IT consultancy firm caught running ransomware decryption scam

Ransomware has become a persistent threat to users globally but for cybercriminals, it is a lucrative business. Recently, IT security researchers at Check Point unearthed a sophisticated ransomware decryption scam in which a Russian IT consultant company has been caught scamming ransomware victims.
According to Check Point researchers, the company calls itself ‘Dr. Shifro’ and claims to provide file decryption services to ransomware victims, including those hit by Dharma ransomware. In reality, however, it simply pays the ransomware’s developers and passes the cost on to the victim at a huge profit margin.

This means Dr. Shifro has been acting as a broker between the attacker and the victim, negotiating to have the ransomware removed from the targeted system if the victim is willing to pay the ransom. The company also charges the victim its own fee on top, so the victim effectively pays twice while the ransomware’s creator and Dr. Shifro both end up with a large profit.

It is noteworthy that Dharma ransomware made headlines in January 2017 after a popular horse racing website in India was hacked, and again in February 2017 after two Romanian hackers were arrested for hacking DC security cameras before the official inauguration ceremony of President Donald Trump. Both hackers were accused of distributing the Dharma and Cerber ransomware.

In a test case, Check Point researchers contacted the company posing as both a ‘Ransomware Victim’ and a ‘Ransomware Operator.’ In the victim’s case, they were asked to pay 150,000 rubles ($2,300), while in the operator’s case the company offered to pay 0.15 BTC ($950 at that time).

“I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 BTC?,” Dr. Shifro told Check Point researchers.

Check Point infiltration scheme (Image source: Check Point)

This indicates that the company would earn around $1,350 from a single victim. Dr. Shifro has been running the scam since 2015 and, to date, has carried out more than 300 ransomware decryptions for victims, which means Dr. Shifro has made over $405,000 in the last three years.

“Our case study taught us that the company earns, on average, $1,350 per customer, and over $200,000 per year,” noted Check Point. “It is an efficient and easy-to-run business model that can significantly increase the profits generated by ransomware campaigns. Therefore, we may expect to see other threat actors running similar operations,” Check Point concluded.

This, however, is not the first time someone has taken advantage of cyber attacks and turned them into a business. In June this year, HackRead exclusively reported on “Ransomhack,” in which hackers threaten to leak stolen user data online so that the affected companies face GDPR penalties, and demand a ransom payment in return.