In this video by Shutterstock Tutorials, Robbie Janney shows you how to create dramatic portraits with shadow photography by using everyday objects to create those shadows.
Shadow portraits
If you are after something different to do with your portraits, using shadows can create dramatic effects and make your photos stand out.
Shadow photography is an interesting niche to explore. You can achieve it by doing the following:
What you need:
A hard key light
A backlight (like a Quasar or similar)
Some cool household items that light can pass through (colanders, wicker baskets, film strips, etc.)
When shooting through the objects, the light can become softer instead of the hard light you are trying to achieve. This problem can be attributed to the light source’s aperture. Similar to your camera, when you want an image with nice sharp edges, you close your aperture to one of its smallest settings.
It’s the same with your light source. Just in this instance, you’re limiting the amount of light being put out, not absorbed. This limits the amount of diffraction that your light projects, creating a harsher shadow when passing through your opaque object.
Most lights won’t have an aperture setting, so to cut down the beam of light, cut a hole in a piece of black cardboard and put that close to your light source using a stand to narrow the light beam. You can even change the shape of the hole in your cardboard for different effects.
Once you have your studio set up and your light ready, get creative with your shots by changing up the angle of light, subject, or the type of object you are sending the light through.
Experiment to get your best shots.
– the dPS Managing Editor, lives in Wollongong, Australia and has worked as a photographer, filmmaker, and designer in her business, Exposure Arts and Media, for 15 years. Her background extends to Digital Content Management, and Editorial Design. In her spare time, she composes music as Dreamgirl and the Motorist. Since the age of 12, she knew she would be a photographer – the other stuff came as a surprise!
Almost every high-end phone has some kind of night mode nowadays: Google has Night Sight, LG has Night View, and Samsung has Bright Night. Unfortunately, Samsung’s version has some weird restrictions that only enable Bright Night in very low light conditions, instead of letting you turn it on whenever you want. It’s really annoying and something I called out in my Galaxy S10 review. But that’s no longer the case.
Thankfully, it seems Samsung was listening because according to SamMobile, there’s a new update rolling out for the Galaxy S10 that will let you use Samsung’s Bright Night mode just by selecting the feature in the phone’s camera app. For now, the update only seems to be available in Switzerland, but since the software patch also includes the latest monthly Android security patch, we expect the update to begin showing up on phones in other regions soon.
Previously, in order to trigger Bright Night mode, the phone needed to be in an environment with less than 1 lux of light, which is roughly equivalent to the amount of light you get from a single candle from one meter away. Only then would the S10’s camera app automatically trigger Bright Night mode, giving you the choice to keep it on, or turn it off.
In the new update, Bright Night will get broken out into a dedicated mode with its own tab so that you can activate the feature at will. This is a nice upgrade to the S10’s photography, as it gives users much more control and flexibility when it comes to tackling a shot in poorly lit environments.
That said, it seems the mode itself is largely unchanged, which might be a bit of a bummer for some because, as I discovered, Samsung’s Bright Night Mode isn’t quite as powerful as Google’s Night Sight. But if Samsung can upgrade Bright Night mode to full-time status, here’s hoping more camera improvements are in the works as well.
First, an awkward acknowledgement: This final season of Game of Thrones has been hella uneven. For every incredible high—Arya shivved the Night King!—there have been scores of lows. (Like, seriously, does anything Tyrion proposes make rational sense?) Granted, the show has a lot of loose ends to tie up, but in doing so, it’s left quite a few of us totally frayed.
But there’s hope. Season 8 may have been a roller coaster up until this point, but Game of Thrones has one final episode left in which it could make everything right. It is possible! It’s highly unlikely, but still possible. To that end, WIRED gathered some in-house Thrones enthusiasts—writers Emily Dreyfuss, Emma Grey Ellis, and Peter Rubin, and editors Angela Watercutter, Jason Kehe, and Andrea Valdez—to talk about what they need from this final episode, and what questions they need answered, in order to feel satisfied with the show’s ultimate conclusion.
There Has to Be a Definitive Winner of the Iron Throne
Emily Dreyfuss: I don’t know about y’all, but I don’t think there’s anything this last episode could do to make me feel fulfilled. What I want is an ending to this series that’s paced at the same rate as the beginning and middle of this series, one that earns the plot points this last season shoved down our throats without appropriate buildup. There’s no way showrunners David Benioff and D. B. Weiss are going to end Game of Thrones with a time machine that goes back a few years and undoes their seemingly arbitrary decision to speedily wrap this show up in a manner that requires complicated characters to act in ways we’ve never seen them act before. And frankly, that’s the only thing they could do to please me at this point. Without that break in the laws of nature, I fear that whether Jon kills Dany or Sansa becomes queen or whatever will just feel irrelevant and I’m only going to be sad that it’s over, and sad that it ended this way.
Emma Grey Ellis: I saw that dissatisfaction coming after the first episode of this season, so I decided to de-invest. I barely watch the episodes anymore. I scan Twitter for spoilers so I know when to pay attention and when to just let the stultifying-yet-somehow-rushed scenes of exposition and shoddy (again, rushed) character development slide by. At this point, I see the characters the way Benioff and Weiss seem to: as plot devices, not people. All I want from the finale is for it to be logically defensible, which I honestly think is the best we can hope for.
