest technology.” Miller acknowledged the company’s price “can be high” and suggested that the city’s insurance “may cover the cost.”
According to Storfer and Victor Congionti, Brad Miller was an alias that the company used for overseas freelancers. “Their names can be complex,” Victor Congionti said. “We used this alias to simplify things.” He said the company has stopped using the alias “as we saw the confusion it could create. We did not view it as deceptive. It was for convenience.”
About a week later, Proven Data told the city that the “decryption process has completed successfully.” But the city later discovered that some files remained locked, Bryce said. Proven Data opened a new case and insisted on charging the city once more. Safford acquiesced — its insurance company ultimately reimbursed most of the total bill of $8,413 — but Bryce wondered why it had to pay twice if Proven Data already had the solution.
“If their algorithms did the first one, why couldn’t they do the second?” he said in an interview.
In mid-August, Proven Data gave up. “We haven’t had any luck decrypting this remaining variant and contact to the hackers has not yielded any results as well,” it said in an email.
Wosar and Gillespie said the most likely explanation was that Proven Data paid the ransom, but that bugs in the ransomware permanently damaged the files.
Sam Napier, the city’s IT administrator, shared the company’s update with Bryce. “I think you were right about them working with the hackers and adding a fee,” Napier wrote. Victor Congionti declined to comment on the Safford case.
One part of Storfer’s job was listening sympathetically to panicked IT managers who were confused and ashamed about the attacks on their organizations and fearful of losing their jobs. Another was bonding with cybercriminals, in the hope of reducing the ransom price.
Often, the victims who contacted Proven Data had already berated their attackers. Annoyed, some hackers would demand more money, and others would disappear, Storfer said.
“People would get into a pissing contest with the hacker and try to incite them,” he said. “Because they have all the power, they don’t take nicely to antagonistic behavior. You really want to unfortunately befriend them in some way or ingratiate yourself because you want to try to find some empathy.”
Moavero, the client services manager, agreed. “It’s not like one of those things where you can just get on and vent with them, because then they’ll just shut right off,” he said. “You have to treat them with kid gloves sometimes.”
Storfer often didn’t know whom he was dealing with. It could have been the ransomware creator or a middleman. Some of the people or crime organizations that develop ransomware strains also handle functions such as infecting computer networks, sending ransom notes and collecting payments. Others license the ransomware to intermediaries for a fee. From clues in their emails, such as video game references, he could sometimes tell which attackers came from the same hacker group.
Storfer said Proven Data kept a list of hackers who could supply decryption keys quickly and cheaply as needed. He bargain-hunted by stirring up “market rate competition” among them. “Even though one group may have done the hacking, a different group could provide you with the key,” he said.
“There are some hackers who would charge 1 bitcoin, which at its peak when they were doing this was about $10,000, to decrypt one machine,” he said. “Another hacker might have been able to do it for $4,000.”
In such cases, the interlopers would not supply Proven Data with a master key, which would have enabled the company to clear future incursions of the same ransomware for free. Instead, they would send a decryption key for the specific attack and victim. The attackers might never know they had been bypassed for payment, because some don’t track each victim among the thousands targeted.
Storfer learned quickly never to use the term “hacking.” Instead, he would assume his correspondent “thinks they’re a businessman,” Storfer said. “I’d say: ‘Look, we can’t afford this at this time. Do you mind providing your product at a lower rate?’ And it worked,” he said. “They’re doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way.”
The rapport sometimes reaped discounts. “We were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them,” Storfer said.
Once the attackers agreed to lower the ransom for one client, it was easier to persuade them to reduce it for others, as well. He’d tell them, “‘Look, we have another client who you may be able to help. Can you provide this pricing?’ Their response is: ‘Sure thing.’”
Though successful, his tactics made Storfer uneasy. “It’s one of the weird kind of gray areas that I never felt comfortable with — that I had to interact and almost befriend these individuals,” he said. “But for the good of helping people that we were dealing with and making their lives easier, I thought it was a real benefit.”
