#MonsterClouds | Explore Tumblr Posts and Blogs

mostlysignssomeportents · 5 years

Text

Grifty "information security" companies promised they could decrypt ransomware-locked computers, but they were just quietly paying the ransoms

Ransomware has been around since the late 1980s, but it got a massive shot in the arm when leaked NSA cyberweapons were merged with existing strains of ransomware, with new payment mechanisms that used cryptocurrencies, leading to multiple ransomware epidemics that locked up businesses, hospitals, schools, and more (and then there are the state-level cyberattacks that pretend to be ransomware).

The boom in ransomware infections is also a boom for companies that provide services to the infected. A lot of these companies are in the business of taking your money, sending some Bitcoin to your attackers, then holding your hand as you use the codes the attackers provide to get your files back (assuming the malware performs according to spec and that the ransomware attackers don't just run off with your dough).

But not everyone wants to pay ransom! There are ethical and political reasons to avoid paying ransom, and the more money ransomware attracts, the more clever programmers will throw themselves at the project of making ransomware even more virulent and widespread.

Some companies advertised that they could decrypt your locked-up files without paying the ransom, using proprietary methods they'd developed in house to undo the attackers' encryption. This isn't outside the realm of possibility (programmers make mistakes) but it's still a bit of a stretch (well-implemented encryption is extremely robust).

Propublica's Renee Dudley and Jeff Kao provide a deep investigative look at two of these "don't pay ransom" companies, Proven Data and MonsterCloud, and reveal that these companies made false representations and had no ability to decrypt their customers' files. Instead, they simply paid the ransoms and deceived their customers about their activities. The reps the customers dealt with turn out to be pseudonymous fake people, and the marketing endorsements on these companies' sites are also almost certainly fabricated.

The companies not only paid ransoms, they effectively became confederates of the ransomware criminals, creating long-term, professional relationships with them that allowed them to negotiate for extra time on their customers' behalf. What's more the criminals began to refer their victims to the companies, advising the victims that if they couldn't figure out how to pay ransom or needed to be convinced that the threat was real, that they should pay these companies for their professional services.

Propublica quotes on-the-record whistleblowers, the executives at the companies, and their customers, and paint a picture of companies that engaged in blatant misrepresentation to the detriment of their customers, peddling lies and snake-oil to people who'd already been victimized. Meanwhile, public records show that the founders of these companies got ridiculously rich, buying multiple luxury homes and luxury cars. These founders deny that they told customers that their data could be decrypted without paying, but their own websites make these claims in plain language.

The grift encompasses people like former FBI director and Mueller crony John Pistole, who produced a still-available promo for MonsterCloud in which he falsely states that "MonsterCloud’s proprietary technology and expertise protects their professional reputations and organizational integrity" and that this allows customers to recover their data without paying ransom -- a claim Pistole admits he knows is false.

Meanwhile, Propublica traces some of the money that the anti-ransomeware companies quietly paid to criminals ended up violating US sanctions against Iran.

https://boingboing.net/2019/05/16/john-pistole-shilled.html

66 notes · View notes

jdpink · 3 years

Text

Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.

Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)

According to an investigation by ProPublica, MonsterCloud has a long track record of secretly negotiating with hackers. ProPublica spoke with a number of former clients who believed that their files had been decrypted without their paying a ransom, even though the ransomware strains in question made this outcome highly unlikely; most are impossible to decrypt unless there is an error in the code. MonsterCloud is one of a handful of U.S.-based data-recovery companies that appear to follow a similar business model. By purporting to decrypt files using high-tech tools, these firms allow their clients to believe that ransomware can be addressed without sending funds to criminal syndicates—a strategy that’s particularly appealing to MonsterCloud’s publicly funded clients, such as municipalities or law-enforcement departments. Ransomware groups recognize that data-recovery firms can be lucrative partners; one offers a promo code especially for such firms.

https://www.newyorker.com/magazine/2021/06/07/how-to-negotiate-with-ransomware-hackers

#ransomware

0 notes

eprnews · 4 years

Photo

MonsterCloud Reviews the Top 5 Ransomware Removal Tips for 2020 https://eprnews.com/monstercloud-reviews-the-top-5-ransomware-removal-tips-for-2020-469598/

#ePRNews #eprnews

0 notes

seowebdev-blog1 · 5 years

Text

Counterterrorism expert: Little Health Care Firms are the Brand New ransomware Goals

MonsterCloud CEO states RYUK strikes can be deadly for businesses which can not afford to pay the ransom or to seek support from specialists. Top 5 extra methods to fend off ransomware In 2019, 23 town governments in Texas undergone a coordinated ransomware attack. Tom Merritt [...]

