• A Russian company claiming to provide ransomware decryption services turned out to be just a broker between victims and ransomware developers.
  • The company enjoyed a high-profit margin from its scam since 2015 and is estimated to have completed over 300 deals.

Mitigating the effects of a ransomware attack is a top priority for any afflicted organization looking to secure its network and devices. This creates a market for the firms who provide services that help tackle ransomware attacks. However, it is an unfortunate reality that no market is free of scammers and frauds. The market for cybersecurity services is no different from any other market in this regard.

One IT consultancy firm claiming to provide malware decryption services has proved to be a scam. The company claimed to provide ransomware decryption services for those affected by the Dharma/CrySiS ransomware. However, no decryptor is currently available for Dharma, which means that the only way to recover data is to purchase the decryption key from the ransomware developer. This was revealed during an undercover investigation by the security research team at Check Point, Bleeping Computer reported.

High-profit margin scam

The modus operandi of the Russian company Dr. Shifro is fairly straightforward. It claims to decrypt and recover its customers’ ransomware-infected files. In reality, the company simply pays the designated amount to the ransomware creator for decrypting the files and adds a hefty margin on top, which is then passed on to its customer.

The researchers at Check Point suggested that the profit margin for Dr. Shifro could likely be 75 percent or more. During the investigation, Dr. Shifro offered to unlock the affected files for $2,300, of which $1,300 was reserved for the ransom payment and a markup of $1,000 was added on top.

  • The company seems to have been active since 2015, according to the researchers.
  • Researchers estimate that the company could have brokered over 300 such deals and raked in at least 100 bitcoins.

One of Check Point’s researchers told The Daily Swig that this company is the first example of its kind that Check Point has observed, but it may not be unique.

Reason for caution

The business model employed by companies like Dr. Shifro is easily replicable by other scammers. Even though there are legitimate firms that can help in ransomware cases, they do not make exaggerated claims, unlike the scam artists. They usually only provide decryption services for cases in which the decryption key is publicly available. In cases where there may be no option other than paying the ransom, legitimate security firms are obliged to notify their customers about their limited options.

Thus, any company that makes too-good-to-be-true claims should be treated with suspicion by those seeking ransomware mitigation services.

Cyware Publisher