Brett Callow, a researcher with security company Emsisoft, said his wife had posed as someone who had been hit by the Dharma ransomware and asked Fast Data Recovery to help recover the data. "We did it this way because we know from past experience that data recovery firms may not reply unless they can establish the victim is real. This is likely to minimise the chance of being caught by a sting operation. As my wife runs a small business, the query would appear to be legitimate were they to look her up," he explained.
Callow said he had sent the company a file encrypted by Dharma and made it clear that he did not wish to pay the ransom.
"The company claimed it would be able to 'reverse engineer the ransomware decryption key' for a fee of US$6879/A$9650," he said.
"Dharma uses perfectly implemented RSA-1024 and the key needed to decrypt a victim’s files can only be created by the criminal or someone with access to the criminal’s private key."
The full response from Fast Data Recovery was:
"Thank you for contacting Fast Data Recovery - The Ransomware Recovery Experts
"Please note FREE evaluation can take up to 10 days and its dependable on our workload and its treated as a non-priority.
"If this is an Emergency/URGENT please contact us or reply back to this email to use our Priority Evaluation Service for fast turnaround (4-24 hours) OR 1 HOUR quote for Dharma / Crysis Ransomware
"Dharma ransomware will have the following extensions at the end of your files (COMBO, BIP, GAMMA, JAVA, BRRR, HEETS, ETC, BTC, 888, ADOBE, GAMMA, Phobos). Click here for a full list of Dharma Ransomware,.
"Our Priority Evaluation service cost $350AUD for most for most type of infections with the exception to Dharma and Gandcrab infections.
"Dharma / Gandcrab Priority evaluation cost $175 AUD Please note the cost of Priority evaluation will be deducted from the cost of recovery and in the unlikely chance we are unable to work with your encryption, a full refund will be issued.
"We have a proven track record of 100% ransomware data recovery and back our claim with No Data = No Charge.
"If you would like to add any additional information to your case, simply reply to the email you receive or log into the case management system."
Callow said Emsisoft did not wish to make any comment as to what exactly Fast Data Recovery was doing.
The chief technology officer of Emsisoft, Fabian Wosar, commented: "Since emerging in 2016, Dharma has been reverse engineered to death by the entire malware research community. If a flaw existed that enabled the encryption to be broken, it would almost certainly have been discovered a long time ago.
"To break Dharma within any of our lifetimes without having discovered a flaw would require access to a quantum computer that is capable of running Shor’s algorithm.
"The highest number ever factorised using said algorithm and quantum computers is 21, which is just short of the 307 digits that would be required to break Dharma.
"So either they (Fast Data Recovery) have access to a quantum computer that is far beyond even our wildest dreams, have found a flaw that literally thousands of researchers and cryptographers missed, or have an arrangement with the ransomware author to pay ransoms, possibly with a discount or referral bonus in place.”
Callow sent iTWire a copy of the ransom note and said another copy had been sent to Fast Data Recovery along with the encrypted file. The note reads: "all your data has been locked us. You want to return? write email [email protected] or [email protected]".
"You’ll see that the note does not specify the amount of the ransom," Callow said. "To find that out, you need to contact the ransomware developer. Dharma demands we’ve previously seen range from to US$2500 to to more than US$100,000. This gives rise to an obvious question: how did Fast Data Recovery know how much to charge?"
Fast Data Recovery is based at 77 King Street, Sydney; Callow said the company was advertising its services in the US, Canada and Europe.
iTWire has contacted Fast Data Recovery for its side of the story. The company had no dedicated media contacts and only a generic email address is available for communication.