UK ransomware firm ‘helps’ victims by paying off hackers, tacking on massive fee

Red Mosquito allegedly has a profitable sideline in place for ransomware victims.
Written by Charlie Osborne, Contributing Writer

A Scottish IT services provider is allegedly skimming off the top when it comes to the cybercriminal world of ransomware -- by paying off hackers and then charging a substantial fee for the privilege. 

Ransomware is a particularly virulent form of malware that can cause chaos and heartbreak for consumers and enterprise companies. 

If ransomware is able to successfully infiltrate a system, it may be able to lock devices, encrypt content, and in some cases, spread to other PCs on a network. The global WannaCry outbreak highlights just how damaging an infection can be, considering this single malware family was able to disrupt organizations including Telefónica, the UK's National Health Service, Deutsche Bahn, and TSMC.

Ransomware often attempts to blackmail victims into paying a ransom demand -- in Bitcoin or other forms of cryptocurrency -- in return for a decryption key to retrieve their files and unlock their systems. 

While there is no guarantee that the key will ever appear or will work, many victims do pay, a recent example being Florida's Riviera City, which paid $600,000 to hackers after a ransomware outbreak shut down the majority of city services for weeks. 

Given the mammoth destruction ransomware can cause, it is unsurprising that payments are made -- and while bowing to these demands ensures the malware variant remains profitable to develop, some companies are also allegedly cashing in by exploiting its victims further.

A recent investigation undertaken by ProPublica claims that Red Mosquito, a company which uses the slogan "Your IT Department," is profiting from ransomware victims in what could be considered a morally murky business venture. 

See also: Ransomware attack sends City of Del Rio back to the days of pen and paper

Emsisoft security researcher Fabian Wosar worked with the publication in the sting, in which he posed both as hacker and victim to see how Red Mosquito dealt with ransomware infections and the needs of victims. 

Wosar created a fake ransomware variant, dubbed Gotcha, and drafted a ransomware note. The security researcher then contacted Red Mosquito while posing as a victim of the ransomware's 'infection' on a home server he desperately needed to recover. 

Throwaway email addresses were used while pretending to be both victim and hacker. 

Wosar said that Red Mosquito Data Recovery (RMDR), an offshoot of the main company, did not attempt to purge the ransomware infection used in the operation; instead, the company allegedly went "straight to the ransomware author literally within minutes" in order to pay off the demand. 

After the company told the victim persona that it was "running tests," Red Mosquito contacted the 'hacker' through the second trash email account -- to negotiate the fee from $1200 in Bitcoin to $900. A proposed charge was then sent to Wosar of $3,950 for the victim to receive their files and access back within three working days. 

TechRepublic: Why half of enterprises struggle to keep pace with cloud security

RMDR said on its website that the company offered a "professional alternative" to paying criminals. After being contacted by ProPublica, the statement appears to have been removed. 

The IT firm's FAQ page states, "We do not recommend dealing with the 'hacker' directly. In many cases, paying the ransom may be the only option to get your data recovered and it is best to get an experienced consultant to assist with this process." 

CNET: Gov. Newsom: California is ready to regulate tech

This could be considered as playing upon a victim's emotions and moral learnings for profit, as the security researcher noted that victims are often amenable to paying more than a ransom demand to recover their data if it is believed the money is going to a legitimate company rather than a cybercriminal. 

Red Mosquito has not responded to requests for comment at the time of publication.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards