New research from Check Point has revealed a new ransomware business model where companies claim to legitimately unlock encrypted files, but instead simply act as a broker between the attacker and the victim.
The cybersecurity firm’s researchers discovered a Russian IT consultancy named Dr. Shifro that claims it is capable of unlocking files scrambled by the Dharma/Crisis ransomware.
However, no decryption key is currently available for this strain of ransomware which led Check Point to investigate further.
They found that Dr. Shifro was actually contacting the ransomware’s creator themselves and negotiating a deal to unlock the victim’s files in return for the ransom payment. The Russian IT consultancy then passes that cost on to the victim along with their own fee which means that the victims actually end up paying twice.
Correspondence between Dr. Shifro and a ransomware creator was found that revealed that Dr. Shifro’s is actually a broker between the victim and attacker:
“I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?”
From 2015 to the present, Dr. Shifro is estimated to have completed over 300 ransomware decryptions for customers. Typically customers pay an additional $1,000 on top of the ransom to unlock their files.
Dr. Shifro’s business model could easily be replicated by other cybercriminals and it serves as a new development of the ransomware industry that both consumers and businesses should be aware of.