Storfer usually didn’t reveal his company to hackers. Still, by using the same anonymous email address repeatedly, he became familiar to them. The hackers would “want to verify that we worked with them before.”
“And I want to be clear, ‘worked with them’ being the most accurate term, but I want to say that there is no love in this agreement,” Storfer said. “I’m using terms like ‘working with them’ but it’s the skin-crawliest way to describe it, because we truly hate them. And it was something that we would openly talk about — about how creepy and crawly we felt in general to have to put yourself on their side and empathize with these individuals to get them to work with you. Because you kind of have to shed your skin afterwards.”
Despite Storfer’s best efforts, sometimes the hackers behaved erratically. Proven Data would pay the requested ransom, but they would not respond. At such times, Storfer would share the attacker’s email address and details of the snub with other hackers in the same group.
Then the hacker “would come back and say, ‘Sorry, I’ve been on a coke binge for three weeks,’” Storfer said.
For the FBI, retracing individual victims’ ransom payments has rarely been a priority. But Proven Data’s startling success in decrypting ransomware drew the attention of a bureau office in Anchorage, Alaska.
In April 2016, a strain of ransomware called DMA Locker infiltrated the computer files and backups for Leif Herrington’s real estate brokerage in Anchorage. The ransom note demanded 4 bitcoin, then worth about $1,680. Herrington called the FBI. “They said, ‘There’s thousands of these going on every day, we don’t have the resources to do anything,’” Herrington said.
Herrington’s son looked into the attack, discovered there was no known way to decrypt the files and suggested his father pay the ransom. After unsuccessful attempts to pay the ransom on his own and through a local IT firm, Herrington called Proven Data. It told him it could unlock his files for $6,000.
“They represented that they had proprietary software they developed to unencrypt,” Herrington said. “They never said anything about paying the ransom.”
A January 2018 FBI affidavit, seeking a search warrant to obtain information from Proven Data and its email provider, lays out what happened next. Herrington’s IT consultant, Simon Schroeder, gave Proven Data a sample infected file for evaluation. During a follow-up appointment a couple of days later, Schroeder granted remote access to Proven Data and watched as it unlocked a set of files in 45 minutes.
The firm cleared the files so quickly that Schroeder suspected it paid the ransom. Although Herrington was back in business, he called the FBI again. An agent came to his office to ask about Proven Data, Herrington said, adding that he and Schroeder turned over all their documents.
Herrington told the agent that he didn’t know whether Proven Data “actually had keys or if they were in cahoots with the ransomware attackers and just collected the money,” he said. “I suggested to the FBI that they would want to investigate them, whether they were somehow in partnership with the ransomware people.”
The FBI confirmed his hunch. Records provided to the FBI pursuant to a federal grand jury subpoena showed 4 bitcoin flowing from a Proven Data account to the online wallet that the attackers had designated for payment. An email from the hacker’s address thanked Proven Data for the payment and included instructions on decrypting Herrington’s files.
“Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim’s files by paying the subject the ransom amount,” the affidavit said.
The bureau interviewed Proven Data’s co-owners, the Congionti brothers. Mark Congionti acknowledged that at the time of the attack, there was no known way to unlock the files aside from paying the hacker, the affidavit said. (An FBI spokeswoman said in January that the bureau could not discuss the case because it was active. The U.S. Department of Justice declined this month to identify the target of the investigation or to say if it’s still ongoing. As yet, no charges have been publicly filed.)
Victor Congionti acknowledged that the company paid Herrington’s ransom. “It was the only option to get his data back,” he said. “We regret that he felt misled. … There was obviously a misunderstanding as to how we would solve his problem. We have re-examined all of our practices and procedures to ensure that such a misunderstanding does not occur again.”
The FBI agent discussed the possible legal nuances with Herrington. “The FBI did explain if they were up front, that was legal, but that if they represented they had the technology to do it, it might not be,” Herrington said. “They were not being up front about it. They said they had technological expertise.”