Read full article here 📄 👉 http://bit.ly/32ELxhq

https://www.seowebdev.co/counterterrorism-expert-little-health-care-firms-are-the-brand-new-ransomware-goals/

#Computers #Technology

0 notes

jendotcohen · 7 years

Photo

#Repost @_aloha_stateofmind_ ・・・ Life is short. Smile while you still have teeth 😁☀️❤️ • • #alohastateofmind #smile #alot #cloudz #cloudlover #cloudporn #monstercloud #skylover #crazysky #sunset #sunsetsky #sunsetsniper #behappy #bekind #darksky #darksouls #goodvibes #crazygirls #❤️

0 notes

glencocothemermaid · 7 years

Photo

#clouds #drink #monstercloud

0 notes

griffinmoss · 7 years

Photo

#burpple @instafoodapp #instafood #instafoodapp #instagood #food #foodporn #delicious #eating #foodpics #foodgasm #foodie #tasty #yummy #eat #hungry #love #unitedstates #usa #anaheim #anaheimpackingdistrict #anaheimpackinghouse #monster #minimonster #food #restaurant #day #monstercloud (at Mini Monster)

0 notes

milky-meido · 7 years

Photo

Rainbow Cloud and Monster Cloud! 🌈 ☁️👹☁️ And we got our first lightbulb jars! 💡😊 💕@snowmonsteroc #snowmonster #rainbowcloud #monstercloud #bobatea #boba #lightbulbdrink #lightbulb #cottoncandy #fruitypebbles #milktea #laeats #oceats #foodie #foodiegram (at Snow Monster)

#boba #lightbulbdrink #foodiegram #fruitypebbles #milktea #rainbowcloud #laeats #oceats #snowmonster #foodie #cottoncandy #bobatea #monstercloud #lightbulb

0 notes

jdkinetagiri · 5 years

Text

Counterterrorism expert: Small healthcare companies are the new ransomware targets

MonsterCloud CEO says RYUK attacks can be fatal for businesses that can’t afford to pay the ransom or to get help from experts.

View On WordPress

0 notes

aheliotech · 5 years

Text

Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers”

New Post has been published on https://www.aheliotech.com/blog/sting-catches-another-ransomware-firm-red-mosquito-negotiating-with-hackers/

Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers.

Now there’s new evidence that a U.K. firm takes a similar approach. Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was “running tests” to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company’s communications to both sides.

Red Mosquito Data Recovery “made no effort to not pay the ransom” and instead went “straight to the ransomware author literally within minutes,” Wosar said. “Behavior like this is what keeps ransomware running.”

Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware’s spread, and culprits are rarely caught. If files encrypted by attackers are not backed up, and a free public decryption tool is unavailable, usually the only way to clear them is paying the ransom, said Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware. But clients who don’t want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.

On its website, Red Mosquito Data Recovery calls itself a “one-stop data recovery and consultancy service” and says it has dealt with hundreds of ransomware cases worldwide in the past year. It advertised last week that its “international service” offers “experts who can offer honest, free advice.” It said it offers a “professional alternative” to paying a ransom, but cautioned that “paying the ransom may be the only viable option for getting your files decrypted.”

It does “not recommend negotiating directly with criminals since this can further compromise security,” it added.

Red Mosquito Data Recovery did not respond to emailed questions, and hung up when we called the number listed on its website. After being contacted by ProPublica, the company removed the statement from its website that it provides an alternative to paying hackers. It also changed “honest, free advice” to “simple free advice,” and the “hundreds” of ransomware cases it has handled to “many.”

