Between 2015 and 2018, at least 200 individuals and groups found themselves the victims of SamSam ransomware attacks. Hackers would use the software to paralyze targets’ computer networks — and demand that victims pay a ransom, often in cryptocurrency, to regain access.
Some of these targets turned to a company called Proven Data Recovery to regain access to their networks. But according to a new investigation by ProPublica, rather than using the “latest technology” to free the locked data, as the company told clients it would, it often just paid off the hackers — money that may have gone on to fund terrorism.
Targets of the SamSam attacks included hospitals and government agencies, so it’s easy to see why these victims were willing to hire a third party in an effort to regain access as quickly as possible.
However, rather than actually countering the attacks, ProPublica found that the firm would negotiate with the hackers, regularly paying their requested ransoms — and then charging the clients for the payments on top of other substantial fees.
It got to the point that hackers would even direct their victims to hire Proven Data, the company’s former employee Jonathan Storfer told ProPublica.
“SamSam would be like, ‘If you need assistance with this, contact Proven Data,’” Storfer said, later adding that “the weirdest thing was clients would ask us why, and we would have to respond to that, which was not a really fun conversation.”
In late 2018, the U.S. Department of Justice charged two men with creating and deploying the SamSam ransomware. It’s not yet clear what the men intended to use the money for, but they hailed from Iran, a nation frequently accused of sponsoring terrorism.
Proven Data’s CEO Victor Congionti told ProPublica that the company stopped paying the SamSam attackers after the U.S. revealed they were Iranian, saying that “under no circumstances would we have knowingly dealt with a sanctioned person or entity.”
However, Storfer thinks the halt on negotiating may have come too late.
“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” he told ProPublica. “So the question is, every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”