How Companies Profit from Restoring Encrypted Files After Ransomware Attacks

So-called “specialists” in restoring encrypted files have teamed up with ransomware operators. Companies that claim to specialize in recovering corporate data after ransomware attacks are actually paying the hackers and charging their clients extra for the service. According to the nonprofit organization ProPublica, at least two American firms—Proven Data Recovery and MonsterCloud—use this approach.

ProPublica investigators were able to track four Bitcoin payments made from Proven Data Recovery’s wallet to the wallet of the SamSam ransomware operators. Notably, last year the U.S. government imposed sanctions on Iranian citizens Ali Khorashadizadeh and Mohammad Ghorbaniyan, who are believed to be behind SamSam. This means that U.S. citizens are prohibited from doing business with them, including paying for the recovery of encrypted data.

Proven Data Recovery claims that it restores clients’ encrypted files using proprietary technology. However, according to former employee Jonathan Storfer, this is completely false—the company actually buys the decryption key directly from the hackers.

Victor Congionti, Senior Director at Proven Data Recovery, says that paying the ransom is a standard procedure carried out on behalf of the company’s clients. Storfer, however, disagrees with this characterization. He explained how Proven Data Recovery managed to “befriend” the ransomware operators and negotiate discounts. As a result, the company keeps the leftover money from the client after paying the ransom. Furthermore, the SamSam operators even recommend that their victims seek help from Proven Data Recovery and sometimes extend the payment deadline for them.

In addition to Proven Data Recovery, another company—MonsterCloud—offers a similar “service.” MonsterCloud also buys the decryption key from cybercriminals but tells its clients (including law enforcement agencies) that it uses its own technology.