Researchers from leading cybersecurity vendor Check Point have uncovered a Russian IT consultancy named Dr. Shifro (http://www.dr-shifro.ru/) that claims to unlock and recover consumers’ and businesses’ encrypted files. But in fact, the company simply pays the ransomware’s creator themselves and passes the cost onto the victim at a 75%-plus profit margin.
Dr. Shifro offers only one service – helping ransomware victims unlock their files. It claims to be able to unlock files scrambled by the Dharma/Crisis ransomware (for which no decryption key is available), among others, which is suspicious. This caused the Check Point researchers to investigate.
They found that Dr. Shifro was actually making contact with the ransomware’s creator themselves and making a deal to unlock the victim’s files in return for the ransom payment (in the case the researchers followed, $1300). Dr. Shifro then passes that cost on to the victim, with their own fee charged on top (another $1000).
The researchers found correspondence between Dr. Shifro and a ransomware creator which shows how Dr. Shifro’s ‘consultancy’ works. By connecting directly with the threat actor to collect the decryption key, in return for payment, Dr. Shifro simply acts as a broker between victim and attacker:
“I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?”
As a result, the victim has their files decrypted, the cybercriminal gets his ransom payment and Dr. Shifro, at a significant markup earns a handsome ‘broker’ fee. Dr Shifro is estimated to have done over 300 ransomware decryptions for customers. The average value of Bitcoin during Check Point’s investigation was $3000, and the trading volume of Dr. Shifro’s account is at least 100 BTC – which means that they have spent at least $300,000 on key purchase, paying approximately $950 for each key and charging a fee of around $1,000 dollars to the customer.
The first point with services like Dr. Shifro’s is “if it sounds too good to be true, it probably is.” While there are legitimate IT consultancies that can help recover systems and files from a ransomware attack, they will usually not make promises they cannot keep. In fact, they will only usually only offer to help where decryption keys are already publicly available online, and perform decryption services for those who may be unable to do so themselves. Anyone claiming otherwise should be approached with caution.
The business model that Dr. Shifro has created is an attractive one that could easily be replicated by other entrepreneurial scam artists and serves as a new development of the ransomware industry that both individuals and organizations should be wary of.
Organizations should consider using anti-ransomware prevention solutions across their network in order to avoid being infected in the first place. Check Point recommends solutions that do not rely on signatures to identify the various ransomware strains, and are able to extract suspicious files in a virtual sandbox and automatically recover encrypted files. Those affected by ransomware should visit Europol’s https://www.nomoreransom.org/ site for further advice and ways to unlock encrypted files.
The average ransom demand to businesses is around $10,000. According to Europol’s 2018 Internet Organized Crime Threat Assessment, the ransomware industry is now worth an estimated $5 billion annually.