Angela Watercutter: I agree, Game of Thrones has felt very rushed this season, which is odd since it seemed like people complained for years that it was too slow. I think the main problem is that the show was so good at building characters in the first few seasons that now that they’re people of action and not people of words, they feel hollow. Their actions feel less earned. Yet, we’re all invested now, and we have to see this through. To that end, there’s only one thing I really need: I need someone to definitively hold the Iron Throne when the credits roll on Sunday. This show is casting off plotlines left and right, but that’s the one it cannot lose. Someone becoming the new ruler of Westeros is the whole point of the show; hell, it’s the whole point of the show’s title. I don’t care who wins anymore, but so long as it is someone then the show will at least not have failed at its main objective. A low bar, I know, but it’s the one I’ve set.
Ellis: I think the show can still honor most of its characters’ purposes, if not their persons. Our obvious chosen ones—Jon and Dany—can’t end up on the throne. The throne should be held by someone who knows how to play the game, and neither Dany nor Jon do. Plus, the show has been teasing Dany’s possible madness for seasons, and Jon has been giving off big Ned Stark energy. Sansa is the best player left on the board now that Tyrion is mysteriously dense, so she should win.
Andrea Valdez: Though, if the showrunners (with George R.R. Martin’s consultation) wanted to be super subversive—which was a primary approach GRRM took in writing his epic and what set it apart from other fantasy series—no one could win the throne. It would be hugely dissatisfying to everyone, but perhaps it would be a lesson that the game of life doesn’t have to be a zero-sum game. Dany could rule the southern lands of Westeros from her mad throne and Sansa could run the North, sensibly and reliably protecting it against winter. Or, if the showrunners wanted to dole out more fan service a la Cleganebowl, they could throw a bone to a different set of fans: the shippers who have been rooting for Jon Snow and Sansa Stark to fall in love and rule together.
Dreyfuss: Sansa would NEVER put up with Jon’s nonsense.
Peter Rubin: I can’t help notice that no one has mentioned boy wonder Robin Arryn. It’s true that we haven’t seen the world’s oldest breastfeeder since Season 6, but if Dany goes down (more on that in a sec) and Jon goes down as well (more on that in a sec), and Gendry goes off to pine for Arya in his new capacity as the sword-forgin’ lord of Storm’s End, young Sweetrobin just might have a sho—oh, god, I can’t do this anymore. Obviously it has to be Sansa.
Dreyfuss: Oh my god, Robin Arryn is alive?! I completely forgot that. Now I’m mad the show is ending before murdering him.
Is Someone Going to Kill Daenerys?
Watercutter: This is hard to say, because I’ve been rooting for her pretty much since the beginning, but I feel like Daenerys might die in the finale. After she ransacked King’s Landing in the penultimate episode, she fully lost the Breaker of Chains, Mercy Giver high ground that she’d had before and will likely have to pay for that. In many ways, I feel for her—she does seem to be struggling with some mental health issues—but I feel like much of Westeros will probably just see her as a threat worse than Cersei and try to get rid of her. Some hypothesize that it could be Jon that kills her, but I’d guess Arya. She’d do anything for Jon or Sansa and since she didn’t execute Cersei, she might set her sights on Dany. This all feels so very tragic, even as I type it, but that’s my guess. Am I wrong?
Ellis: Nah, I think you’re right. If Arya kills Dany (and that bit of prophecy about green eyes suggests she will) and serves under Sansa, the story comes full circle: a realm effectively ruled by a pair of powerful siblings, one a cunning political thinker and the other a Kingslayer. I think that would satisfy me. Then again, this is Game of Thrones, so maybe all of that is backward.
Jason Kehe: Arya can’t do the deed! I mean, yes, I certainly agree someone must go all Katniss in Mockingjay and let fly an arrow aimed directly at the new she-tyrant’s head—but Arya already knifed the Night King. Can they really have the same character neatly and world-savingly kill two major villains? Even for a season as narratively unconvincing as this one, that’s dumb. Then again, no one else seems capable. Jon’s a wussy-puss. Tyrion hasn’t been effective in four seasons. Sansa—eh, maybe, but she’s pretty slow-moving in all those furs. Well, there is Yara, who better come back for the finale. Maybe she’ll seduce lovelorn Dany and then kiss her with poisoned lips so sweetly! That, or Dany, sensing her own madness, self-dracaryses. Committing hari-Drakari, as it were. Whatever happens, I’ll say this: They’re still keeping us guessing, which is some kind of victory.
Dreyfuss: I totally agree. Arya can’t be the double savior of everything. Maybe Dany could die in a tragic dragon-fire burp accident. No one would see that coming. And it would be weirdly in keeping with the show’s inappropriate shoehorning in of jokes at the wrong moments. But honestly, maybe Samwell could kill her? He’s set up to be the Horatio of this story, to live to tell the tale; why not also plunge the final dagger? And he’s already proven he can kill White Walkers despite everyone assuming that he’s too chunky to be powerful.
