Note: To protect the identity of the individuals involved in these events, some details of the ransomware attack and recovery company have been altered.
Summary:
In the course of a recent threat actor communications engagement (also known as a ransomware negotiation), GuidePoint’s Research and Intelligence Team observed the intervention of a third party into a distinct chat portal with the negotiating ransomware affiliate. Based on the observed messages and the past interaction of the client with a nominal “ransomware decryption and recovery company,” we assess with a high degree of confidence that the third party was a representative of the recovery company, operating without the consent or knowledge of the client in an attempt to opportunistically secure a share of a ransom payment.
Historical reporting of similar occurrences with MonsterCloud and Proven Data circa 2017-2019 shows that this behavior is not altogether novel. According to ProPublica, both organizations framed their services using terms such as “Don’t Pay the Ransomware” because “paying doesn’t get your data back” – despite negotiating with and paying the threat actors indirectly in at least some portion of cases. Reporting on these cases highlights the technicalities and grey areas on which such “data recovery” companies may rely and the often confused or misled clients that they have impacted along the way. Nonetheless, in 2024, the behavior apparently continues under new firms, and firms that have faced such accusations in the past continue to operate.
Key Takeaways:
· Unfortunately, opportunistic actors remain prevalent and ready to take advantage of ransomware victims through omission or deception.
· Be extremely wary of any “data recovery company” that claims to be able to decrypt data encrypted as a result of ransomware. There are a few outlier cases where decryption can be achieved due to a vulnerability in specific encryptors, but there is no known “universal” method of decryption – especially not with a “99% success rate.”
· Vet any potential vendors, including by considering the authenticity of reviews and ratings. The recovery company involved in this instance claimed international media coverage and acclaim – none of which could be verified. The company also posted dozens of five-star reviews on Google – but not a single verifiable negative review. The old adage of “if it looks too good to be true…” holds fast here.
· Be mindful of claims to advanced technology, particularly where buzzwords are heavily involved. The recovery company, in this case, touted “quantic servers” used for decryption. Assuming this is a typo for “quantum,” the current state and cost of quantum computing are not such that it would make sense for a data recovery company to have mastered its use or afforded R&D costs.
· Work with vendors who can explain what they are doing and why. GuidePoint takes a collaborative approach to threat actor communications that relies on client consent, strategic planning, and continuous updates. Attempts to conceal actions or tactics, techniques, and procedures (TTPs), particularly when it comes to your environment and your data, should be viewed with skepticism.
Introduction
As 2024 starts drawing towards a close, we’ve observed another year overshadowed by ransomware, with new victims claimed and posted by threat groups on a daily basis. We have taken great care to report on trends in this space through our monthly, quarterly, and annual ransomware reports, which cover attacker behavior and developments from a broad perspective. However, outside of the attacker’s behavior and the defender’s response lies the human element of victims responding to what is frequently cited as the worst day of their lives.
Particularly in the case of small and midsized businesses (SMBs), victim organizations often don’t know where to start when they discover they have become victims of a ransomware attack – for many, a ransom note from the threat actor may be the only initial insight into what is going on. Absent additional advisors or experienced staff, some victims will turn to the logical first step – Google (or Bing, or DuckDuckGo, etc.) – to figure out what they should do next. As professional communicators and consultants, we often receive the call and have the privilege of advising organizations on how to engage the threat actor, but we are far from the only results that a victim may come across. In the not-so-distant past, a number of companies attracted media attention for opportunistically targeting ransomware victims with promises of restoration and decryption – as we’ll explore in this blog, this approach has not altogether stopped.
The start of negotiations
In early 2024, GuidePoint’s Research and Intelligence Team worked with a client to contact a ransomware threat actor (TA) in what we call a TA Communications engagement. The client, who had been impacted by a successful ransomware attack, faced network disruption and encryption of enterprise data, and hoped to return to routine operations as soon as possible despite not having a viable recovery strategy absent a decryptor. Par for the course, the client had received a ransom note, and we began the engagement by explaining our communication methodology and associated risks and providing a behavior profile drawn from past negotiations associated with the group’s affiliates.
The same client informed us early on that they had contacted another organization for assistance, which we will refer to throughout this blog as “RecoveryCo.” RecoveryCo came to the client’s attention through a professional website boasting of their ability to decrypt ransomware encryption using “quantic servers” and a “99% success rate” in decryption. RecoveryCo advertised worldwide offices, media attention, and a high volume of testimonials. Notably, RecoveryCo repeated the assertion that through their decryption, there would be no need to pay the attacker.
Upon contacting RecoveryCo, the client was asked to pay a $2,000 diagnostic fee and tasked to run a diagnostic tool on the impacted infrastructure, which RecoveryCo’s representatives alleged would allow them to determine the cost of decryption. The client followed these steps to the letter and eventually received a quote of $400,000 USD for full decryption of the impacted systems—an additional $100,000 over the ransom demand from the attacker. The client understandably and politely declined further services from RecoveryCo, instead opting to move forward by communicating with the threat actor.
Burn after reading
We began the communications process by accessing the threat actor’s chat portal, accessible only on the “dark web” using The Onion Router (Tor) network and browser and requiring dedicated credentials left in the ransom notes scattered across the client’s network. This is typically an uneventful process, with most threat actors following a similar script early on in communications. As the communications veered into negotiations, we logged in on a Wednesday afternoon to find an anomalous message from the threat actor who had, until recently, been making counteroffers and threats – a Privnote link.
