How to make money on encrypted file recovery effortlessly

Chipollino Onion Club May

Brother



"Specialists" in recovering encrypted files have teamed up with the operators of the ransomware.

Companies that specialize in recovering corporate data after ransomware attacks are actually paying the ransomware operators and charging their clients extra for it. According to the non-profit organization ProPublica, at least two American firms, Proven Data Recovery and MonsterCloud, use this tactic.

ProPublica traced four money transfers from Proven Data Recovery's bitcoin wallet to the wallet of SamSam ransomware operators. It is noteworthy that last year the US government imposed sanctions on Iranian citizens Ali Khorashadizadeh and Mohammad Gorbanian, who are SamSam operators. This means that US citizens are prohibited from doing business with them (including paying for encrypted data recovery).

According to representatives of Proven Data Recovery, the company recovers its customers' encrypted files using proprietary technology. However, according to the testimony of its former employee Jonathan Storfer, this is a complete lie, and in fact the company buys the decryption key from the ransomware operators themselves.

According to Victor Congionti, senior director of Proven Data Recovery, paying the ransom is a standard procedure carried out on behalf of the company's customers. However, Storfer disagrees with this wording. The former employee described how Proven Data Recovery managed to "make friends" with the ransomware operators and get discounts. As a result, the company keeps the clients' money that remains after the ransom is paid. Moreover, SamSam operators recommend that their victims seek help from Proven Data Recovery and even extend the payment term for them.

In addition to Proven Data Recovery, another company, MonsterCloud, offers a similar "service". The company also buys the decryption key from cybercriminals and tells its clients (including law enforcement agencies) that it uses its own technology.