Rubin: The answer, of course, is Hot Pie. The answer to everything is Hot Pie. But if Hot Pie can’t come galloping in on a pastry steed waving a death-baguette, Arya might not need to be the double savior of her family—she could simply be the redeemer. That, of course, hinges on Jon Snow getting a death do-over. Nephewsurper or no, he’s got to be doing a little soul-searching vis-à-vis that whole Dany-on-the-throne thing after the slaughter of King’s Landing, which means some sort of confrontation is inevitable. Jon lucked out with Viserion, but might not with Drogon, or even Dany herself. So while it might feel trite if Arya saves Jon, I’d love to see her avenge him. After all, she left King’s Landing riding a pale horse; how could that not pay off?
Arya Has to Put on a Face
Valdez: For basically all of the fifth and sixth seasons, we saw Arya in Braavos, training with the Faceless Men. For me personally, it was a bit of a plodding story arc, but I persevered through it thinking it would prove valuable in helping Arya, a slight girl brought up in high society, become the badass assassin she always aspired to be. And at the end of Season 6, it paid off: few moments in the series were as satisfying as watching Arya peel off the face of a servant girl, state her name and intention, and methodically slice Walder Frey’s throat open, like his family did to her mother. Since then, we’ve seen Arya wear only one other face (Frey’s, before she poisoned his entire clan). Just one. We know she’s traveling with a collection of them; Sansa found the bag of them when Arya returned to Winterfell. And perhaps Arya has worn others and we just haven’t seen it. Which is why it makes sense to me that the writers will finally make use of Arya’s gruesome parlor trick, allowing her to wear a face to kill just one more person. My prediction? She’ll wear the face of Grey Worm to kill Daenerys.
Dreyfuss: That’s genius. But alternatively, she could wear the face of Drogon. She’ll have to hide her body inside a, uh, large building of some kind, but it could work! [Editors’ note: It could not work.]
Watercutter: I feel like Arya could also put on the face of Tyrion to kill Dany. At least then his character would serve a useful purpose this season. (And, once again, I’ve made myself miserable thinking about how tragic this all is.)
Rubin: I was about to propose that she wear the face of Jon—think of it!—but then I realized that I have no idea how the faces work. Can one use the face of the living? Andrea, I feel like you have a copy of whatever the Westerosi version of Robert’s Rules of Order is. Is there maybe a chapter on Shape-Shifting Angel of Death protocol?
Valdez: In WIRED’s Game of Thrones podcast, Citadel Dropouts, co-host Spencer Ackerman made an excellent point early on about the importance of Bran as a source of information. Any good military force makes smart use of its intelligence service, and thus far, Bran has offered virtually no counterintelligence to his allies. And seemingly no one has tapped his vast reservoir of knowledge of past and present. Also, Bran has his own parlor trick, one that is nearly as useful as Arya’s face-swapping technique: Bran can warg into animals (and people!) and control them at his will. Why haven’t we seen Bran warg into a dragon already?
And another thing about the Bran plotline, I have spent a shameful amount of time reading Reddit threads about GoT, so many of which theorize about Bran and his relationship to the Night King. The Battle of Winterfell episode felt bereft of the exposition I expected to explain their connection, but I accepted that because the purpose of those 90 minutes was to bring us the most epic war scene committed to camera. (And now we know that Bran was not the Night King.) However, with so little time left, I fear we’ll never know if Bran was Bran the Builder (a popular theory) or what it means that he’s the Three-Eyed Raven.
Rubin: Dunno, Bran was overhyped in the ’80s, and he’s overhyped now. When all the time-is-a-flat-circle, Bran-as-Night-King theories spun up, I was intrigued, but with Benioff and Weiss (truly the Shields and Yarnell of our time, minus the inexplicably popular mime stuff) proving themselves all too willing to let threads dangle, my own Three-Eyed cravin’ has faded fast. Let’s let him go through incredibly awkward puberty in peace.
Dreyfuss: The Bran chapters were the most tedious in the books, in my opinion. But there were so many of them that it does feel like a complete waste of time for him to wind up being useless. Martin clearly at some point thought he was essential. But then again, the show dropped many an important thread from the books—Lady Stoneheart anyone, anyone?—that I don’t expect the show to somehow make Bran matter now. The whole show is ending on such a weird note that I think I’d be OK if Bran just slinked around in the background a little more and went down in GoT history as a mere meme.
Yara Should Come Back
Watercutter: I just miss her, you know?
Everyone: We know.
Sansa Needs to Do … Something
Dreyfuss: What Sansa needs is a Varys who she could secretly manipulate in the background to orchestrate her own ascension to the throne. But given that he’s dragon breath now, I suppose that leaves Tyrion as her puppet. At least that part was set up two episodes ago. Let’s hope they resurrect Tyrion’s ingenuity and activate Sansa’s agency long enough to get them to hatch and execute a plan.
Watercutter: This is where my Bran Theory comes in: I hope that the long talk Tyrion apparently had with Bran earlier this season means that Tyrion got some intel he can use to help Sansa. But I dunno.
