Cybercrime , Fraud Management & Cybercrime , Ransomware

The Ransomware Files, Episode 12: Unproven Data Recovery

How a Disturbing Business Practice Led to Iranian-Made Ransomware
The Ransomware Files, Episode 12: Unproven Data Recovery

What if you were hired for an office job but ended up negotiating with cybercriminals?

There aren’t many rules around ransomware, but this is a story about one rule that was definitely broken. By the end, the path to the truth led to a place on the other side of the world where no one wanted to be.

It starts with a ransomware infection at a real estate company in Anchorage, Alaska, called Herrington & Associates. In April 2016, the company became infected with a type of ransomware called DMA Locker.

The ransom demand was 4 bitcoins, worth just around $1,700 at the time. The company didn't pay. It found another way to fix its problem: a company called Proven Data Recovery from New York, which said it could recover the company's data using its "proprietary" method. Like magic, the data was decrypted.

"The whole thing was unlocked in 45 minutes," says Renee Dudley, a technology reporter with ProPublica and co-author of a forthcoming book called "The Ransomware Hunting Team."

But Herrington & Associates suspected something else was going on. What Dudley and others uncovered was a disturbing business practice that funneled ransom payments to the creators of a pernicious type of ransomware called SamSam, who were in Iran.

"The Ransomware Files" is a podcast available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.


Speakers: Renee Dudley, Technology Reporter, ProPublica; Jeremy Kirk, Executive Editor, Information Security Media Group.

The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Records. Other music in this episode by Blue Dot Sessions.


  • Broadcom, SamSam: Targeted Ransomware Attacks Continue, November 29, 2018;
  • Cybersecurity and Infrastructure Security Agency, SamSam Ransomware - Alert (AA18-337A), December 3, 2018;
  • Department of Justice, Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses, November 28, 2018;
  • dinbits, Which Is Worse? Bitcoin RansomWare or Removal Service From It?, July 14, 2015;
  • Graham Cluley, The Firms That Piggyback on Ransomware Attacks for Profit, April 25, 2018;
  • ProPublica, The Trade Secret, May 15, 2019;
  • Renee Dudley, Daniel Golden, The Ransomware Hunting Team, October 2022;
  • Reuters, U.S. Indicts Iranian Hackers Responsible for Deploying 'SamSam' Ransomware, November 28, 2018;
  • RSA Conference, Hi-Tech Mass Extortion: Lessons From the SamSam Ransomware Prosecution, February 26, 2020;
  • Sophos, SamSam: The (Almost) Six Million Dollar Ransomware, 2018;
  • Wired, Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare, April 23, 2018.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.