Also at issue was whether Proven Data had “any working relationship with the ransomware people,” Herrington recalled the agent saying. “The FBI was concerned that even if these companies were paying the ransom, it is encouraging the ransom people. By paying, they’re effectively keeping these guys in business.”
Proven Data had several hundred email exchanges with the addresses associated with DMA Locker attacks, according to the FBI affidavit. As with the SamSam hackers, Proven Data used its own email addresses with DMA Locker. “We interacted directly with them,” Storfer said.
Victor Congionti said Proven Data later determined that using its own address with hackers was “not advisable” and abandoned the practice.
Storfer wondered if the hacker behind DMA Locker was a British soccer fan because his emails contained references to Manchester United, including one username of “John United” and another honoring former team manager Alex Ferguson. The ransom price was in British pounds, an unusual currency in ransomware circles, he said.
“DMA was actually a very good, nice negotiator for the most part,” Storfer said. “He was very clear, straightforward,” and wrote “very proper English. And he had a tool that worked impeccably well, and he would even troubleshoot for you.”
Normally, attackers don’t send the key until they’re notified that the ransom has been paid, typically via a bitcoin transaction ID number. But the DMA Locker hacker was so familiar with Proven Data’s wallet IDs that sometimes he sent a decryption key as soon as he saw the bitcoin transaction post on the blockchain, the electronic public ledger of transactions.
“One of the weird benefits was that he knew our wallets enough that every time we sent him a payment, he would send us a key before we could send a transaction ID,” Storfer said. “He would literally sit on the blockchain, and just be like, ‘Oh ya, Proven, let me give you guys some keys.’”
Victor Congionti said he wasn’t “aware of this type of familiarity. If it did occur, we had no control over it.”
When the hacker decided to retire from the ransomware business, he let Proven Data know — and proposed one last deal.
“He literally said: ‘Hey, I’m shutting down service. Do you have any other clients that need keys? I’m doing this super discount for any of them,’” Storfer said. “I actually consider that one of the benefits of being friendly with — the biggest air quotations — the hackers.”
Proven Data raised Storfer’s salary, he said. But his conscience was weighing on him, especially after the FBI began questioning Proven Data employees in the Alaska case.
He worried that he was abetting a sophisticated form of organized crime. He struggled to justify his line of work to his family and friends, some of whom teased him for answering late-night hacker emails.
“Do I miss ever having to explain what my job is to anyone else? No,” Storfer said. “Having that conversation and trying to explain, oh what do you do? Oh, I negotiate with hackers for a living. … It is a very weird business, and it is one of the reasons I couldn’t stay in the field.”
After a year and a half at Proven Data, he decided to leave the industry. But he wavered in this resolve when Coveware, the Connecticut firm that is transparent about paying ransoms, sought to recruit him. Siegel, who co-founded Coveware in 2018, said he wanted to hire Storfer because of his familiarity with ransomware.
In the end, Storfer chose a job outside the data recovery industry. “I just decided that I wanted to get out of the space because I felt uncomfortable. … The realm where Proven Data and MonsterCloud and Coveware and all these groups act in is the Wild West. They set their own rules.” Victor Congionti confirmed that Storfer left voluntarily.
Moavero, who joined Proven Data soon after Storfer left, also had no background in cybersecurity. “I responded to an online ad looking for a head of customer service,” he said. “I had no clue what Proven Data did. … Ransomware? I had to go home and look up ransomware. It’s been a whirlwind.”
Even after Storfer left Proven Data, it still paid the SamSam hackers. Chainalysis found that on November 16, 2018, 1.6 bitcoin, or about $9,000 at the time, moved from Proven Data’s wallet to a digital currency address associated with the SamSam attackers — an intermediary step on the chain to the Iranian-controlled wallet. Twelve days later, the Iranians were indicted, and payments into their wallets were banned.
Today, hardly any money is left in those Iranian wallets.
Garen Hartunian contributed to this report.