Kehe: In theory, Sansa’s the savviest Stark. Smarter than Jon, less impulsive than Arya, more coherent than Bran. She’s also a real snooze. She shuffles around Winterfell in elaborate furs, staring icily while advising rest for troops. So inspiring! Actually, maybe I’m not being facetious. In a show where everyone’s getting stupider by the hour, Sansa’s kept her head. Quite literally. Doesn’t have Mom’s feral verve, but Catelyn got her throat sliced open, so. Sansa’s a pragmatist, a realist, a through-and-through competent. It’s refreshing, a breath of wintry air. More important, she genuinely wants to lead. Unlike Jon, she’s comfortable in a position of authority. She’s not easily flustered. What do I want from Sansa in the finale? To be boring and graceful and stoic and kind, to stare idiocy and fire in the face with equanimity. To be sense in the sea of chaos. And then to tell everyone in Westeros to get some much-needed shut-eye. Good night!
Hello friends! Welcome to today’s edition of The Monitor, WIRED’s look at all the news in the world of pop culture. What’s happening this week? Well the Upfronts are still going on, so there’s a lot of talk about new TV shows—and the fates of some previous ones. Also, Hannah Gadsby is doing a terrible job of quitting comedy and Miley Cyrus is in the new Black Mirror trailer. Let’s go get ’em.
Hannah Gadsby Is Getting Another Netflix Special
Following her breakout role as Someone Who Totally Upends Comedy with her special Nanette, Hannah Gadsby is coming back to Netflix with a new special. Called Douglas, the special will presumably be from the show of the same name, which Gadsby is currently touring around the US. It’s set to hit the streaming service next year.
Fox Has a New Show About an Evil Alexa
So, Fox has a new sci-fi drama. It’s called neXt, and it appears to be about an Alexa-type device that goes full-on sentient AI and tries to seriously ruin humanity. (The device is called Iliza, FYI.) It’s hard to tell if this looks good or not, but casting the guy who plays Tony Stark’s dad—John Slattery—as a tech CEO is pretty genius. Per the trailer, the Singularity hits “soon.”
Bad news for everyone who loved the early-aughts internet: YTMND seems to have officially shuttered. Launched in 2004, You’re the Man Now Dog was one of the central hubs for meme culture. It’s a sad day on the internet, indeed.
Rick and Morty Is Returning in November
After lots of waiting and fan frustration, it seems as though Rick and Morty’s fourth season is finally making it to the air. The Adult Swim series is officially coming back in November. Exactly which day in November is unknown—as are any details about what will happen in the new series—but regardless, its return is nigh!
Here’s a Trailer for Black Mirror Season 5
But that’s not all! In other New Things to Watch on Netflix News, the streaming service just released a new trailer for Black Mirror’s fifth season. It’s got smartphones, creepy robots, and Miley Cyrus. Also, Mortal Kombat–esque fight sequences! The new season launches June 5.
As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra.
From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.
“You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”
At a press conference last November, then-Deputy Attorney General Rod Rosenstein announced that the U.S. Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. Many SamSam targets were “public agencies with missions that involve saving lives,” and the attackers impaired their ability to “provide health care to sick and injured people,” Rosenstein said. The hackers “knew that shutting down those computer systems could cause significant harm to innocent victims.”
In a statement that day, the FBI said the “criminal actors” were “out of the reach of U.S. law enforcement.” But they weren’t beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.
Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.
“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”
Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.
Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.
The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.
In contrast to Proven Data and MonsterCloud, several other firms, such as Connecticut-based Coveware, openly help clients regain computer access by paying attackers. They assist victims who are willing to pay ransoms but don’t know how to deal in bitcoin or don’t want to contact hackers directly. At the same time, Coveware seeks to deter cybercrime by collecting and sharing data with law enforcement and security researchers, CEO Bill Siegel said.
Siegel refers to a handful of firms globally, including Proven Data and MonsterCloud, as “ransomware payment mills.” They “demonstrate how easily intermediaries can prey on the emotions of a ransomware victim” by advertising “guaranteed decryption without having to pay the hacker,” he said in a blog post. “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.”
MonsterCloud chief executive Zohar Pinhasi said that the company’s data recovery solutions vary from case to case. He declined to discuss them, saying they are a trade secret. MonsterCloud does not mislead clients and never promises them that their data will be recovered by any particular method, he said.
“The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation,” he said. “Those victims of attacks should never make contact themselves and pay the ransom because they don’t know who they are dealing with.”
On its website, Proven Data says it “does not condone or support paying the perpetrator’s demands as they may be used to support other nefarious criminal activity, and there is never any guarantee to obtain the keys, or if obtained, they may not work.” Paying the ransom, it says, is “a last resort option.”
However, chief executive Victor Congionti told ProPublica in an email that paying attackers is standard procedure at Proven Data. “Our mission is to ensure that the client is protected, their files are restored, and the hackers are not paid more than the minimum required to serve our clients,” he said. Unless the hackers used an outdated variant for which a decryption key is publicly available, “most ransomware strains have encryptions that are too strong to break,” he said.
