Fake ransomware 'cures' actually just pay the scammer


In an interesting new trend, some companies are claiming to be able to unlock encrypted files following a ransomware attack, but are in fact simply acting as brokers between victims and attackers.

Researchers at Check Point have discovered a Russian IT consultancy named Dr. Shifro that claims to unlock and recover consumers' and businesses' encrypted files.


In fact, the company simply pays the ransomware's creator itself and passes the cost on to the victim at a 75 percent-plus profit margin. So the victim's files are decrypted, the cybercriminal gets a ransom payment and Dr. Shifro pockets a substantial fee.

In one case that researchers followed, Dr. Shifro struck a deal to unlock the victim's files in return for a ransom payment of $1300, passing that cost on to the victim with its own fee of $1000 charged on top.

As a business model it seems to be working. Researchers say that Dr. Shifro has been active for over two and a half years and has carried out more than 300 ransomware decryptions for customers. The average value of Bitcoin during Check Point’s investigation was $3000, and the trading volume of Dr. Shifro's account is at least 100 BTC -- which means that they have spent at least $300,000 on decryption key purchases, paying approximately $950 for each key and charging a fee of around $1,000 to the customer.

Check Point researchers point out that, "The business model that Dr. Shifro has created is an attractive one that could easily be replicated by other entrepreneurial scam artists and serves as a new development of the ransomware industry that both individuals and organizations should be wary of."

You can find out more on the Check Point blog.

Image credit: alfa4studio/depositphotos.com


© 1998-2022 BetaNews, Inc. All Rights Reserved.