Besides Red Mosquito Data Recovery’s website, a company called Red Mosquito has its own website. A person answering the phone at the Red Mosquito site said they are “sister” companies and that RMDR, as it is known, specializes in helping ransomware victims. The Red Mosquito site markets a wider array of cyber-services.

The two U.S. firms, Proven Data Recovery of Elmsford, New York, and Hollywood, Florida-based MonsterCloud, both promised to use their own technology to help ransomware victims unlock their data, but instead typically obtained decryption tools from cyberattackers by paying ransoms, ProPublica found.

We also traced ransom payments from Proven Data to Iranian hackers who allegedly developed a strain known as SamSam that paralyzed computer networks across North America and the U.K. The U.S. government later indicted two Iranian men on fraud charges for allegedly orchestrating the extortion, and banned payments to two digital currency destinations associated with them. Proven Data chief executive Victor Congionti told ProPublica in May it paid the SamSam attackers at the direction of clients, and didn’t know they were affiliated with Iran until the U.S. government’s actions. Congionti said that Proven Data’s policy on disclosing ransom payments to clients has “evolved over time” and it is now “completely transparent.”

MonsterCloud chief executive Zohar Pinhasi said in May that its data recovery methods are a trade secret and it doesn’t mislead clients. A spokesperson said Friday that Pinhasi stands by his earlier statements.

For his Red Mosquito Data Recovery experiment, Wosar said he created a fake ransomware, which he named “GOTCHA.” He also drafted a ransom note — laden with typos such as “immidiately” for authenticity, since many attackers aren’t native English speakers — with instructions for contacting the hacker, according to a copy of the note that he provided to ProPublica. Like many actual ransom notes, Wosar’s included a unique ID sequence, and instructed the victim to use it in any reply, the copy shows. Such a sequence helps real hackers know which victim is paying them. Wosar said he inserted it so that he could confirm it was Red Mosquito Data Recovery contacting him at the “hacker” email address, even if the firm didn’t identify itself. The ID sequence was an encrypted version of the company’s own name, he said.

On April 17, posing as prospective client “Joe Mess,” Wosar sought RMDR’s help, according to emails he provided to ProPublica. Attaching the ransom note and sample files, he wrote in an email, “Two days ago I found my home server to be hacked by someone and all my pictures, documents, videos, and other files have been renamed to .gotcha files and encrypted… I don’t have any backups but I do not want to pay those assholes.”

“I am very confident we will be able to recover your files,” someone identifying himself as Conor Lairg replied later that day from a Red Mosquito email address, copies of the correspondence show. “We are now running tests and I will be in touch as soon as possible with an update.”

Two minutes later, Wosar’s hacker email account lit up with a response from “tony7877(Replace this parenthesis with the @ sign)protonmail.com.” The subject line contained the unique ID he had assigned to the victim, which meant the message could only come from Red Mosquito Data Recovery or someone that the company shared it with.

“How much for decrypt?” the respondent asked.

Meanwhile, “Joe Mess” pressed Lairg for confirmation that Red Mosquito wouldn’t pay the ransom: “So you think you may be able to help without me having to pay the ransom?”

“We are still investigating and will get back to you as soon as possible,” Lairg responded.

Less than an hour later, Wosar, posing as the hacker, began negotiating with “tony7877(Replace this parenthesis with the @ sign)protonmail.com,” the correspondence shows.

“$1200 in Bitcoin,” he wrote. “You pay, we provide key and decriptor (sic) to recover data.”

The respondent sought a better deal. “Can you do for 500 USD,” it replied.

Wosar’s hacker alter ego agreed to lower the price. “$900. Take it or kiss data bye bye,” he wrote. “We don’t run chairity (sic) here.”

The contact told him it would try to obtain the Bitcoin needed.

The next day, documents show, Lairg wrote to Wosar’s victim email address, saying he was “pleased to confirm that we can recover your encrypted files” for $3,950 — four times as much as the agreed-upon ransom. Lairg said the firm would recover the files within an estimated three business days. Payment would be required before recovery began, but the money would be returned if they couldn’t recover any of the files, he wrote.