Congionti said that Proven Data paid the SamSam attackers “at the direction of our clients, some of which were hospitals where lives can be on the line.” It stopped dealing with the SamSam hackers after the U.S. government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. “Under no circumstances would we have knowingly dealt with a sanctioned person or entity,” he said.
Proven Data’s policy on disclosing ransom payments to clients has “evolved over time,” Congionti said. In the past, the company told them it would use any means necessary to recover data, “which we viewed as encompassing the possibility of paying the ransom,” he said. “That was not always clear to some customers.” The company informed all SamSam victims that it paid the ransoms and currently is “completely transparent as to whether a ransom will be paid,” he said.
“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”
No U.S. laws prohibit paying ransoms. The FBI frowns on it officially — and winks at it in practice. Ransom payment “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes,” an FBI spokesperson told ProPublica in an email. But in 2015, the assistant special agent in charge of the FBI’s cyber program in Boston said at a cybersecurity conference that the bureau will “often advise people just to pay the ransom,” according to news reports.
Paying a ransom while pretending otherwise to a client, though, could constitute deceptive business practices prohibited by the Federal Trade Commission Act, said former FTC acting chairman Maureen Ohlhausen. “Any claim that a company makes, they can legally be held to that claim,” she said. Neither MonsterCloud nor Proven Data has been cited by the FTC.
Storfer, who worked for Proven Data from March 2017 until September 2018, said in a series of interviews that the company not only paid ransoms to the SamSam hackers, but also developed a mutually beneficial relationship with them. As that relationship developed, he said, Proven Data was able to negotiate extensions on payment deadlines.
“With SamSam, we could say, hello, this is Proven Data, please keep this portal open while we contact and interact with the customer while moving forward,” Storfer said. “And they would remove the timer on the portal. And then they would respond quicker and in many cases would be able to provide things a little bit easier.”
The SamSam attackers didn’t identify themselves, he said. While Proven Data generally concealed its identity when responding to ransom demands, “we were very open” with the SamSam hackers, “and we would essentially announce ourselves,” Storfer said.
Eventually, the attackers began recommending that victims work with the firm. “SamSam would be like, ‘If you need assistance with this, contact Proven Data,’” said Storfer, who declined to identify clients. Some of them wondered about this endorsement. “Honestly, the weirdest thing was clients would ask us why, and we would have to respond to that, which was not a really fun conversation,” he added.
The referrals indicate the SamSam hackers’ confidence that Proven Data would pay the ransom, said Bart Huffman, a Houston lawyer specializing in privacy and information security. Such prior understandings could be seen as a criminal conspiracy and may violate the U.S. Computer Fraud and Abuse Act, he said.
“That does seem like you are working for the other side,” Huffman said. “You are facilitating the payment at the recommendation of SamSam, in the manner suggested by SamSam.”
Proven Data has never been charged with such a violation. The company “never had a ‘close relationship’ with SamSam attackers,” said Congionti, who didn’t comment on the recommendations specifically. “Our contact with attackers is limited to minimizing the attack on the customer. … Anyone can reach out to a hacker and tell them to keep the portal open longer.”
The father of ransomware was Harvard-educated anthropologist Joseph L. Popp Jr. While researching the theory that AIDS originated in green monkeys in East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS education to people interested in public health. When recipients ran the disk, their computers froze, and a message on the screen instructed them to send up to $378 to a post office box in Panama for a second disk that would restore their access.
The FBI arrested Popp before he could carry out his plan to distribute another 2 million disks. U.S. officials extradited him to England, where he was deemed mentally unfit to stand trial, John Kilroy, one of his lawyers, said.
“I believe he sincerely wanted to stop the spread of AIDS,” Kilroy said. “He lost his way in doing the ransom. I don’t think he had a good understanding of the consequences for other people.”
Popp, an Ohio native, returned to the U.S. and settled in Oneonta, New York. There, he helped establish a butterfly conservatory that was named in his honor after he died in a 2006 car accident at age 55, according to a local news clipping and his death certificate.
He didn’t live to see his brainchild become one of the world’s most common types of cybercrime. It wasn’t until 2012, when bitcoin began gaining traction, that ransomware took off. The decentralized digital currency made it difficult to trace or block payments.
Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security.
“Ransomware continues to spread and is infecting devices around the globe,” the FBI said in a statement. “We are seeing different kinds of ransomware, different deployment methods, and a coordinated distribution. The FBI considers it one of the top cybercriminal threats.”
Yet the FBI’s Internet Crime Complaint Center counted only 1,493 ransomware victims in 2018 — a figure the bureau itself says represents only a small fraction of total incidents. Victims don’t report attacks, perhaps because they’re embarrassed or reluctant to admit to gaps in their IT security, according to law enforcement officials.
Even when victims do report ransomware, the culprits are rarely caught. The Iranians who allegedly distributed SamSam were the first people ever indicted by the U.S. government for deploying a ransomware scheme, although others have pleaded guilty to money laundering or computer damage in connection with ransomware.
