Security researchers have found a company in Russia that reportedly claims to decrypt ransomware, but actually contacts the ransomware developers and pays the decryption fee. The company in question is called Dr. Shifro, and they masquerade as an IT consultancy company.
Security researchers from Check Point launched an undercover operation which found that the “IT Consultants” contacted the ransomware developers and asked for a discounted price on the decryption key. They then incorporated this price into what they charged the victim, plus adding a $1000 fee. It is not clear whether all victims were billed equally for the decryption, but that the prices were inflated. The ransom was paid by Dr. Shifro, in Bitcoin.
This behavior is particularly worrying because it encourages cybercriminal activity. The advice with ransomware is always to not pay. If you give in to a ransomware demand and pay, then you continue to pay ransomware a profitable way of making money that nefarious individuals will capitalize on.
This conduct isn’t completely unheard of, it has been reported before that some IT companies do negotiate with ransomware creators in order to receive a decryption key. However, this level of compliance with cybercriminals is unheard of.
Dr. Shifro is essentially a middleman who are charging their clients in order to do something they could do themselves, but it is also something they should do. Victims going to decryption companies and then paying a higher fee for the decryption than they would for paying the ransom, are making a clear statement that they are against paying attackers the money. The company is acting against the wishes of the clients and the practice is considered highly unethical in the industry.