Posing as the victim, Wosar asked: “How did you do it?” Lairg did not answer, instead providing details of how to handle payment and outlining steps to prepare for the recovery, such as disabling anti-virus software that could interfere with decryption, according to the documents. Wosar said he stopped communications after that.

No one named Conor Lairg is listed on the contact pages of either Red Mosquito website or on LinkedIn. Calls to both Red Mosquito companies did not reach him.

In its investigation, ProPublica found that both MonsterCloud and Proven Data used aliases in dealing with customers.

Using the same ruse, Wosar said, he also contacted Proven Data, MonsterCloud, and a company outside the U.S. with which his experiment is still in progress. Proven Data was “very open about paying ransoms so no point to following up after that,” Wosar said. He said MonsterCloud, which currently serves businesses and government agencies hit by ransomware rather than home users, did not respond.

“Wosar is well respected in the cyber security community, and we take no issue with him poking and prodding various cyber security companies,” Pinhasi, the MonsterCloud CEO, said in a statement Monday. “MonsterCloud did not respond to his inquiry simply because we do not serve individual consumers – there was no action to be taken. However, it’s my strong preference that oversight and regulation be done through appropriate bodies – industry and/or government organizations that are both peer reviewed for proper checks and balances and also utilize proper scientific method, study methodology, and processes.”

This is the second time that Wosar has targeted Red Mosquito, he said. In 2016, he said this year, he and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed Red Mosquito, as well as MonsterCloud and Proven Data, posing as a victim who didn’t want to pay a ransom, he said.

The firms eagerly agreed to help, claiming the ability to decrypt ransomware strains that were not actually breakable — and they didn’t mention that they paid ransom, Wosar said. The email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms. Wosar said he no longer has the email correspondence from the 2016 sting.

Congionti and Pinhasi both said they could not recall the particular case. Red Mosquito did not respond to an emailed question about it.

“Ransomware victims need to be aware that there’s no silver bullet when it comes to restoring their data,” Wosar said. “There is also no shame for a data recovery company in paying the ransom, as long as they are open and transparent about it.”

The post Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers” appeared first on Emsisoft | Security Blog.

0 notes

heckyeahlucilleballilovelucy · 5 years

Text

Ransomware recovery firms often just pay attackers’ ransom demands

Companies advertising ransomware recovery services often simply pay the attackers their ransom demand in exchange for the decryption keys, an investigation into the sector has revealed.

A former employee at Proven Data Recovery of Elmsford, New York, tells ProPublica that the firm “regularly made ransom payments to SamSam hackers over more than a year.”

Instead of using specialized decryption tools, as one would imagine, the company (and others like it) resorted to simply paying the attackers to decrypt the data, according to Jonathan Storfer, who worked at Proven Data Recovery.

The firm hasn’t always been very transparent about its practices, but it does openly admit to paying ransomware demands as a last resort. From the company’s website:

“Our goal as one of the first companies to become involved with Ransomware recovery is to restore business functionality as soon as possible while preventing future ransomware occurrences. Whether it’s reverse engineering the malware, restoring from backups, or as a last resort option paying the ransom, we’re standing by to get you up and running as soon as possible.”

MosterCloud is another example offered in the ProPublica report. Despite professing to use its own data recovery technology, the Florida-based firm pays ransoms, “sometimes without informing victims such as local law enforcement agencies,” according to the report.

Like Proven Data Recovery, MonsterCloud charges victims fees that exceed the actual ransom amounts. Both firms also use aliases for their workers in communicating with victims.

Some players in the ransomware recovery industry are very open about their practices:

“In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.”

Proven Data Chief Executive Victor Congionti defends the practice. He says it’s easy to blame those who give in to a ransomware attack, but, when it’s your data, your business, and potential lives at stake, it’s not so black and white.

“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”

It’s an even bigger moral predicament when one realizes that many ransomware operators, such as those behind the SamSam ransomware strain, are essentially enemy states.

“Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran,” the report notes.

Investigators said the practice underscores the lack of options for ransomware victims, including the failure of law enforcement to catch or deter attackers.