While demands to businesses and municipal governments have reached as high as six figures, the average ransom sought is a few thousand dollars, according to cyberresearch firms. That’s well below the thresholds maintained by federal prosecutors to trigger an investigation, said former FBI Deputy Director John Pistole. Local police departments lack the resources to solve cybercrime and themselves are frequently ransomware targets. “It is a weird gray area where there is a law but it isn’t enforced,” said Jeffrey Kosseff, an assistant professor of cybersecurity law at the United States Naval Academy. “Ransomware is a real failure of the current legal system. There is not a good remedy.”
European law enforcement agencies have had more success. In March 2018, for example, the Polish Police — in cooperation with the Belgian Federal Police and Europol — arrested a Polish national suspected of having infected several thousand computers with ransomware. European law enforcement officials “just hang out on Slack channels where we tell them stuff,” said Fabian Wosar, a U.K.-based security researcher, referring to the popular messaging platform.
Asked whether its agents also gather information via Slack, the FBI said that it “must adhere to rules relating to federal agency recordkeeping, which makes the adoption of more agile communication methods trickier for us than for private sector companies.”
When Wosar discovered servers in the U.S. and the Netherlands that likely contained the attackers’ decryption keys for the ASN1 ransomware strain and could help identify the criminals, he and another researcher notified the FBI and the Dutch National Police. “Great news,” a member of the Dutch high-tech crime team responded. “We are eager to start things up” and “try to seize the servers.” The FBI replied with basic questions that reflected a lack of understanding of how ransomware works, said Wosar, who is head of research at anti-virus provider Emsisoft.
On another occasion, Wosar had what he called a “very hot lead” on the inventor of the ACCDFISA strain. He tried one FBI agent after another and ended up submitting his tip on the “FBI homepage like everyone else,” he said. “I’m sure it got lost among hundreds of thousands of submissions.” The bureau declined to comment on the incidents.
As ransomware proliferated without an effective law enforcement response, an industry sprang up to unlock victims’ computers. In the U.S., it was dominated by two firms: Proven Data and MonsterCloud. Each says it has assisted thousands of victims.
The companies’ claims to be able to release files using their own technology aroused Wosar’s curiosity. He and other security experts sometimes find ways to disable ransomware, and they post those fixes online for free. But they can decrypt ransomware only if there are errors in the underlying software or if a security lapse allows the researchers to hack into the attacker’s server, he said; otherwise, it’s essentially bulletproof.
“If there is a company that claims they broke the ransomware, we are skeptical,” Wosar said. “Everything the ransomware did has been analyzed by other researchers. It’s incredibly unlikely they were the only ones to break it.”
In December 2016, he devised an experiment dubbed “Operation Bleeding Cloud,” after MonsterCloud and the notorious “Heartbleed” software vulnerability. He and another researcher created a variant of ransomware and used it to infect one of their own computers. Then they emailed MonsterCloud, Proven Data and several data recovery firms based in the U.K. and Australia, posing as a victim who didn’t want to pay a ransom.
Wosar said he sent some sample encrypted files to the firms along with a fake ransom note that he had written. Like many ransom notes, the demand included an email address to contact the attacker for instructions on how to pay. Each note also contained a unique ID sequence for the victim, so Wosar could later identify which firm had contacted him even if it used an anonymous email account.
The firms eagerly agreed to help. “They all claimed to be able to decrypt ransomware families that definitely weren’t decryptable and didn’t mention that they paid the ransom,” Wosar said. “Quite the contrary actually. They all seemed very proud not to pay ransomers.”
Soon, the email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.
“The victims are getting taken advantage of twice,” he said.
Proven Data’s Congionti and MonsterCloud’s Pinhasi both said they could not recall this particular case. “If someone is saying that we promised up front that we would be able to decrypt their files, I am certain that this is inaccurate,” Pinhasi said.
Last year, the research division of Israeli cybersecurity company Check Point Software Technologies used a similar tactic to unmask Dr. Shifro, a Russian company. Dr. Shifro purported to use its own technology to liberate computers locked by ransomware, but it actually negotiated with a security researcher posing as the hacker, according to Check Point. Dr. Shifro did not respond to an email in both Russian and English seeking comment.
Storfer, the former Proven Data ransom negotiator, said he was saddened to read of Dr. Shifro’s tactics. “That’s basically what I was doing,” he said.
In 2017, Storfer was a year out of college and looking online for a job close to his Westchester County, New York, home when he spotted an opening for an office manager at Proven Data. He’d never heard of the company, but he applied and was hired.
He thought he would be scheduling meetings, sending out packages and accepting deliveries. But prior jobs at retail stores and restaurants had honed his customer service skills. After a short time at Proven Data, he was given the title of client solutions manager and assigned to negotiate with hackers. Storfer “was responsible for some of the correspondence with ransomware attackers,” Victor Congionti said. The job, which Storfer said paid a starting salary of about $41,000 a year, provided a unique window onto the rarely glimpsed underworld of cybercrime.
He soon realized that ransomware is a vast global industry. Most attacks on U.S. targets originate from abroad, especially Russia and Eastern Europe. There are hundreds of ransomware strains and thousands of variants of those strains. Some are sidelined as their revenues diminish or cybersecurity researchers devise ways to neutralize them, while new ones are always emerging.
