Meet The Firm That Pays Bitcoin Ransoms On Behalf Of Its Customers

Updated Sep 18, 2018, 06:11am EDT

“Never pay” is the general advice when dealing with a ransomware attack. But it's not always possible to follow this rule, according to a company that helps small firms negotiate with cyber criminals to reduce ransom amounts, paying them in Bitcoins.

“We are pragmatists, and the ‘never pay’ mantra is simply not attuned to the reality of the choices businesses have when they are hit,” says Bill Siegel, CEO and co-founder at Coveware.

In fact, a ransomware attack can have massive implications, sometimes forcing firms to lay off employees or close down. This is a far worse outcome than "paying a few hundred dollars", he points out. “The decision is obvious. That is the hard truth when firms have no other options for data recovery.”

And this strategy is working in practice. A few weeks ago Coveware helped a Texas-based wrecking company whose servers and files had become encrypted. “They had been down for two days when they contacted us and really did not know who to turn to for help,” says Siegel.

Siegel and his colleagues were able to negotiate the ransom amount down by 80% over 36 hours, helping the company facilitate a secure cryptocurrency payment. “The decryptor tool was passed back and handed to the company’s IT provider who, with some guidance from us, was able to fully restore the client’s data,” Siegel says.

It's certainly unusual to hear, but Coveware has had a 100% success rate receiving decryptor tools from attackers – although the full data recovery rate after the decryptor is fully exhausted is about 90%, Siegel says.

Indeed, paying the ransom is only half the battle: Encrypted files do not automatically decrypt themselves once the payment is made and specific tools are required to recover data. So how does Coveware ensure that data is actually returned after the firm has negotiated and paid? Siegel admits that decryptor tools are “extremely flukey and difficult to work”. 

“This is a major area where aggregated case data benefits our community greatly,” Siegel says. “Each case helps us improve and evolve our data set.”

The firm uses tear sheets documenting the nuances of how decryptor tools operate, which configurations or file types they trip on, and how to use them as efficiently as possible.

But even with all this, it is common to have to go back to the attacker and ask questions, he says. “For the most part the attackers do their best to be helpful, which creates an odd dynamic to say the least. But at the end of the day, the criminals are running a business, and they know that if their decryption does not work, word will get out quickly.”

He also concedes there are scenarios “where a company wants to pay and we advise them not to, or at least to image the encrypted files and wait”. 

“Sometimes a company has partial backups and is unsure if they can complete their review in a time frame that matches the businesses need to recover. In these instances, we urge the firm to push through the review rather than taking the quicker route of paying.”

Meanwhile, if the data encrypted by attackers is not mission critical, Siegel advises the company to make a copy of the information and move it to a ring-fenced environment. “It is quite common for a decryptor tool to be published months or years after a given ransomware type is circulating, so if the data is not critical, they can often recover it much further down the line for free.”

Siegel won’t give much away about his negotiating tactics, which are typically carried out via encrypted email or chat. But he claims the firm can facilitate a payment safely.

First, Siegel and his colleagues – who between them have experience in cybersecurity and cryptocurrencies – help the companies procure cryptocurrency. “A ransomware incident is not the time to learn the vagaries of the cryptocurrency capital markets,” he says. “We show the customer, to the penny, how, when, where, at what price, and with what transaction fees the cryptocurrency was acquired.”

At the same time, the firm runs an anti-money laundering compliance program internally, developed from the founders' prior jobs at SecondMarket running a regulated broker-dealer. “We run checks on every party involved in each case, the company, their authorized representatives and any service providers assisting them,” says Siegel.

He says his firm has “several ways to find information on the attacker” and determine whether they are “more than an everyday cyber criminal”. 

“Combined, we have as complete a picture as possible of the parties involved and the risks.”

Siegel is so confident in his services that the firm offers small businesses help for free. Of course, there is something in it for him, too: “Hard, real-time case data” which he hopes will help to end ransomware altogether.

“Most ransomware data is gleaned from backwards looking surveys of IT professionals, which are anecdotal and stale,” he says. “Attempting to craft solutions to this problem without this data is akin to a car insurance company writing policies without studying car crash information. The only way to get hard data on ransomware is to jump into the trenches and help victims through incidents.”

By managing the incidents, Coveware aggregates hundreds of data points that help it to craft analytics, alerts and shareable information that its clients, security manufacturers, and law enforcement use to stop incidents from occurring, Siegel says.

Paying the ransom certainly isn’t ideal – and the advice is still the same. But for firms that unfortunately have been hit, Siegel underlines the importance of not becoming a repeat victim. After an incident, Siegel’s firm puts its customers in touch with IT providers able to improve their security posture. And he advises companies to avoid being hit in the first place by making “consistent investments” in IT security, as well as employee awareness training and disaster recovery tools.