Data recovery firm indicted for conspiring with ransomware hackers for four years

By Kuksung Nam, The Readable
Nov. 21, 2023 7:45PM GMT+9

A South Korean entrepreneur who runs a data recovery firm was indicted on charges of conspiring with ransomware hackers for nearly four years, South Korean prosecutors announced on Monday. An employee of the firm was also indicted on the same charges.

In a press release, the Seoul Central District Prosecutors’ Office stated that the defendants worked with the ransomware hackers from October 2018 to July 2022. They allegedly worked side by side with the criminals and extorted more than 2 billion won ($2 million) from their mutual victims.

According to the statement, once the ransomware hackers had encrypted the victims’ computers with malicious code called ‘Magniber,’ they shared detailed information about their attack with a handful of data recovery companies, including that of the accused. When the Magniber ransomware encrypts a computer, it changes each file name extension to a random string of five to ten lower-case letters. The defendants, under their company’s name, publicized the name of the extension online, hoping to entice desperate victims into contacting them for a solution.
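The extension pattern described above is also a defender’s detection signal: a burst of files whose final extension is a novel five-to-ten-letter lower-case string points to a Magniber-style rename. The script below is an added example, not code from the article or from law enforcement; the allow-list of known extensions, the file listing and the threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Assumed allow-list of legitimate extensions that a plain "5-10 lower-case
# letters" check would otherwise flag; extend it for your own environment.
KNOWN_EXTENSIONS = {
    "txt", "docx", "xlsx", "pptx", "jpeg", "html", "json", "yaml", "sqlite",
}

# Magniber-style marker as described in the article: 5-10 lower-case letters.
RANDOM_EXT = re.compile(r"^[a-z]{5,10}$")


def final_extension(path):
    """Return the last extension of a path (handles '/' and '\\' separators).
    Works whether the ransomware replaced or appended the extension, because
    only the final component after the last '.' is examined."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1] if "." in name else None


def suspicious_extensions(paths, min_files=5):
    """Return {extension: count} for extensions that look like a mass
    Magniber-style rename: random lower-case letters, not on the allow-list,
    and present on at least `min_files` files (one odd file is not an event)."""
    counts = Counter()
    for path in paths:
        ext = final_extension(path)
        if ext and RANDOM_EXT.match(ext) and ext not in KNOWN_EXTENSIONS:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= min_files}


# Constructed sample listing (not real victim data): six renamed documents,
# some untouched files, and one legitimate but unlisted extension ("gradle").
SAMPLE_LISTING = [
    r"C:\Users\kim\Documents\report.docx.vqhzkwp",
    r"C:\Users\kim\Documents\budget.xlsx.vqhzkwp",
    r"C:\Users\kim\Documents\slides.pptx.vqhzkwp",
    r"C:\Users\kim\Pictures\holiday.jpeg.vqhzkwp",
    r"C:\Users\kim\Desktop\todo.txt.vqhzkwp",
    r"C:\Users\kim\Desktop\contract.pdf.vqhzkwp",
    r"C:\Users\kim\Downloads\readme.txt",
    "/home/kim/project/build.gradle",
    "/home/kim/project/config.yaml",
]

if __name__ == "__main__":
    print(suspicious_extensions(SAMPLE_LISTING))  # {'vqhzkwp': 6}
```

Raising `min_files` to the typical size of a user’s document set, or scoping the count per directory, cuts false positives from stray build artifacts while still catching a mass rename.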

The prosecutors stated that this enabled the hackers to forge a direct connection with the ransomware victims, who usually seek recovery services by searching for the file name extension with a search engine. The defendants received a decryption key from the hackers and handed it over to the victims in return for the ransom payment the hackers demanded to restore their systems. In addition, the defendants required the victims to pay the same amount again under the pretext of providing them with “recovery services,” thereby doubling the ransom.

South Korean law enforcement stated that this is the first time they have discovered a case in which a hacking group and a data recovery company actively collaborated in deploying ransomware attacks. Law enforcement did not disclose details of the cybercriminals who worked with the defendants. However, based on the type of malicious code deployed against the targets, they assumed that the hackers are associated with ‘Lazarus,’ a North Korean state-sponsored hacking group. The Readable reached out to the South Korean prosecutors’ office for further information on the identity of the ransomware hackers. Law enforcement officials, however, stated that they could disclose no further information on the case at this time.

The cover image of this article was designed by Sangseon Kim. This article was copyedited by Arthur Gregory Willers.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.