Privnote is a service that allows users to send self-destructing messages that can only be viewed once. Shortly after receiving the link, we received follow-on messages from the threat actor via the chat portal, asking us to read the note and why we had not yet opened the message. When we finally opened the note, we observed the words “A dedicated login credentials for you:” along with what appeared to be alternate chat credentials for the actor’s chat infrastructure. We noted the contents and used the credentials to log in on a separate device, this time noting a different name where the client’s name had previously appeared in the chat – “RecoveryCo.”
GRIT, like most ransomware negotiation firms, does not assert itself as a recovery company or consultant in engaging with threat actors, instead assuming the identity of the victim’s staff; this prevents confusion and possible agitation in a subset of threat actors. Faced with a new set of credentials and a chat portal declaring us as RecoveryCo, our first question was how we had been discovered – was this an OPSEC mistake? A slip-up in our communications? We could find no indication one way or another. While we continued the “main” negotiation, we found our first hint in a message to the RecoveryCo chat sent from the threat actor: “Hi, so what are the other cases you want to talk about?” The new chat, as we would come to find, was not intended for us at all.
Caught in their own web
We continued to monitor the new chat portal while we carried out the remainder of the primary negotiation and observed a third party enter the portal and begin communicating with the threat actor. The third party communicated to the threat actor that they were authorized to act and speak on behalf of our client and attempted to negotiate prices for the client and a second victim with whom we were unfamiliar. The third party claimed to have had “the word of the owner of the company” that our client was willing to pay $75,000 for their recovery services – but our client confirmed that they had communicated no such willingness to anyone.
In consultation with the client and with the primary negotiation wearing on, we could reach only one possible conclusion about the identity of the third party – this was RecoveryCo. Outside of the client and GRIT, only RecoveryCo would have had access to the details of the attack and the credentials required to initiate communications with the threat actor. Over the next several days, we watched this theory play out in the third party’s exchanges with the threat actor:
[Threat Actor]:
It looks like you want to discuss about <REDACTED VICTIM NAME>
[Recovery Company]:
Thanks for accepting. I have two cases but I need to arrange a price to be able to pay,
<REDACTED CLIENT NAME> – <REDACTED RANSOM DEMAND>, we have a lot of their data, not yet categorized
For user: <REDACTED CLIENT LOGIN FOR VICTIM PORTAL>
I can pay 75.000 USD
Usernames don’t tell me anything
<REDACTED CLIENT NAME> They already got a discount of $50,000
The person you are in the chat with is simple network technician, he has no power. I can achieve 75.000 USD in less than 5 days. I have the word of the owner of the company.
The third party – who we assessed to be RecoveryCo – also attempted to negotiate the ransom payment for a second organization associated with a $3.5 million USD ransom. The threat actor appeared to have been open to cooperation, offering the third party $250,000 if they could convince the second organization to pay a ransom of $3.75 million USD. Seemingly acknowledging that such a payment was unlikely, the third party pleaded for a lower amount and floated the prospect of a long-term arrangement with the threat actor, disclosing that they could “help you achieve cases in other countries, my company has coverage in Europe, America, and Asia.”
Ok, give me 12 hours to reply
and the case <REDACTED VICTIM NAME>?
It’s a lot of money, you did your calculations wrong, they can’t pay all that money.
We have an internal policy that we can give discounts only to small companies, and for you, we can give you a $250,000 discount.
Check with your team and tell me the minimum price for them and I will find a solution.
$3,500,000
Please give me 5 minutes
If you can convince them to pay $3,750,000 then I will reward you $250,000 on your BTC address
Hello, I respect your policies but they are not viable for companies to pay, you are asking a lot of money. I am inside this organization and they cannot pay more than 1.5M
I want to help but I need you to lower the price.
With respect I tell you that 1.5M in your pocket is better than not having it.
I can help you achieve cases in other countries, my company has coverage in Europe, America, and Asia. Please talk to your group and look for cheaper price options.
The threat actor also appears to have grown suspicious of RecoveryCo to some extent and asked for the name of their organization. RecoveryCo was not keen to reveal this information to the threat actor.
What is the name of your company?
Hi
I am sorry for delay
I prefer to keep my company confidentially.
Final Thoughts
Thankfully, in this instance, RecoveryCo received no further business or payment from the client, preventing the company from profiting from what we assess to be deceptive business practices. Based on the information available to us and the alternate discussions observed, we have a high level of confidence that we observed RecoveryCo in the act of attempting to perform an unauthorized negotiation with the likely goal of presenting a reduced “recovery” rate to the client. This process would have deprived the client of an accurate understanding of the incident’s resolution and potentially bolstered the reputation of the company and its claims. Our confidence in this assessment is increased by unofficial industry discussions with other threat actor communications firms, at least two of which have corroborated details of RecoveryCo’s business practices.
This incident reflects two of potentially many ransomware cases in which RecoveryCo may have intervened, and we do not know the full extent of the company’s past business. We present this information as a cautionary tale for future ransomware victims and a reminder that predatory businesses remain operating in the wild.
Postscript: We would like to thank our partners at DigitalMint for their information validation, analysis and contributions to this report.
Justin Timothy
Threat Intelligence Consultant,
GuidePoint Security
Justin Timothy is a Threat Intelligence Consultant for GuidePoint’s Research and Intelligence Team, where he engages in threat intelligence reporting on behalf of the firm’s clients. His career background includes working for a non-profit that supports both the private and public sectors with services including threat intelligence. His primary focuses in this position were malware analysis and cyber threat intelligence. Justin holds a Bachelor of Science in Computer Science from Seton Hill University.