Rachel Monroe has an interesting profile of a ransom negotiator in The New Yorker. But the piece also provides an answer to a puzzling claim in a blog post by REvil that referred to fraudulent middlemen.
When the negotiator hired by a victim entered the chat, they discovered that someone had already been negotiating with the threat actors — and they had done what appeared to be a terrible job. But who were these people who were negotiating when it this firm that had been retained to do that?
Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.
Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)
According to an investigation by ProPublica, MonsterCloud has a long track record of secretly negotiating with hackers.
Read more on The New Yorker. The FTC was made aware of MonsterCloud’s claims to clients, which raise questions about whether it is deceptive to tell a client that they are not paying ransom if you are using part of your fee precisely to pay the ransom to get the decryptor. Is the FTC actually investigating this firm? Investigations are non-public, so we do not know, but ProPublica had also investigated this firm.
And how many more firms may be doing what MonsterCloud has allegedly done? And are they all adhering to guidelines about not making payments to entities on the banned list?