WHICH IS WORSE? Bitcoin RansomWare or Removal Services Profiting From It? | dinbits

The CryptoRansom Epidemic

Which is worse? The growing epidemic of ransom-ware (CryptoLocker, CryptoWall, TeslaCrypt, etc.) hijacking computers around the world and demanding payment to get files decrypted? Or the companies popping up left and right offering to "remove" the virus for a fee?

Many people, when faced with any kind of virus, prefer not to take a chance themselves. They don't want the task of finding the right tools, removing the virus, and cleaning up the system afterwards, much less the additional task of having to find bitcoin and purchase a decryption tool from the same "reliable source" that infected their computer. That's understandable, because all of the above is less than favorable.

There is certainly merit to hiring a professional to take care of this, but at what cost? 

Well, we found out, and this wasn't even a project we were looking at. We were researching another story when we simply needed a price quote on what people were paying to have this professionally removed. What we found was a little shocking.

The Basis For Inquiry


This week [June 24th, when this article was first drafted], the FBI released an advisory on the malware referred to as "ransom-ware", which listed current damages of over $18 Million. What they didn't provide was a breakdown of what was included in that $18 Million, or what portion of it may have been professional removal service fees.

We were curious to know what the average fee for this service was. In our experience the cost was around $200, which seems a bit high, so we wanted a good cross-section of the rest of the United States on this.


The Good, The Bad, And The Geeks


FAIR  We went to the secret searching appliance, code named "Google", and instantly noticed a few paid advertisements, but not nearly as many as we expected. We checked out a few going for as low as $40, which we felt was cheap; the removal process is annoying, but if you're doing several per day, then perhaps. These were usually smaller shops, generally mom-and-pop computer repair joints located in strip malls.

Likewise, these companies had less than desirable web pages (yet ironically offered web design services) and no chat technology to speak with a human instantly, but we could see from their web pages that if we brought the bitcoin, we'd likely be out of there for under $100.

It didn't leave anyone with a warm fuzzy feeling, however. There's no mention of cleaning the system afterwards or of how they are going to get rid of it, and you pretty much get the feeling they are just going to send the bitcoin, run the tool, and that's it. Assuming they even knew exactly what to do.

Not to say that is what is going to happen, but you get what you pay for. Still, if there was one next door and I had this issue, I would likely walk in and lay down $40, considering I'd be out $300 or $500 already for the bitcoins.

So the searching continued...

The Bad Apple


BAD  There are several scams we ran across, and they were painfully obvious; we didn't even bother to explore them, and many required downloading and installing something on your computer (tip: do not do this). We eventually ended up on a web page from a company called Proven Data Recovery, and it caught our attention. First of all, they had one of the top ads on Google with a multi-star rating. Second, which some may consider a plus, you are instantly met with the BBB graphic when you hit their pages.

I have learned in the past that anyone who has to specifically put their BBB rating on their website may have had trouble before, or something may be up. They are intentionally trying to prove why you should trust them without doing anything to earn your trust. Call me paranoid, but that's just been my experience.

I couldn't have called this one better. 

Looking around the website, there were several things that caused some concern. They have testimonials plastered on their pages and "thousands of satisfied customers", generally synonymous with a less than perfect organization, but they also had a lot of credible things on the website, such as some recognizable company logos for their clients.

Upon closer examination, most of these were actually close to their home (New York), and almost all of the "reviews" were regarding recovering data from crashed disk drives. Only one could be found that had anything to do with the CryptoWall virus, and I couldn't find anything else related to virus removal.

The only way I was going to get any answers was to contact them. I went into _stealth mode_ and the following is the transcript of that communication: 


[transmission begin]

☎ Happy Support Person:
Greetings - I'm here to assist you if you have any questions. :)

❁ Cyndi [formerly known as Happy Support Person]:
Hello Guest, my name is Cyndi [Last Name Omitted]. I'll be with you just in a moment.

dinbits [stealth]:
Yeah hello, I'm wondering about the Crypto-virus Data Recovery service, what is it that you can recover? Or is it just the removal and paying the ransom thing it asks for?

❁ Cyndi:
Good afternoon! Is this for personal or business use?

dinbits [stealth]:
Both

❁ Cyndi:
Okay. We would charge based on the variant of the virus you have and complexity involved in decrypting the data. Our focus would be to decrypt the files and remove the virus. We have over a 90% success rate right now decrypting files from variance viruses.

[transmission paused]

Stupid Hat

Stupid Hat Application 


Something smells. At this point I suspect something is not right, because she bypassed my initial question: I specifically asked her what they did and whether they were just going to pay the ransom.

Secondly, in case you missed it, this lady just told me they can decrypt files protected with RSA-2048 encryption, and with a 90% success rate! Isn't that, like, impossible?

It was time for the "Stupid Hat" to go on! 

[transmission continued]

dinbits [stealth, stupid-hat mode]:
Not sure what you mean by variant, this is asking me to register a wallet and purchase bitcoinz and send it to some long mix of letters and numbers then some other stuff, and that's about where I just stopped and decided to research.

❁ Cyndi:
Variant meaning which version of the virus you have. CTB Locker, CryptoWall 2.0, 3.0, etc.

[transmission paused]


The Second Chance 


"Variant: ...a form or version of something that differs in some respect from other forms of the same thing or from a standard."

We knew what it meant, and we knew it had just given us the perfect opportunity to sound as if we were really stuck, weren't sure what to do, and had an obvious lack of digital currency knowledge.

This was another shot at giving them a chance to tell us all we really needed to know in the first place, and answer the original question that they sidestepped.

Are these folks just going to deposit $300 and press go? Or do they have some magic beans that defy Moore's Law? Are they brilliant mathematicians who have discovered an efficient number field sieve for cracking RSA-2048? Perhaps an array of quantum computers in the back of the shop?

[transmission continued]


dinbits [stealth, stupid-hat mode]:
You have a picture of it on this page ... its the blue one CryptoWall 3.0
[image: the CryptoWall 3.0 screenshot on Proven Data's website referred to above]

☣ Cyndi Demon:
The current cost to decrypt and remove the virus is $1,800 to $5,000 for a single disk hard drive depending on the variant of your infection and the level of complexity involved in the recovery.
We will first perform a free remote evaluation to determine the exact cost and provide you with a flat rate quote. If you are interested in the free remote evaluation I can provide you with the next steps.

[transmission paused]

Did she just say $5,000.00? For a single drive? Seriously?

This is coming after I had just told her that I was on a screen telling me to "send bitcoin". My exact words were:


"this is asking me to register a wallet and purchase bitcoinz and send it to some long mix of letters and numbers"

The ransoms range in price, usually around $300.00 or $500.00. Doesn't she know this? Can she possibly be so out of the loop that she has no clue what the actual ransom demand is?

Of course she knows this. She also knows that you don't know what to do, or else you would not be talking to her. She knows you have a clock ticking down. She knows you have likely spent hours searching for the answer, and she knows you are likely among the high percentage of people who are going to look no further because you have found a seemingly reputable solution.

She is well aware of that screen, the costs it's asking for, and most of all she knows that if you were going to pay that ransom all by yourself you would have already done it.

She knows she has the sale and she knows how to milk it too.

[transmission continued]


dinbits [stealth, exit mode]:
Is that each? Or for both? It's my home computer and my work laptop.

☣ Cyndi Demon:
Unfortunately that would just be for the business computer ...

[end of transmission]

The Legal Heist, A "Friendly Scam"


So what just happened here? This could potentially cost up to $10,000.00? No, unfortunately it gets worse. Before I exited the session, I thanked her for her time, said that I would be back since I needed to check on how many computers were infected, and told her that it was actually 2 business computers and my home laptop. That is three systems, and that's potentially $15,000.00.


$15,000.00 for something I could have just done myself for as little as $300.00 (or, to be fair, $900.00 at 3 * $300 each). You can call the CryptoWall creator/designer whatever you want, but this is the real heist. This woman was about to have me pay up to $15,000.00 for this service, and that's ridiculous. Unfortunately, it's completely legal. Nothing was done wrong here, and had I paid the invoice, that would have been legal too.

It is not illegal to overcharge folks. They can charge whatever they want for this service. It may be unethical ... but it's not illegal.

The possibly illegal aspect of this is: where are they getting the bitcoin, are they charging me for it in that excessive fee, and are they paying it to the criminals? This assumes that they are doing it this way, and with a 97% success rate it's a fairly good assumption.

This is because this decryption is not possible ... they are lying.

There are other ways to get your data back, and I am not saying that they do not look at these options. For instance, you can attempt to restore from a shadow copy and reconstruct deleted files, but here's the thing: the latest CryptoWall 3.0 (the one mentioned in the transmission) already knows this can be done and takes measures to make it difficult, if not impossible, by disabling the service and destroying the copies.

Secondly, you can try to restore the deleted files themselves, but again, the virus takes measures to corrupt and destroy these files as well. If you don't turn your computer off immediately, the chances of this being successful decline rapidly. This is not 100% even on a normal, uninfected computer.

Proven Data Recovery supposedly specializes in reconstructing deleted files, and it's very possible that this is one method they use for recovery. We found at least one reference on their website to turning your computer off immediately, which is a prerequisite for a chance of this actually working and also lends a greater chance of restoring files from a shadow copy. However, that's not the point here.


The point is that they are engaging in deceptive practices by preying on helpless, unknowing victims in an effort to profit from criminal activity, and that is wrong.

During this transmission it was made evident that there is a screen to pay to get back the files. At no point was it communicated that the easiest and cheapest method is going to be to send the bitcoin and purchase the decryption tool, or that it was even an option. It was not communicated that decryption is impossible. In fact, they claimed quite the contrary, stating that they themselves are capable of this decryption.

Furthermore, at no point did they communicate any action other than letting them onto my computer to assist in any of the aforementioned possible solutions, which would actually make the matter worse and strengthen the requirement to pay the ransom ... or them ... or more likely both.

Had they instructed me to immediately turn the systems off, the chances of recovering data through available restoration methods already present on my system would have been greatly improved. 


Decryption Claims of Greatness

Proven Data Recovery claims to be able to decrypt files (with a success rate exceeding 90%, I might add) encrypted by the CryptoWall 3.0 virus, and I have stated that they are lying about this claim. Without properly examining their tools and decryption methods, one may wonder why I think they are lying. It's not that I don't think they can do it; it is because I know that they can't (unless, of course, they are the ransom-ware makers themselves).

I spoke with a member of the team over at Fulcrum Technologies, a security and cloud computing solutions firm in Houston, TX, earlier this year when the virus was first reported. I asked him what he thought the best course of action is, and he said:


Honestly, the only way to decrypt the files is to buy the tool. It uses state-of-the-art RSA-2048 encryption, there is nothing out there that currently exists for decryption, unless you have the key. 

Outside of that, restoring from a backup, the other methods of deleted file reconstruction, or restoration from shadow-copies are about the only other options. None of which may be possible depending on the depth of the infection nor could they guarantee 100% recovery and that is if they can be utilized at all. The Cryptowall 3.0 takes precautions to prevent this. 

The Math Behind RSA-2048 Decryption 


Without the key, and without paying the ransom to get it, you'd have to crack RSA-2048 bit encryption. Let's take a look at that for a minute, and show Proven Data Recovery some actual "proven data":

Based on the 768-bit breakthrough (cracked 5 years ago), 1024-bit encryption would take 1000 times longer to crack than 768-bit encryption. 768-bit was broken in just under 2 years with 80 processors maxed out, which would have been the equivalent of an estimated 1,500 years using a standard desktop computer. That means 1024-bit encryption would take roughly 1.5 Million years [years = 1.5 × 10^6].



The "2048", in RSA-2048 encryption, refers to 2048-bit encryption, and "cracking" that would require factoring a 617-digit number that looks like this:



2048-bit encryption is an estimated 2^32 times harder (that's 4,294,967,296) to crack than 1024-bit encryption using NFS (number field sieve) factoring. To put that into perspective, using an average desktop computer's computational speed to crack RSA-2048, it would take*:


*Roughly: 6.4 quadrillion years

Obviously server farms exist (some with GPU arrays) with various computational speed capabilities, and finding a more efficient NFS method is not impossible, but even using the computational speed of the 768-bit encryption crack you'd be looking at about 8.6 Trillion years:


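To check that the figures above hang together, here is an added example (not from the original article) that carries the article's own extrapolation through from its stated inputs: 1,500 desktop-years for 768-bit, 1000x for 1024-bit, 2^32 more for 2048-bit, and the 80-processor cluster that did 768-bit in 2 years. It also goes one step beyond the article by letting you plug in any hardware speedup relative to a desktop; the scaling factors are the article's assumptions, not measured NFS run times.

```python
# Added example: reproduce the article's RSA cracking-time extrapolation.
# All inputs below are the article's stated assumptions, not measurements.

RSA768_CLUSTER_YEARS = 2.0      # 768-bit factored in ~2 years on 80 processors
RSA768_DESKTOP_YEARS = 1_500.0  # ... equivalent to ~1,500 years on one desktop
SCALE_768_TO_1024 = 1_000       # article: 1024-bit is ~1000x harder than 768-bit
SCALE_1024_TO_2048 = 2 ** 32    # article: 2048-bit is ~2^32 times harder than 1024-bit

# Work factor of each key size relative to the 768-bit break.
SCALES = {
    768: 1,
    1024: SCALE_768_TO_1024,
    2048: SCALE_768_TO_1024 * SCALE_1024_TO_2048,
}


def desktop_years(bits: int) -> float:
    """Years for one average desktop to factor an RSA key of `bits` bits."""
    return RSA768_DESKTOP_YEARS * SCALES[bits]


def cluster_speedup() -> float:
    """How much faster the 768-bit cluster was than a single desktop (1500 / 2 = 750x)."""
    return RSA768_DESKTOP_YEARS / RSA768_CLUSTER_YEARS


def years_with_speedup(bits: int, speedup: float) -> float:
    """Years on hardware `speedup` times faster than one desktop.

    speedup=1 is the desktop; speedup=cluster_speedup() is the 768-bit cluster.
    """
    return desktop_years(bits) / speedup


def human(years: float) -> str:
    """Format a year count in the article's own units (million ... quadrillion)."""
    units = [(1e15, "quadrillion"), (1e12, "trillion"), (1e9, "billion"), (1e6, "million")]
    for scale, name in units:
        if years >= scale:
            return f"{years / scale:.1f} {name} years"
    return f"{years:,.0f} years"


if __name__ == "__main__":
    cluster = cluster_speedup()
    print("768-bit  on the cluster :", human(years_with_speedup(768, cluster)))
    print("1024-bit on a desktop   :", human(desktop_years(1024)))
    print("2048-bit on a desktop   :", human(desktop_years(2048)))
    print("2048-bit on the cluster :", human(years_with_speedup(2048, cluster)))
    # Beyond the article: a farm one million times faster than the 768-bit cluster.
    print("2048-bit, 1e6x cluster  :", human(years_with_speedup(2048, cluster * 1e6)))
```

Run as-is it prints 1.5 million, 6.4 quadrillion and 8.6 trillion years, matching the article, and shows that hardware a million times faster than the 768-bit cluster is still looking at about 8.6 million years under these assumptions.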

The Geeks

GREAT  We don't want this entire write-up to reflect only the bad apples. During the quest we found Geekatoo, and we were impressed. On first landing, the web page was clean and modern, and considering how aggravated I was having just learned of the likes of Proven Data Recovery, the playfulness of the website was very much welcome.

Also welcome was the gentleman by the name of Joel, with whom I spoke over the site's live-chat technology. Like the website and the company's name, their staff is not without a playful attitude as well, stating at one point in the conversation that:

"We have over 6,000 geeks across the country in ...."

There's little doubt this was a canned response used constantly, but it's a great one and one I did not expect. Joel also took the time to understand the problem, and although I tried to get right to the point, almost expecting a gouge, he took some time to explain the virus and what measures needed to be taken to ensure it really was gone, even getting technical, discussing the registry entries that would require removal and how it was one of the smartest pieces of malware he'd ever seen.

Technically, he could have been talking about any member of that malware family and was likely reading from a script of "best answers", but it was done in a way that won my attention and respect. Even after I asked for a price more than once, he asked for my zip code and located a "geek". He found a time this afternoon that they could be at my office to take care of the problem before price was finally discussed.

The most out of pocket (minus the bitcoin) was going to be $179.00, and that came with a support plan covering a year of unlimited remote support on multiple devices and "as many tuneups and virus removals as you want." Well, Joel, I don't want any virus removals because I don't want any viruses, but that was a great answer. Had I really needed this service, I would have paid on the spot.

I had never heard of Geekatoo until this conversation, but I would recommend giving them a try, if you ever have the need, from that experience alone. Apparently they also have an iPhone app, which I did not take a look at, but wanted to point out since they were so very helpful.

The best practice, of course, is not to click on stuff you don't know about (such as executable .EXE files) and to have virus protection installed and scheduled to scan your system periodically.

The Troublesome Summary 


We spoke with a couple of other reputable companies (of which I had thought Proven Data Recovery was one). I was told basically either "we'll do this for XX amount" or "either you pay the ransom and use the tool, or it's going to be difficult, expensive, and may not be possible at all". They all offered to handle the dirty work for a small fee, which averaged "about $200", plus the cost of the bitcoin of course. Note that none of them tried to sell the bitcoin or even offered to acquire it, beyond the "plus the cost of the bitcoin" statement, and for the record, neither did Proven Data Recovery.

Proven Data Recovery has no way of doing what they claim as far as decryption goes. What we have here is a company that is likely either paying the ransom themselves and cleaning up the system, or attempting one of the other methods discussed above.

Most likely they are doing a combination of all of the above, in order from "easiest and most profitable" to "difficult and time consuming", and that is likely where the $5000.00 price tag for their service comes in. They are not decrypting the files unless they are paying for the decryption tool, aka paying the ransom, because it's not possible.

What they are doing is preying on the victims infected by these viruses, excessively profiting from the criminal activity.

Is this illegal? This is a grey area.

Is it unethical? Let's just put it this way, you don't need a math equation to figure that one out...


Help Is Here


If you find yourself with CryptoLocker, CryptoWall, or other related viruses, we certainly recommend you contact a viable professional service if you are uncomfortable with trying to do this alone. However, don't pay more than a couple hundred dollars for this (plus the bitcoin cost, of course), because that is what it should really cost.

If you find yourself in a jam, or if you're running out of time, then don't worry! Contact us at press@dinbits.com, and we'll be happy to walk you through the recovery for free.
