Russian "IT consultants" making money by scamming ransomware victims

Russian scammers are charging ransomware victims for the alleged decryption service

Dr. Shifro makes profit from ransomware victims

A business strategy helped Russian cyber brokers to make at least $300,000 in a few years.

It seems that the Russian consultancy firm Dr. Shifro is scamming ransomware victims by promising to help them decrypt their encrypted files.[1] The scammers have been actively offering a decryption service to Dharma/Crysis victims, who have been hit by this strain of malware and are desperately searching for a decryption key to get their files back.

According to cybersecurity researchers from Check Point[2], the company generates its profit with a simple trick: it pays the ransom to the original ransomware operators and then charges the victim 75% more than it paid. This works more like a broker service than a cybersecurity consultancy.

Unfortunately, the scammers have been operating openly on the web. By adding a thousand dollars to the initial ransom, they managed to make over $300,000 in these few years of activity. According to IT experts, the firm has already “helped” around 300 ransomware victims.

Dr. Shifro offers only one service — unlocking encrypted files

In its description, the firm claims to assist ransomware victims by unlocking data that became useless due to the ransomware attack and encryption. The Russian firm states that it can open files affected by the Dharma/Crysis ransomware. Given that no decryption tool is available for this particular strain, the scammers have successfully grown their customer base.[3]

This questionable offer also prompted Check Point to look into the alleged cybersecurity firm. While researching the firm and its services, experts found a few customers and analyzed the strategy. Researchers stated in their investigation:

The business model that Dr.Shifro has created is an attractive one that could easily be replicated by other entrepreneurial scam artists and serves as a new development of the ransomware industry that both individuals and organizations should be wary of.

According to experts, these scammers do nothing more than contact the hackers and ask for a discount on the ransom amount. Then they pay the ransom on the particular victim's behalf and bill the victim, adding a thousand dollars or so on top. The only consultation taking place here is between the ransomware developers and the cyber brokers.

An example of their communication with the hackers looks like this:

I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?

WARNING: there are numerous IT services offering the same help

There are many IT service providers and individual cybersecurity experts offering help with file recovery and data decryption. However, the decryption tools or keys they use are, in most cases, freely available online.[4] The fact that decryption keys for a particular virus can be obtained this way encourages scammers to come up with new strategies.

Dr. Shifro is not a scammer in the typical sense, where hackers lure people into revealing their details or take money from users directly and give nothing in return.[5] It is simply unethical behavior and an unpleasant experience for the people involved. Since there is no transparency in the service, the people behind this shady business refuse to comment or give more information about their activity.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