Some ransomware attacks hit millions of computers indiscriminately, hoping to infiltrate them through infected spam email attachments. Others target businesses, government agencies and nonprofit organizations, sometimes with “brute-force” tools that invade computer networks. While individuals are frequently attacked, criminals increasingly extort institutions that have deeper pockets and readily pay the ransom to minimize disruption to their operations.
Once ransomware penetrates the computer, victims are unable to open their files, which are often renamed with a new extension. Generally, a ransom note pops up on the screen. It may direct victims to a page only accessible through Tor, a dark web browser, or to a hacker’s email address, for information on how to pay. The hackers may offer to decrypt a sample file. When they receive confirmation of payment — usually in bitcoin but sometimes in even less traceable forms of cryptocurrency, such as Dash and Monero — they send the software and key to unlock the files. Most hackers live up to their end of the deal, Storfer said. Otherwise, they are denounced as cheaters on websites frequented by victims, researchers and data recovery firms, and their ransom demands lose credibility, he and others said.
Some attackers warn victims to avoid data recovery firms. “Decryption of your files with the help of third parties may cause increased price (they add their fee to our),” said one ransom note posted on Coveware’s website.
More sophisticated cyberattackers cultivate firms like Proven Data as a source of income. The hackers sometimes offer discounts, which Congionti said the company’s “present policy” is to pass on to clients. The dark website for the GandCrab strain offers a “promo code” box on its ransom checkout page exclusively for data recovery firms. After paying a ransom, the firms receive a code for a discount on a future ransom.
Proven Data’s rival, MonsterCloud, is run by Pinhasi, who describes himself as a former IT security intelligence officer for the Israeli military. He declined ProPublica’s request to visit its South Florida storefront office, saying it was being renovated. Instead, over a mid-February lunch at Shalom Haifa, a nearby restaurant, Pinhasi guardedly discussed his business.
He said MonsterCloud handles up to 30 calls a day and has about 20 employees in South Florida as well as extensive global contacts. “Our network is in the hundreds,” he said. “Because keep in mind that we have people who we are connected to pretty much all over the globe, who are working with us in various cases.” Asked what these people do, he said, “I can’t really dive into it.”
In some cases, he said, MonsterCloud uses its contacts on the darknet — hidden, anonymous networks that communicate over the internet. “Our goal is to restore the data and help the customer. If we need to walk to the moon on broken glass, we will. We don’t care how, what, where, whatever. Our goal is to get the data out.”
In a video posted online touting MonsterCloud’s services, Pinhasi wears a dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a white long-sleeve T-shirt emblazoned with the logo of teen retailer Abercrombie & Fitch.
Pinhasi said he came to the U.S. in 2002. He told ProPublica that he has led MonsterCloud since 2003, but Florida corporation records show the business began 10 years later. Instead, in 2003, he co-founded a Florida company called PC USA Computer Solutions Providers.
One PC USA client, Maurice Oujevolk, vented his unhappiness on Yelp. Oujevolk hired PC USA for his Sunrise, Florida, model car business, and paid regularly for cloud backup service. In March 2016, his company’s computer system crashed. He called PC USA for help. But Pinhasi told Oujevolk that PC USA’s system had also failed, and complete backups were not available, Oujevolk said. Pinhasi demanded more money to try to recover the files. Oujevolk refused.
“I lost tremendous time and money to rebuild the information that disappeared,” Oujevolk said. He didn’t sue PC USA, he said, because the dispute was impairing his health and he wanted to put it behind him. “I am surprised he can still be doing business in Florida. We were trusting them, and they took our money and disappeared. They had told us we didn’t need to do any backups.”
Pinhasi said that Oujevolk’s was the only complaint he had received in 18 years of service. He said Oujevolk’s “fact recollection was flawed,” and the problem was that the client’s hard drive provided to PC USA for storage was “corrupted.” He said Oujevolk declined PC USA’s offer to send the hard drive to a recovery company in California. Oujevolk said there was no such offer.
Pinhasi flourished financially. Public records show he’s driven three new Mercedes in the past decade and owns two houses in South Florida, including a waterfront home in Hallandale Beach assessed at $1.4 million. Once ransomware took off, he pivoted from cloud services to data recovery.
On its website, MonsterCloud offers “guaranteed results.” It tells prospective clients, “Don’t Pay the Ransom.” Paying the ransom, it says, “doesn’t guarantee you’ll get your data back.” It’s “a risk you don’t want to take. Let our experts handle the situation for you.”
Pinhasi declined to say whether MonsterCloud pays ransoms. “We work in the shadows,” he said. “How we do it, it’s our problem. You will get your data back. Sit back, relax and enjoy the ride.”
The lack of transparency deterred Tim Anderson, an IT consultant based in Houston. When the Nozelesn strain of ransomware attacked one of his clients this past January, he reached out to MonsterCloud. The firm wanted $2,500 for an analysis and up to $25,000 for actual recovery, he said. The ransom was 2 bitcoin, worth about $7,000 at the time.
