Browser automation script.
A data recovery company is dubiously claiming it has cracked decryption of Dharma ransomware – despite there being no known method of unscrambling its files.
Infosec researcher Brett Callow of Emsisoft had a little fun trying to replicate Emsisoft’s exposure of ransomware middleman company Red Mosquito Data Recovery earlier this year, now he has turned his attention in another direction.
Australian biz Fast Data Recovery boasted that it is capable of decrypting Dharma, which data recovery biz Coveware’s chief exec Bill Siegel described as implying “they have tools and computing power beyond that of the NSA”.
“If this was the case, they would sell their technology for millions, if not billions, rather than using it to help small businesses,” he added.
Callow posed as a customer (having borrowed his wife’s business email address, with her consent) while contacting Fast Data Recovery, asking if the firm could decrypt encrypted files that mentioned the word Dharma. What Callow had done was encrypt the files himself.
He got back a standard auto-reply email:
Thank you for contacting Fast Data Recovery – The Ransomware Recovery Experts.
Please note FREE evaluation can take up to 10 days and its dependable on our work load and its treated as a non-priority.
If this is an Emergency/URGENT please contact us or reply back to this email to use our Priority Evaluation Service for fast turnaround (4-24 hours) OR 1 HOUR quote for Dharma / Crysis Ransomware.
Dharma ransomware will have the following extensions at the end of your files (COMBO, BIP, GAMMA, JAVA, BRRR, HEETS, ETC, BTC, 888, ADOBE, GAMMA, Phobos). Click here for a full list of Dharma Ransomware.
Our Priority Evaluation service cost[s] $350AUD for most for most type of infections with the exception to [sic] Dharma and Gandcrab infections.
Dharma / Gandcrab Priority evaluation cost[s] $175 AUD.
Please note the cost of Priority evaluation will be deducted from the cost of recovery and in the unlikely chance we are unable to work with your encryption, a full refund will be issued.
We have a proven track record of 100% ransomware data recovery and back our claim with No Data = No Charge.
That was followed up with an offer to carry out a “server prevention and network security audit” at AU$750 per server and $120 per PC – with a discount to $70 if one had more than 10 PCs.
Michael Gillespie, creator of ID Ransomware, opined: “There is no way to ‘reverse engineer the ransomware decryption key’ for Dharma. The encryption is perfectly implemented, and it’s simply not possible. The only way to recover files encrypted by Dharma is with the ransomware dev’s key. Any company which claims it can recover files by other means is almost certainly just paying the ransom.”
When Emsisoft’s Callow didn’t reply to the quote, Fast Data Recovery tried again:
After analysis our engineers have determined a very high chance of data recovery after the analysis was performed on your sampling files.
Your infection is part of the DHARMA ransomware family. One of the most active types of ransomware on the internet since 2016 with 2-3 new infections per week.
Your files have been identified to have a complex encryption key. A time consuming/complex process but the recovery is guaranteed.
Our team has been successful in 100% of all dharma ransomware cases presented to our company.
We will be using our streamlined process and latest technology to speed up the recovery process.
We utilise our resources to reverse engineer the ransomware decryption key on your sample files. Once the decryption key has been reversed-engineered, we will need to connect to your system to start the recovery process.
At this point, Callow broke off contact with the firm, but the case smells similar to other companies claiming to be able to decrypt ransomware when all they do is act as a middleman, taking money on the pretence of “decrypting” ransomware, then paying the ransom and in turn banking a margin for doing so.
The most outrageous case aside from Red Mosquito (as mentioned above) was Dr Shifro, a Russian firm that also claimed to be able to decrypt Dharma. This turned out to be one Belarusian man who had made around £300,000 from taking Bitcoin payments while negotiating with ransomware authors.
Emsisoft’s CTO, Fabian Wosar, concluded: “Since emerging in 2016, Dharma has been reverse engineered to death by the entire malware research community. If a flaw existed that enabled the encryption to be broken, it would almost certainly have been discovered a long time ago. To break Dharma within any of our lifetimes without having discovered a flaw would require access to a quantum computer that is capable of running Shor’s algorithm. The highest number ever factorized using said algorithm and quantum computers is 21, which is just short of the 307 digits that would be required to break Dharma.”
Sometimes, these types of services really are too good to be true.
Fast Data Recovery has been asked for comment. ®