Another type of undesirable man-in-the-middle

An unscrupulous business has allegedly stepped in to act as a broker between ransomware attackers and victims, while falsely claiming that it’s using technical measures to unlock encrypted files.

Researchers from Check Point allege that a Russian cybersecurity consultancy, called Dr.Shifro, poses as a business offering cures for ransomware infection, when in reality it only acts as a middleman that charges a fat commission for its “services”.

In one case tracked by researchers, Dr.Shifro made a payment of $1,300 to ransomware slingers in return for a decryption key, before charging the victim $2,300 to unlock their files – a mark-up of more than 75%.

Check Point uncovered this and other evidence of sharp business practices by Dr.Shifro after posing as a victim of ransomware attacks and analyzing bitcoin wallets associated with the company.

Dr.Shifro has performed more than 300 ransomware decryptions for customers over the last two and a half years, according to the security researchers. Charges levied for these services average out at the equivalent of $3,000, payable either in bitcoin, other digital currencies, or traditional forms of money.

Dr.Shifro offers only one service: assisting ransomware victims in unlocking their files. The Russian firm claims to be able to unlock files scrambled by the Dharma/CrySiS ransomware (for which no decryption key is publicly available). This suspicious offer, combined with the sole focus of its business, prompted Check Point to look into Dr.Shifro.

According to Check Point, the organization approaches hackers and offers to act as a broker between them and their victims in trades involving ransomware decryption keys.

Alleged correspondence between the Russian business and a ransomware creator provided evidence of how Dr.Shifro’s ‘consultancy’ works.

“I’m an intermediary,” the email reads. “We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?”

The trading volume of Dr.Shifro’s account is at least 100 BTC – which means they have spent at least $300,000 on key purchases, based on the average cost of bitcoin during the study period, according to Check Point’s estimate.

While there are many legitimate IT service providers that market services to help victims recover systems and files after a ransomware attack – such as restoring files from backups or offering to help when decryption keys are already publicly available online – the same demand also creates an opportunity for scammers.

Check Point’s researchers also spoke to previous customers of Dr.Shifro, who described how the process worked.

“The business model that Dr.Shifro has created is an attractive one that could easily be replicated by other entrepreneurial scam artists and serves as a new development of the ransomware industry that both individuals and organizations should be wary of,” Check Point warns.

A Check Point representative told The Daily Swig that Dr.Shifro is the first example it has come across, while adding that it may not be unique. Other anti-malware firms quizzed by The Daily Swig on whether or not they’ve seen similar business practices themselves are yet to respond.

Whether or not this example represents a new facet of the booming ransomware market, it’s surely sensible for organizations to remember to maintain backups and to deploy ransomware-prevention technology to safeguard against infection.

Dr.Shifro is not scamming in the sense of taking money and offering nothing in return. What it’s doing may be within the law, but it is unethical because of a lack of transparency about what’s on offer, according to Check Point.

The Daily Swig put these criticisms to Dr.Shifro, offering it an opportunity to respond. We’re yet to hear back but we’ll update this story as and when more information comes to hand.