The Ransomware Files, Episode 12: Unproven Data Recovery
How a Disturbing Business Practice Led to Iranian-Made Ransomware
What if you were hired for an office job but ended up negotiating with cybercriminals?
There aren’t many rules around ransomware, but this is a story about one rule that was definitely broken. By the end, the path to the truth led to a place on the other side of the world where no one wanted to be.
It starts with a ransomware infection at a real estate company in Anchorage, Alaska, called Herrington & Associates. In April 2016, the company became infected with a type of ransomware called DMA Locker.
The ransom demand was 4 bitcoins, worth just around $1,700 at the time. The company didn't pay. It found another way to fix its problem: a company called Proven Data Recovery from New York, which said it could recover the company's data using its "proprietary" method. Like magic, the data was decrypted.
But Herrington & Associates suspected something else was going on. What ProPublica reporter Renee Dudley and others uncovered was a disturbing business practice that funneled ransom payments to the creators of a pernicious type of ransomware called SamSam, who were in Iran.
"The Ransomware Files" is a podcast available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.
If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.
If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at firstname.lastname@example.org or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.
- Broadcom, SamSam: Targeted Ransomware Attacks Continue, November 29, 2018;
- Cybersecurity and Infrastructure Security Agency, SamSam Ransomware - Alert (AA18-337A), December 3, 2018;
- Department of Justice, Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses, November 28, 2018;
- dinbits, Which Is Worse? Bitcoin RansomWare or Removal Service From It?, July 14, 2015;
- Graham Cluley, The Firms That Piggyback on Ransomware Attacks for Profit, April 25, 2018;
- ProPublica, The Trade Secret, May 15, 2019;
- Renee Dudley, Daniel Golden, The Ransomware Hunting Team, October 2022;
- Reuters, U.S. Indicts Iranian Hackers Responsible for Deploying 'SamSam' Ransomware, November 28, 2018;
- RSA Conference, Hi-Tech Mass Extortion: Lessons From the SamSam Ransomware Prosecution, February 26, 2020;
- Sophos, SamSam: The (Almost) Six Million Dollar Ransomware, 2018;
- Wired, Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare, April 23, 2018.
Jeremy Kirk: In April 2016, a real estate company in Anchorage, Alaska, called Herrington & Associates became infected with file-encrypting malware known as ransomware. The ransomware was called DMA Locker. It had locked up the agency's files and backups. The ransom demand was four bitcoins, worth just around $1,700 at the time. They didn't pay. They found another way to fix their problem.
Renee Dudley: "And he's sitting there watching. The whole thing was unlocked in 45 minutes. This was so fast."
Kirk: The real estate agency was fixed, just like that. Like, magic. The files were decrypted, and the agency could go back to its business of trading in property. But you know that feeling when something just isn't quite right.
Dudley: "They don't feel good about what happened. So Herrington doesn't let it go. He actually calls his local FBI field office."
Kirk: What unfolds is a story about people with good intentions trying to help other people in trouble. Oh, and profit. OK, let me try that again. Trying to help and profit. But not exactly telling the truth, the whole truth and nothing but the truth. And by the end of the story, the path to the whole truth leads to a place halfway around the world that no one expected and disturbingly, no one wanted to be. It also marked the transition of ransomware from sort of an irritating digital street crime to increasingly, a national security concern.
Dudley: "He thought he was going to be signing for packages, just regular office admin kind of stuff. And within a short time of being hired, they have him negotiating with hackers and dealing with clients. But, he had no idea what he was getting himself into."
Kirk: This is The Ransomware Files. I'm Jeremy Kirk.
In this podcast series, I'm exploring the impact of ransomware, which is one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victim to cybercriminals encrypting their data and demanding payment. But technology professionals are fighting back, and they have stories of resilience and fortitude.
Kirk: Tell me, how did you get interested in ransomware?
Dudley: "I got interested in the idea that companies were covering up cyberattacks, that they weren't disclosing them when they should be to the SEC, if they're publicly traded companies, and that just generally, they weren't doing enough to maintain adequate cybersecurity."
Kirk: That's Renee Dudley. She's been a technology reporter since 2018 with ProPublica, which is an independent, nonprofit news organization that does in-depth investigative journalism. She is also the co-author with Daniel Golden of a forthcoming book called "The Ransomware Hunting Team." It's about an elite group of technical volunteers dedicated to fighting ransomware.
Dudley: "I consulted with my editor, and we decided ransomware would be a very good area to hone in on because it takes a sort of traditional crime - ransom - and updates it for the digital age."
Kirk: It's hard to think of another type of crime that so neatly balances low risk with high reward. Data is the lifeblood of companies and organizations. Encrypting that data makes it inaccessible. Then the criminals extort a ransom in exchange for the key. For organizations that do not have good backups, there may be little option but to pay. The attacks can be executed from computers on the other side of the world. Getting caught is not impossible, but you stand a much better chance of getting dinged for shoplifting socks than for launching a ransomware attack with a demand in the millions of dollars.
At the time when Renee started looking into ransomware, a transition in this type of crime had already been under way. In the prior years, attackers had been targeting consumer computers for a few hundred dollars here and there. But by 2018, ransomware was exploding: victims were now companies, schools and hospitals rather than just ordinary unlucky people who got malware on their home computer. Much higher ransom payments were being demanded. A cybercriminal cottage industry helping others execute ransomware attacks was flourishing. And the ransomware explosion started new industry niches on the defensive side as well.
Dudley: "I came across a blog that was from an article from a company called Coveware, and I looked at Coveware, which had just launched. And I thought, 'Wow, I can't believe it. Here's this company based in Connecticut that's facilitating ransom payments on behalf of American victims'."
Kirk: Coveware is still one of the major players in this field. Specialty firms like it popped up to help waves of ransomware victims negotiate lower ransoms with the cybercriminal gangs. It's not illegal to pay a ransom, but it's also not recommended: giving cybercriminals money of course means you end up with more cybercriminals. Dealing with cybercriminals is also messy, and most ransomware victims have never had to negotiate directly with extortionists.
There are all kinds of questions. And there's intense pressure, because the extortionists often put time limits on when they're going to take some other punitive action if they don't get the money, like publicly releasing sensitive data. Victims are often unfamiliar with cryptocurrencies such as bitcoin and how or where to purchase them. Negotiation firms make this process easier by handling the payments and conducting the delicate negotiations. Plus, they have experience. Well, they do now. When this field started out, they just winged it, and it worked. And it was profitable. One of those companies was Proven Data Recovery in New York. Here's Renee.
Dudley: "So two brothers Victor and Mark Congionti started Proven Data around 2011. And at that time, their intention was to have it as an IT recovery business. They were getting information of broken hard drives, cameras, hardware. But as ransomware started to proliferate, prospective clients started calling them saying, hey, can you unlock my files? And they saw that ransomware was becoming most of their business. So they pivoted, they still did the hardware stuff, but they pivoted to ransomware recovery."
Kirk: The Alaskan real estate firm, Herrington & Associates, contacted Proven Data for help with its ransomware infection. Leif Herrington, who founded the agency, had initially called the FBI, as one would do if you're a victim of a crime in the United States. But it told him it didn't have the resources to take on the case. Proven Data, however, had a solution. For $6,000, it could unlock the files. This was more than three times the ransom being asked. Proven Data didn't say anything about paying a ransom. Herrington & Associates also hired a local IT consultant to help. The consultant watched as a Proven Data technician accessed one of the agency's computers via remote connectivity software.
Dudley: "Proven Data says OK, and a few days later, the IT consultant grants remote access for Proven Data to come in. And he's sitting there watching as Proven Data is just zipping along unlocking files, and the whole thing was unlocked in 45 minutes. This was so fast that the IT consultant suspected that they probably paid a ransom, and discusses it with Herrington, whose business was attacked. They're back in business. Everything's good, the files are restored, but they don't feel good about what happened, because between Herrington's son and the IT consultant, they realized what must have happened: that a ransom had to be paid, even though Proven Data said that they used their own proprietary technology. So Herrington doesn't let it go. He actually calls his local FBI field office, and they interview him and ask him about what happened. And the agent told him that if Proven Data was misrepresenting its methods and its expertise, it might be breaking the law."
Kirk: Back in July 2015, there was a column posted on a technology news site called dinbits.com. The column is still online, but the website appears to be inactive. The column is interesting because it publicly questioned how Proven Data Recovery could manage to recover files encrypted by ransomware without actually paying the ransom. In fact, the dinbits writer went back and forth in an online chat with a Proven Data Recovery customer service person. The dinbits writer pretended to have been infected by CryptoWall 3.0. CryptoWall and its variants were a pervasive type of ransomware around 2015.
The 3.0 version can't be decrypted by any other means than obtaining the decryption key from attackers. Now, this column wasn't the greatest story ever written, and the person goes so far as to directly accuse Proven Data of lying, which at that point was a pretty strong and potentially libelous claim. But it's one of the first public references that something in this ransomware negotiation business wasn't right.
Then something else surfaced in 2018. In April of that year, the computer security writer and podcaster Graham Cluley wrote a story for his website titled "The Firms That Piggyback on Ransomware Attacks for Profit." Remember that the Alaskan real estate firm Herrington called the FBI. Well, it turns out the FBI wouldn't get involved just because Herrington was infected with ransomware. But it did get involved after Herrington suspected Proven Data was paying ransoms and not telling its clients about it. Graham's story included links to court documents. Those documents unfortunately are now under seal, but they showed that the FBI had served a search warrant to obtain emails associated with a Proven Data email account. Ultimately, though, the FBI probe didn't result in anything, and the government never prosecuted a case against Proven Data.
Technical analysts on the Ransomware Hunting Team - who did specialize in trying to decrypt ransomware without paying for a key - also knew that there was only one way that these companies could be recovering data. Here's Renee.
Dudley: "This is really complicated stuff that people spend years, like members of the Ransomware Hunting Team spend years working on honing their skills and learning how to do this stuff. And it's not just the kind of thing that anybody with a passing familiarity with technology would know how to do."
Kirk: But then comes 2019. ProPublica and Renee blow the story wide open. An in-depth piece called "The Trade Secret" exposed not just Proven Data, but another firm as well. Both claimed to solve their clients' ransomware problems. But the firms were paying ransoms, not telling their clients, and then charging those clients a fee on top of that. Renee explains how Proven Data went down that path.
Dudley: "They realized that people didn't like the idea that they'd have to pay a criminal to get their files back."
Kirk: So if you called up Proven Data with a ransomware problem, they'd give you two options.
Dudley: "They would have sort of a script that they would use with clients, they'd have two options. One would be to use their proprietary method to get your data back. And the other would be to pay the ransom. But these, usually most of the time, were the same thing."
Kirk: One of the keys to decrypting what was actually going on at Proven Data was a man named Jonathan Storfer. Renee describes him as an easy-going, affable person who was not long out of university when he joined Proven Data in early 2017. He had no experience in technology. Here's Renee.
Dudley: "He was looking for a job after he graduated from college and saw a posting for a job at Proven Data. He had no experience in IT, tech or criminal negotiation, but they hired him. And he thought he was going to be signing for packages, just regular office admin kind of stuff. And within a short time of being hired, they have him negotiating with hackers and dealing with clients who really liked working with him because he was patient and voice of calm during a turbulent time. And like I said, just had an easy demeanor. And so, he did great. But he had no idea what he was getting himself into."
Kirk: He learned quickly, though.
Dudley: "He became very adept at negotiating with hackers. And he learned quickly how to best extract what he needed from them. What he had to do was treat the hackers like business people; they want to be respected. He called the ransomware their, air quotes, product, and he would ask them, could you offer your product at a lower price? Our customer would like to do business with you but can't afford your starting offer. And on and on like this, making them feel like they weren't extorting these victims, and that we're working with Proven Data."
Kirk: And negotiating a lower ransom wasn't just important for Proven Data's clients. It was important for Proven Data to keep this whole ruse going.
Dudley: "He was successful in lowering their demands. So they had to somehow lower them because, of course, they had to make their money too. And so if the client sees that the demand was, say, $20,000, and then Proven Data needs to make its fee on top of that, if they see that their bill comes to the ransom demand plus what looks like a fee, they might get suspicious. But if it all turns out to be lower than the original demand, they might not think it's so suspicious."
Kirk: There was one type of ransomware that ushered this digital crime into the big time. It was called SamSam. In fact, many people who had never even heard of the term ransomware - which comprised most of the public at that time - certainly did by the time its reign ended. And you can mark its significance by the long list of victims.
In 2016, SamSam infected Hollywood Presbyterian Medical Center in Los Angeles. It extracted a $17,000 ransom after its CEO said paying was the quickest and most efficient way to restore its systems. In 2018, SamSam struck the city of Atlanta. The ransomware proved to be devastating. Residents couldn't pay water bills and parking tickets. Even the city's court system was affected. Footage from police dash cams was destroyed. The city spent at least $17 million on recovery.
SamSam was innovative because it broke into networks using techniques ransomware groups hadn't really used before. They'd get in by exploiting software vulnerabilities, which can give attackers a foothold on a computer system. Software developers try to quickly release patches, or fixes, but sometimes users don't apply those updates before attackers start exploiting the flaws. One of SamSam's favorite targets was JBoss, a type of Java application server, where unpatched internet-facing installations gave the attackers a way in. They'd also go after RDP, or Remote Desktop Protocol, which is used for remotely connecting to Windows systems. SamSam would look for RDP services exposed to the internet and try to guess the login credentials, a type of attack referred to as a brute-force attack. Neither route needs a victim to click on anything.
Another difference is that SamSam attacks weren't automated. Previously, when someone clicked on a malware attachment in an email, the ransomware would run and do its thing and that was it. But SamSam was much different: real humans behind a keyboard spent time carefully doing reconnaissance on a victim's network in order to map out where all the potential computers were that could be infected.
Once inside a network, the SamSam attackers would quietly move around, using built-in tools to maximize the damage they'd cause. They'd use tools often used by normal Windows administrators that don't look suspicious at first glance. Computer security experts refer to this as "living off the land." The idea is that by using operating-system or benign utilities - but for nefarious purposes - adversaries can avoid tripping security alarms. Those include Microsoft Sysinternals tools such as PsInfo, which gathers information about a local or remote system, and PsExec, which runs commands on remote machines and is a staple of legitimate administration. SamSam was also one of the first groups to actively search for and then encrypt an organization's backups. They asked for higher ransoms, too.
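Detection logic for the two intrusion patterns just described, the RDP password guessing and the PsExec-style lateral movement, written for this page as an added example (not code from the podcast, the prosecution or any vendor) and run over constructed Windows event log lines. The event IDs are real Windows values: Security event 4625 (failed logon), 4624 (successful logon), logon type 10 (RemoteInteractive, i.e. RDP) and System event 7045 (a new service was installed; PsExec installs one named PSEXESVC by default). The hosts, accounts, IP addresses, timestamps, the pipe-separated line format and the five-failures-in-ten-minutes threshold are all constructed for the example.

```python
"""Detecting RDP brute force and PsExec service installs over constructed
Windows event log lines (added example; not the podcast's or any vendor's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: time|event_id|host|account|src_ip|logon_type|service_name
SAMPLE_LOG = """\
2018-03-20T01:00:01|4625|FS01|administrator|203.0.113.9|10|
2018-03-20T01:00:03|4625|FS01|administrator|203.0.113.9|10|
2018-03-20T01:00:04|4625|FS01|admin|203.0.113.9|10|
2018-03-20T01:00:06|4625|FS01|backup|203.0.113.9|10|
2018-03-20T01:00:07|4625|FS01|administrator|203.0.113.9|10|
2018-03-20T01:00:09|4624|FS01|administrator|203.0.113.9|10|
2018-03-20T01:05:00|4624|FS01|jsmith|10.0.0.25|10|
2018-03-20T01:12:30|7045|FS01|administrator|||PSEXESVC
2018-03-20T01:12:45|7045|WS07|administrator|||PSEXESVC
2018-03-20T02:00:00|4625|WS07|jsmith|10.0.0.25|10|
2018-03-20T02:00:30|4624|WS07|jsmith|10.0.0.25|10|
"""

FAILURE_THRESHOLD = 5          # constructed threshold: failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"          # real Windows value: RemoteInteractive (RDP)


def parse(log_text):
    """Turn the constructed pipe-separated lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, account, src, ltype, svc = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "host": host, "account": account, "src_ip": src,
                       "logon_type": ltype, "service": svc})
    return events


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag (host, source IP) pairs with >= threshold RDP logon failures inside a
    sliding window, and record the account if a success from the same source
    arrives while the failure count is still at or above the threshold."""
    failures = defaultdict(list)   # (host, src_ip) -> failure timestamps still in window
    alerts = {}

    def alert_for(key):
        return alerts.setdefault(key, {"host": key[0], "src_ip": key[1],
                                       "failures": 0, "success_account": None})

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["host"], ev["src_ip"])
        recent = [t for t in failures[key] if ev["time"] - t <= window]
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold:
                a = alert_for(key)
                a["failures"] = max(a["failures"], len(recent))
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alert_for(key)["success_account"] = ev["account"]   # the guessing worked
        failures[key] = recent
    return list(alerts.values())


def detect_psexec_service(events):
    """System event 7045 installing PSEXESVC is the default PsExec footprint.
    PsExec's -r switch renames the service, so in production pair this with a
    check for services whose image path points at a freshly written binary."""
    return [{"host": ev["host"], "account": ev["account"]}
            for ev in events
            if ev["event_id"] == 7045 and ev["service"].upper() == "PSEXESVC"]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in detect_rdp_bruteforce(evs):
        print("RDP brute force:", a)
    for a in detect_psexec_service(evs):
        print("PsExec service install:", a)
```

On the sample, only 203.0.113.9 trips the RDP rule (five failures, then a success as administrator); the single failure from 10.0.0.25 does not. One caveat when running this against real logs: with Network Level Authentication enabled, failed RDP attempts are typically recorded with logon type 3 (network) rather than 10, so a filter on type 10 alone will miss them.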
And one of those entities sitting in the middle of many of these transactions between SamSam and victims was Jonathan Storfer of Proven Data. When victims were infected with SamSam, there was a timer on the payment website. If the time expired, SamSam threatened to start deleting some of the decryption keys. This obviously put a lot of pressure on victims. But Jonathan was able to relieve that. Here's Renee.
Dudley: "Storfer had developed such a close relationship with SamSam negotiators, the SamSam hackers, that he would just ask them, 'Hey, could you remove the timer?' And they would. It helped to take the pressure off. It made everybody feel like there wasn't a ticking clock."
Kirk: It's just business, right? Well, in a way, yes. The result is somewhat inevitable at this point, so no need to make it any more anguishing. But it's uncomfortable, right? Because this is criminal. And then it takes an even stranger turn.
Dudley: "Eventually, the SamSam attackers began recommending that victims work with Proven Data. And this isn't totally uncommon, this has happened, sometimes they suggest preferred data recovery firms, because they know that having experience working with them in the past, things will go smoothly, they'll get there, they'll get their ransom payment, everything, just as like clockwork. But working with Proven Data speeds things right along for everybody. So, they would actually tell the victim, if you need assistance with making this transaction, with paying us, contact Proven Data."
Kirk: This raised an obvious question on the part of the victims.
Dudley: "Why on earth is SamSam directing us to you? Are you a part of this? Are you getting some kickback? Or what is going on here? And Storfer would have to explain, 'No, it's just that we do a lot of business with them.' In some of those cases, when the clients would ask about that, he would have to tell them we're dealing with them, at least that they're dealing with them, not necessarily that they're paying them, but that they've been in touch."
Kirk: None of this sits well with Jonathan.
Dudley: "He felt very bad about all of this. He would avoid describing how things were transacted. And if a client point-blank asked, he would tell them; if they didn't ask, he called it a lie by omission. He knew that this wasn't totally right. But he did what he thought was responsible to be transparent in cases where clients asked. Now, he started to get very uncomfortable when the FBI came in and started asking questions. And that's the point where he started to think about looking for another job."
Kirk: Jonathan left Proven Data in September of 2018. Two months later, the U.S. Department of Justice announced an indictment against two men.
This is William Hall.
William Hall: "I am a prosecutor in the computer crime and intellectual property section of the Justice Department. I'm handling the prosecution of the alleged creators of a notorious ransomware called SamSam, who were indicted in November of 2018."
Kirk: William spoke at the RSA Conference in February 2020. He spoke about ransomware and specifically about the U.S. government's indictment. And there was a big surprise about the two people named as allegedly part of the SamSam operation.
Hall: "Ultimately, they acted from Iran. But this wasn't, of course, at first obvious when our investigation began."
Kirk: That revelation suddenly put SamSam on a different level as well. Here were a couple of guys allegedly part of a ransomware scheme that targeted organizations around the world, most of them in the United States. Proven Data, of course, had no idea that the perpetrators of all this may have been in Iran. It added a new dynamic, given the absence of diplomatic relations between the U.S. and Iran and the sanctions the U.S. has long had in place against the country. Sanctions matter to ransomware victims, too: a payment that ends up with a sanctioned party can expose the payer to liability, whether or not they knew where the money was going. William continues.
Hall: "This is the indictment returned by the grand jury in the district of New Jersey against Iranian nationals, Faramarz Savandi and Mohammad Shah Mansouri, alleging that they were responsible for deploying the SamSam ransomware in order to extort hospitals, municipalities and public institutions, causing over $30 million dollars in losses. This is the first federal indictment of its kind concerning a ransomware scheme."
Kirk: Again, William notes another ransomware first with SamSam, the first federal indictment related to ransomware. So what led prosecutors to Iran? One word: Bitcoin.
Bitcoin is a real paradox. On one hand, demanding ransoms in cryptocurrency drove the large-scale growth of ransomware. Attackers could get paid huge amounts in a digital currency system that had no middlemen and didn't touch the banks. But there's a big disadvantage with bitcoin: at some point, you probably want to cash out, and cryptocurrency exchanges are coming under ever-growing scrutiny. Also, by design, bitcoin's transaction ledger, which is called the blockchain, is public. So while an address doesn't tell you who controls it, anyone can watch the bitcoins move from address to address, and an exchange that collected identity information when an account was opened can put a name to a deposit. This has proved incredibly useful for investigators and somewhat of an Achilles' heel for people trying to hide money. Here's William again.
Hall: "Bitcoin is an important part of the SamSam story. While I can't get into details about our investigative approach, suffice it to say that we could use tools to analyze the blockchain ledger and gain visibility into the movement of funds from origin to destination. We can also obtain information from domestic cryptocurrency exchanges using legal process and from foreign cryptocurrency exchanges using the tools that I just talked about a minute ago. We were able to determine ultimately that more than $6 million was extorted from SamSam victims in this case, and the perpetrators allegedly exchanged these accumulated bitcoin proceeds into Iranian rial, which is the Iranian currency. And they did so using Bitcoin exchangers, including two specific Bitcoin exchangers that were located in Iran."
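The ledger walk William describes, as an added example written for this page rather than anything from the podcast or the SamSam investigation: starting from the addresses victims paid, follow every transaction that spends those coins until they land at a deposit address an exchange can attribute to an account holder. Every address, transaction, amount and exchange label below is constructed; the "common input ownership" clustering step is a standard heuristic (addresses spent together in one transaction are usually held by one party), not something the page attributes to the prosecutors.

```python
"""Following ransom payments across a constructed, simplified ledger
(added example; not code from the podcast or the SamSam case)."""
from collections import defaultdict, deque

# Constructed ledger: txid -> inputs (addresses spent) and outputs (address, BTC).
LEDGER = {
    "tx1": {"inputs": ["victimA_wallet"], "outputs": [("ransom1", 1.0)]},
    "tx2": {"inputs": ["victimB_wallet"], "outputs": [("ransom2", 2.0)]},
    # The attacker sweeps both ransom addresses in a single transaction.
    "tx3": {"inputs": ["ransom1", "ransom2"], "outputs": [("hop1", 2.9), ("change1", 0.1)]},
    "tx4": {"inputs": ["hop1"], "outputs": [("hop2", 1.4), ("exchX_dep1", 1.5)]},
    "tx5": {"inputs": ["hop2"], "outputs": [("exchY_dep1", 1.4)]},
    # Unrelated coins landing at the same exchange must not be counted.
    "tx6": {"inputs": ["someone_else"], "outputs": [("exchX_dep2", 5.0)]},
}

# Constructed attribution data of the kind an exchange hands over under legal process.
EXCHANGE_DEPOSITS = {"exchX_dep1": "ExchangeX", "exchX_dep2": "ExchangeX", "exchY_dep1": "ExchangeY"}


def spenders(ledger):
    """address -> txids that spend from it (the 'spent by' edges of the graph)."""
    index = defaultdict(list)
    for txid, tx in ledger.items():
        for addr in tx["inputs"]:
            index[addr].append(txid)
    return index


def common_input_clusters(ledger):
    """Union-find over addresses that are spent together in one transaction.
    Heuristic only: CoinJoin-style transactions deliberately break it."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for tx in ledger.values():
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def cluster_of(addr, ledger):
    """All addresses the heuristic ties to addr (addr alone if it was never co-spent)."""
    for cluster in common_input_clusters(ledger):
        if addr in cluster:
            return cluster
    return {addr}


def trace_to_exchanges(seed_addrs, ledger, exchange_labels):
    """Breadth-first walk of the spend graph from the seeds. Returns
    (BTC arriving per exchange, deposit address -> list of txids on the path).
    Each transaction is expanded once, so coins swept from several seeds in
    one tx (tx3 above) are not double counted."""
    index = spenders(ledger)
    seen_addrs, seen_txs = set(seed_addrs), set()
    queue = deque((a, []) for a in seed_addrs)
    totals, paths = defaultdict(float), {}
    while queue:
        addr, path = queue.popleft()
        for txid in index.get(addr, []):
            if txid in seen_txs:
                continue
            seen_txs.add(txid)
            for out_addr, amount in ledger[txid]["outputs"]:
                if out_addr in exchange_labels:
                    totals[exchange_labels[out_addr]] += amount
                    paths[out_addr] = path + [txid]
                elif out_addr not in seen_addrs:
                    seen_addrs.add(out_addr)
                    queue.append((out_addr, path + [txid]))
    return dict(totals), paths


if __name__ == "__main__":
    seeds = cluster_of("ransom1", LEDGER)          # pulls in ransom2 via tx3
    totals, paths = trace_to_exchanges(seeds, LEDGER, EXCHANGE_DEPOSITS)
    print("seed cluster:", sorted(seeds))
    print("BTC per exchange:", totals)
    print("paths:", paths)
```

Two things the walk shows that the narration only states: the sweep in tx3 ties both victims' payment addresses to one wallet before any exchange is involved, and the 5.0 BTC arriving at ExchangeX in tx6 is never attributed to the attackers because no path from the seeds reaches it. The walk follows coins, not a taint fraction; once ransom coins are mixed with other inputs, deciding how much of an output is "ransom money" is a separate (and contested) calculation.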
Kirk: The two people named in the indictment will probably never face trial as long as they don't leave Iran. The U.S. does not have an extradition agreement with Iran. As long as they don't travel to a country that does have one with the U.S., they'll probably remain free.
Hall: "The defendants are at large. So you happen to see them here in the Moscone Center, out in the Embarcadero riding the cable car, if you'd be so kind to give a phone call over to the San Francisco field office of the FBI, we'd be most grateful."
Kirk: So why does the U.S. even bother spending resources to indict people it likely will never prosecute? Here William explains.
Hall: "We still think that charging them and taking other related actions can really help to raise the costs of committing cybercrime, even if we're not initially in a position to make an immediate arrest. And I think as I talked about, the conduct in this case came to a stop after the defendants in this case were charged and the charges were announced. In my experience, the number of cyber actors who have both the knowledge and skill to commit a crime of this nature and also the brazenness to do it is surprisingly small. So every time we take an offender away from their keyboard, it's a big win for everybody in both your community and our community."
Kirk: Renee spoke with Jonathan sometime after the indictment was announced.
Dudley: "He was very reflective about what happened. He was feeling pretty bad about it. He realizes that the payments that he was transacting are going to very bad people, and he kind of said out loud, I realized that a significant amount of ransomware may be funding terrorism and organized crime."
Kirk: But his future in the ransomware negotiation industry could have gone on. Coveware, which has always informed its clients what it's doing, wanted to hire him. But he called it quits.
Dudley: "But the whole space, he compared to the wild, wild west: no rules, anything goes, unregulated, and he's just ready to get out."
Kirk: So like William said, after the indictment became public, that was the end of SamSam. They stopped launching attacks. But it was just the beginning of big-time ransomware, which would walk down the path carved by SamSam. Ransomware operators took lessons from SamSam, such as searching for and then deleting organizations' backups, a practice that is still standard today. Another type of ransomware, Jigsaw v.2, implemented something SamSam did: encrypting every computer with a different encryption key, which meant decryption keys could be sold on a per-machine basis. Yeah. Messy.
Proven Data Recovery is still around. The company made amends. Renee says its customers are now fully informed of the options available and have to sign a written authorization for Proven Data to take actions on their behalf. There's also this.
Dudley: "They've started to do for real what, in the past, they said they were doing. In 2020, there was a case where a managed service provider was hit by ransomware and hired Proven Data. They thought they were going to have no choice but to pay an $800,000 ransom. And they were about to pull the trigger on all this when an encryption analyst, somebody with real technical skills who was on Proven Data's staff, discovered a flaw in the cryptography, and he was able to crack the code and recover the client's files."
Kirk: Ransomware coders often make mistakes in their malware, in the cryptography itself or in how keys are generated and handled. And the people who find those mistakes, such as the Ransomware Hunting Team, which Renee focuses on in her book, often bail people and organizations out, meaning they don't have to pay a ransom to get their files back. There's irony here, of course, in Proven Data doing that, but it's a wonderful irony.
Dudley: "Years after the episode in Anchorage and years after Storfer left, they're doing the very thing that they'd always said that they were doing, but not actually doing; now they're doing it in a real way. And they actually shared it. They're on the other side of the law enforcement equation now. They shared this breakthrough with law enforcement and with researchers."
Kirk: Special thanks to Renee Dudley for making this episode possible, and you can find a link to the book written by her and Daniel Golden in the show notes. This story came from that book, and there are many other interesting stories about ransomware in there as well.
This episode of The Ransomware Files was written, researched, edited and produced by me, Jeremy Kirk. The production coordinator is Rashmi Ramesh. The Ransomware Files theme song and other original music in this episode is by Chris Gilbert of Ordinary Weirdos Records and Blue Dot Sessions.
If you enjoyed this episode of The Ransomware Files, please share it and leave a review. It will help keep this project going. The series has its own Twitter handle @ransomwarefiles, which tweets news and happenings about ransomware. I'm on Twitter @jeremy_kirk. If you would like to participate in this project or have an idea for it, please get in touch. The project is looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.