A Glasgow-based cybersecurity company has been accused of negotiating a payment with cybercriminals to retrieve files locked by a ransomware attack.
In an exposé originally reported by ProPublica, it is alleged that Red Mosquito Data Recovery claimed to be in the process of recovering files seized during an attack, when in fact the ‘attack’ was a ‘sting operation’ run by cybersecurity researchers at anti-virus provider Emsisoft to test the firm’s capabilities.
Red Mosquito Data Recovery (RMDR), which is based at Blairtummock Place near Easterhouse, describes itself as a “one-stop data recovery and consultancy service” on the company website.
“As ransomware recovery specialists, we have an outstanding track record in advising businesses and individuals affected by computer ransomware,” the company bio reads. The firm said it offers professional alternatives to paying ransoms, but noted that “paying the ransom may be the only viable option for getting your files decrypted”.
Red Mosquito also said it does not recommend “negotiating directly with criminals since this can further compromise security”. ProPublica said that these claims have since been removed from the company’s website.
As part of the sting operation, Fabian Wosar, CTO at Emsisoft, created a fake ransomware dubbed ‘GOTCHA’ and also played the role of the victim in this scenario, creating the fake persona of ‘Joe Mess’.
Posing as Joe, Wosar contacted the company and explained that his home server had been hacked, with pictures, documents, videos and other sensitive files seized by hackers. Wosar told DIGIT they created files that “to someone with experience in dealing with ransomware, would look like a legit ransomware encrypted file.”
Accompanying the fake ransomware was a ransom note. Each company targeted by the researchers was given its own file and ransom note, which contained the company’s name in an encrypted form. For example, Red Mosquito had the ID tag ‘QDCSITRQQVK’.
“If you know the cypher and the keyword, you can then turn the ID into the readable form,” Wosar said. “This is how we figured out which person contacting the ransomware author – who was actually an email account we set up for this purpose – was from which company, as the instructions asked them to submit the ID when contacting us.
“Then we just set up an anonymous email account and started reaching out to companies we found.”
Ahead of the operation, Wosar said he and his team “did some astroturfing” to spread the news about the fake ransomware. They also used contacts at ID Ransomware to help get this added to the list of recognised ransomware.
ID Ransomware is a popular free service that helps victims establish which kind of ransomware they’ve been affected by and also provides information on whether free solutions are available.
“Any person who ever had to deal with ransomware in any capacity knows about this service and if they were serious about attempting to look into other actions, other than just straight up paying the ransom, they would go and check there first,” Wosar explained.
Email transcripts obtained by DIGIT show that, upon contacting Red Mosquito, an individual who identified himself as ‘Conor Lairg’ said: “I am very confident we will be able to recover your files,” adding “We are now running tests and I will be in touch as soon as possible with an update.”
Conor Lairg identified himself as a “Data Recovery Specialist”, Wosar said. Wosar’s documents show that “only about two minutes” had passed between first contact with Joe and the company contacting the ransomware author. This, he insisted, “isn’t enough time to do any kind of reconnaissance to figure out a solution that doesn’t involve paying the criminals”.
There had also been zero submissions to ID Ransomware, he added. Therefore, paying the ransom “appears to be their default method of going about things”.
Wosar’s fake hacker email was contacted from an account believed to be held by Red Mosquito (firstname.lastname@example.org) asking: “How much for decrypt?”
In response, Wosar demanded $1,200 (£943) in Bitcoin, stating: “You pay, we provide key and decriptor to recover data.”
The Red Mosquito contact, however, haggled with Wosar, attempting to negotiate the ransom down to $500 (£393). Wosar agreed to lower the price, email transcripts show: “$900 (£707). Take it or kiss data bye-bye. We don’t run charity here.”
“I will try and get BTC,” the respondent confirmed.
Running parallel to the conversation between the hacker and the alleged Red Mosquito respondent, Wosar – under the guise of Joe – asked whether or not the company would “cave” and pay the ransom. “So you think you may be able to help without me having to pay the ransom?” he asked.
The email transcripts show that the next day, Lairg contacted ‘Joe’, stating: “Thank you for your patience. I am pleased to confirm that we can recover your encrypted files.”
For services rendered, Joe was required to pay $3,950 (£3,104) – which equates to around four times the confirmed ransom agreement that Wosar’s documents show. These files were expected to be recovered within one to three business days as part of the company’s Priority Recovery Service.
Payment was required before the file recovery could begin, with PayPal and Bank Wire Transfer options available. Lairg added: “Our ‘No Recovery No Fee’ policy means that if we cannot recover any of your files then we will immediately refund payment on a pro-rata basis.”
These revelations follow a recent move by a Florida city council to pay hackers $600,000 in Bitcoin to recover files held hostage after a ransomware attack – a decision that has raised serious questions over how companies and organisations should approach a cyber attack of this kind.
Agreeing to pay ransoms, however, can lead to a ‘slippery slope’ which further emboldens cybercriminals. Wosar claimed that companies such as RMDR “exploit moral or ethical opposition that a lot of people have and make bank while doing it”.
Wosar said: “[Incidents such as these] essentially contribute to the ongoing problem that is ransomware. Not only that, they are actively profiting off of it. If nobody would pay, ransomware wouldn’t be a thing, even though we know that not paying is sometimes not an option.
“We interact with a lot of victims and there are a lot of people out there that would rather lose their data than pay the ransomware author. When you check the conversation, you will see that our victim made it abundantly clear that he does not wish to pay the ransomware author.”
Mandy Haeburn-Little, chief executive at the Scottish Business Resilience Centre, said: “We never advise anyone to pay ransomware. At best it’s a slippery slope to becoming someone’s sucker list. At worst, it can lead to very serious personal and professional compromise, endangering many others around you while also funding some of the most insidious elements of criminal activity.”
DIGIT contacted Red Mosquito Data Recovery for comment. However, no response had been received by email or telephone at the time of publishing.