Ransomware Doctor Makes Victims Sick
By: Jim Stickley and Tina Davis
February 7, 2019
Getting hit with ransomware is a paralyzing and costly scenario. Victims have few options for recovering their ransomed data, and Check Point Research has recently uncovered a “hacking hack” that takes even further advantage of those limited options. They discovered Dr. Shifro, an “IT Consultancy” service claiming that it alone can find the decryption key to your ransomed data, for a price. If only it were that simple. Dr. Shifro, it was discovered, is part of an even more vile scam.
Ransomware victims have a few basic options for getting their systems and data back from hackers. The first and most obvious is to pay the ransom, likely in Bitcoin or another cryptocurrency, to receive the decryption key for all of the encrypted data. It’s an option the FBI and other security professionals advise against, as they believe paying ransom demands encourages other malicious actors to use ransom techniques as well. It may be sound advice, but organizations that depend on the ransomed data to survive minute to minute don’t always see non-payment as an option. Think hospitals, law enforcement, city services, and financial institutions: all are prime targets for ransom and quick payment because they need immediate data access to keep operating.
Check Point explains the two remaining options for ransomware victims. The second is looking for a publicly available key for the particular malware used in the attack that will unlock the encrypted files. Such keys sometimes exist, but honestly, not often. If that’s a bust, a third option, paying a service to obtain the decryption key, is for some the last resort. Enter Dr. Shifro, which we now know is a Russian company, promising to decrypt even the most difficult data encryption.
Check Point researchers noticed that Dr. Shifro’s “IT Consultancy” decryption services coincidentally made claims related to the Dharma/Crisis ransomware attacks. Even though there is no publicly available decryption key for this devastating ransomware, Dr. Shifro claimed it alone could get the data back. Dr. Shifro, it was found, acted in concert with the Dharma/Crisis hackers and was in reality a mediator for the ransom payments. It seems the good doctor paid the hackers’ ransom to get the decryption key and then charged the victims a massive fee to cover the ransom price plus its own profit.
However, there is another way to avoid paying a ransom and still get data back. The best way for companies to thwart ransomware attacks is to apply security patches as soon as they become available and to perform their own data backups. Keep those backups separated from the operational network, and completely offline if that’s an option. Test backups regularly to make sure they restore correctly when needed. Perhaps even more importantly, regular employee cyber security education is necessary to thwart the email phishing attacks that install ransomware to begin with.
Taking care of these cyber security maintenance tasks can prevent another Dr. Shifro from taking advantage of an already serious computer illness.