As we’ve said before on this blog, the best option to prevent a ransomware infection is just that – to keep it from happening in the first place. Keep regular, offline backups of your most sensitive, business-critical data in case disaster strikes.

from HOTforSecurity http://bit.ly/2HpLn63

#HOTforSecurity

0 notes

click2watch · 5 years

Text

Study Finds Most Ransomware Solutions Just Pay Out Crypto

A study by ProPublica found that most ransomware solutions providers have one weird trick for getting rid of hackers – paying them off.

Ransomware activity is growing weekly according to experts at Coveware . The result? Companies who just want to pay the ransom and move on.

According to Coveware, ransomware attacks were up in Q1 2019:

In Q1 of 2019, the average ransom increased by 89% to $12,762, as compared to $6,733 in Q4 of 2018. The ransom increase reflects increased infections of more expensive types of ransomware such as Ryuk, Bitpaymer, and Iencrypt. These types of ransomware are predominantly used in bespoke targeted attacks on larger enterprise targets.

Once hackers encrypt an infected computer, however, the real question is how to unlock your data. ProPublica found that many data recovery firms simply pay the ransom and then charge a premium for their trouble.

Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

Going up

Ransomware is getting worse.

After US Attorney General traced and indicted two Iranian hackers for releasing ransomware called SamSam, authorities hoped the prevalence of attacks would fall. Instead, it rose, beating 2018 levels considerably.

The reason, many believe, is because ransomware is so lucrative. Hackers can launch an attack and then, when the victims discover the hack, they negotiate briefly with companies like MonsterCloud and others to unlock the computers. However, many of these companies offer recovery methods and many security researchers work on free methods this one for the popular WannaCry ransomware.

Unfortunately, the hacks are getting worse and the software necessary is getting more complex.

Coveware admits to actually negotiating with scammers. They’ve found it to be one of the simplest methods for getting data back. The concern, however, is that these efforts are inadvertently funding terrorism. Further, they write, it is taking longer to decrypt hacked computers, thanks to new versions of the ransomeware. In Q1 2019, wrote Coveware, the “average downtime increased to 7.3 days, from 6.2 days in Q4 of 2018.”

Pattern recognition

Coveware CEO Bill Siegel has found that the average ransomware recovery isn’t really a negotiation with “terrorists” as US Government officials believe. They’ve negotiated a “few hundred” ransomware cases this year and find that each hacker is different and often just frustrated.

“Our sense based on our study of the industry and experience is that the vast vast majority are relatively normal people that don’t have legal economic prospects that match their technical abilities,” Siegel said. “They also live in parts of the world that are beyond the jurisdiction of Western law enforcement, and are ambivalent about stealing from the West.”

Their process for talking with the hackers is also quite precise.

“We study their communications patterns so that we can build up a database of experience. There is a surprisingly small group of threat actors that are active at any given time, so identifying them is relatively straight forward. From there, we have scripts and tactics that we have honed over our experience. We draw on those to develop a negotiation strategy on behalf of our client. We know the hackers based on the profile and patterns they exhaust. We don’t communicate with them outside of representing our clients in a negotiation. All of the data exhaust we create from our cases is provided to law enforcement on a quarterly basis as well.”

Zohar Pinhasi of MonsterCloud said his company worked hard to use both methods – recovery and ransom.

The recovery process varies from case to case depending on the scope and nature of the cyber attack. Our methods for achieving data recovery and protection are the product of years of technical experience and expertise and we do not disclose the process to the public or to our customers. That is communicated clearly up front. However, what I can tell you is that we are a cyber security company, not a data recovery company. We have vast knowledge and experience dealing with these criminals, and we spend countless hours staying atop their evolving methods in order to provide our clients with protections against all future attackers, not just the one infiltrating their data at the time they come to us. We offer a money back guarantee to any client if we are unable to recover their data, and to date we have not had a single client report a follow-up attack from the same criminals or any other attacker.

While sending a few thousand BTC to a strange address might not sit well with many victims, it still looks like the best way to reduce downtimes. After all, it’s the organization’s fault for catching the ransomware bug in the first place. Prevention, as they say, is often better than the cure.

Image via Coindesk archive.

This news post is collected from CoinDesk