Anti-Malware and anti-virus company Emsisoft posed as a potential customer to conduct an informal “sting” on a company “guaranteeing” it can decrypt data locked by Dharma ransomware for a fee of about $7000 USD.
The problem is, Emsisoft claims, no known party has ever decrypted Dharma ransomware before, and claiming to be able to do so suggests one might be a culprit disseminating the malware in the first place.
“Unless you have access to a quantum computer more advanced than any machine known to have been built, it’s simply not possible to ‘reverse engineer the ransomware decryption key,'” Emsisoft’s Brett Callow writes in an email. “Dharma uses perfectly implemented RSA-1024 (encryption) and the key needed to decrypt a victim’s files can only be created by the criminal or someone with access to the criminal’s private key.”
Emsisoft CTO Fabian Wosar elaborates:
“Since emerging in 2016, Dharma has been reverse engineered to death by the entire malware research community. If a flaw existed that enabled the encryption to be broken, it would almost certainly have been discovered a long time ago. To break Dharma within any of our lifetimes without having discovered a flaw would require access to a quantum computer that is capable of running Shor’s algorithm. The highest number ever factorized using said algorithm and quantum computers is 21, which is just short the 307 digits that would be required to break Dharma. So either they have access to a quantum computer that is far beyond even our wildest dreams, have found a flaw that literally thousands of researchers and cryptographers missed, or have an arrangement with the ransomware author to pay ransoms, possibly with a discount or referral bonus in place.”
Ransomware is a dangerous type of software that is usually disseminated via infectious attachments in emails.
Attackers usually spam out click-bait emails randomly, or in some cases, use “social engineering” (profiling) to identify individuals working at a targeted entity and fashion custom emails designed to trick them.
In one case, ransomware attackers identified a dog enthusiast working at a cryptocurrency exchange and sent that person an email advertising “a nearby dog show.”
The person clicked on a link inside the email and released “Trojan” malware that enabled a deposit of ransomware to be distributed throughout company systems. Cryptocurrencies were then stolen from customer accounts.
Attackers have thus been been moving focus onto attacking universities, governments, healthcare facilities and private firms in Canada, the UK, Europe and elsewhere.
Once ransomware is present in a system, it is used to lock data and sometimes entire systems.
Victims are typically alerted to the presence of ransomware on their systems by a note that appears on home screens demanding a ransom to be paid in cryptocurrencies to unlock data.
Emsisoft offers its own ransomware decryption service but says no-one has been able to decrypt Dharma.
Suspicious of Fast Data Recovery’s claims, Emsisoft encrypted a set of files using Dharma and then queried Fast Data Recovery about possible decryption:
“(W)e posed as a ransomware victim – my wife, Rhonda, actually – and asked a data recovery company for help.”
“We used my wife’s business info because we know from past experience that data recoveries may not reply unless they can establish the victim is real. This is likely to minimize the chance of being caught by a sting operation.”
“We sent the company…a file encrypted by Dharma ransomware. We made it very clear that under no circumstances did we want to pay the ransom. The company claimed it would be able to ‘reverse engineer the ransomware decryption key’ for a fee of $6,879.00 USD/$9,650.00 AUD.”
In support ticket correspondences with the Emsisoft investigators, Fast Data Recovery claimed their proposed decryption operation would have a high rate of success:
“After analysis our engineers have determined a very high chance of data recovery after the analysis was performed on your sampling files.
“Your infection is part of the DHARMA ransomware family. One of the most active types of ransomware on the internet since 2016 with 2-3 new infections per week.”
“Your files have been identified to have a complex encryption key. A time consuming/complex process but the recovery is guaranteed.”
“Our team has been successful in 100% of all dharma ransomware cases presented to our company.”
“We will be using our streamlined process and latest technology to speed up the recovery process.”
Emsisoft wonders how Fast Data Recovery knows how to set its rates:
“A copy of (the ransom note typical in Dharma attacks) was sent to Fast Data Recovery along with the encrypted file. You’ll see that the note does not specify the amount of the ransom. To find that out, you need to contact the ransomware developer. Dharma demands we’ve previously seen range from to $2,500 to to more than $100,000. This gives rise to an obvious question: how did Fast Data Recovery know how much to charge?”
Ultimately, Emsisoft, “make(s) no comment as to what Fast Data Recovery may or may not be doing. Generally speaking, however, if a company claims to be able to recover files encrypted by Dharma,” this is not the case.