When Anderson requested an explicit technical description of how MonsterCloud would unlock the files, the firm demurred.
“I immediately smelled a rat,” Anderson said. “How do I know they’re not taking the $25,000 and paying the ransom guy $7,000 of it? The consumer doesn’t know what’s going on.”
He declined MonsterCloud’s services. Instead, his client hired another firm to pay the ransom.
Pinhasi points to MonsterCloud’s ties to law enforcement as evidence of its integrity.
“We are trusted by law enforcement and intelligence agencies,” he said. “We recently met with the FBI to share with them our deep knowledge of Ransomware, and we often share with them our cyberintelligence gathering findings. They wouldn’t waste their time with us if we were a deceptive company.”
John Pistole, a former deputy director of the FBI under Robert Mueller, is featured in a promotional video on MonsterCloud’s homepage. “Police departments, government agencies, hospitals, small business and Fortune 500 firms trust MonsterCloud to help recover from attacks and protect against new ones,” Pistole said in the video. “MonsterCloud’s proprietary technology and expertise protects their professional reputations and organizational integrity.”
Pistole, who also headed the Transportation Security Administration under President Barack Obama, is listed on MonsterCloud’s website as the only member of its “Cyber Security Advisory Council.” Now president of Anderson University in Indiana, he said in an interview that he became acquainted with Pinhasi after MonsterCloud reached him through a speaker’s bureau. Pistole said that MonsterCloud pays him indirectly through the bureau.
Pistole said his testimonial was scripted by Pinhasi. He is well aware, he said, that in most cases the only way to decrypt computers hit by ransomware is to pay the hackers. That’s MonsterCloud’s approach, he said.
“The model I’m used to is, you pay the ransom,” he said. “That’s the business model as I understood it last year when I did my initial look at it after meeting Zohar. … Based on my experience and knowledge, ransom is paid and they facilitate the best practices moving forward.”
Pistole is listed in Florida corporation records as an “authorized member” of another company run by Pinhasi, Skyline Comfort LLC. Pistole said that Skyline’s business plan is putting massage chairs in airports. For a few minutes’ massage, passengers would pay a fee, which Skyline would split with the airport authority. Pistole said that he connects Pinhasi with airport officials and will be paid if the company becomes profitable. A former TSA colleague and Pinhasi’s brother-in-law are also involved in Skyline, he said.
In other testimonials on MonsterCloud’s website, four local law enforcement agencies praise the firm for restoring their data following ransomware attacks. ProPublica spoke with all but the Kaufman, Texas, Police Department, which did not respond to messages. Officials at the three departments we spoke with were all under the impression that MonsterCloud decrypted their computer networks without paying a ransom.
Chief Deputy Ward Calhoun of the Lauderdale County Sheriff’s Office in Meridian, Mississippi, which enlisted MonsterCloud after a ransomware attack in May 2018, said in an interview that other victims seek his advice “once or twice a month.” He tells them that MonsterCloud can help them. “The danger is, even if you give money to hackers, you don’t know you’re gonna be able to unlock your data anyway,” he said. “We decided we weren’t going to do that. We went with MonsterCloud instead.”
The Trumann, Arkansas, Police Department was another satisfied customer. When its computer system was infected in November, decades’ worth of data including case notes, witness statements, affidavits and payroll records were frozen. The department’s IT manager came across MonsterCloud on a Google search while “frantically looking for a way to fix the problem,” said the chief of police, Chad Henson.
Henson, who oversees about two dozen officers serving a population of 8,000, said he was reassured about MonsterCloud’s capabilities when he discovered “how friendly they are to law enforcement and to government entities.”
“That’s when we made the phone call to them,” he recalled. “They said: ‘Don’t worry about it. We are pretty sure we can get everything back.’”
Another reason he chose MonsterCloud, he said, was that it wouldn’t pay the ransom. “I’m the one in the seat, the one charged to safeguard the department,” he said. “To turn around and spend taxpayer money on a ransom — that is absolutely the wrong decision. It is the nuclear option. But with MonsterCloud, we can just remove that option.”
MonsterCloud restored the Police Department’s files within 72 hours and assured the department it did not pay a ransom, Henson said. In return for the testimonial, it waived its $75,000 fee.
MonsterCloud’s contract with the Trumann Police, obtained under a public records request, calls its recovery method a “trade secret” and says the firm would not explain the “proprietary means and methods by which client’s files were restored.” It also says that if “all possible means of directly decrypting client’s files have been exhausted,” the firm would attempt to recover data by “communicating with the cyber attacker.”
Pinhasi said that the Trumann department was crippled by the Dharma strain of ransomware. Wosar and Michael Gillespie, a software analyst in Illinois whom the FBI has honored with a community leadership award for his help on ransomware, said there was no known way of decrypting the Dharma ransomware in use at the time. They said MonsterCloud must have paid a hacker.
MonsterCloud also received a testimonial in lieu of a fee from the Lamar County, Texas, Sheriff’s Office. A May 2018 ransom note said: “You are unlucky! The terrible virus has captured your files!” The sheriff’s office brought in MonsterCloud, which “did an excellent job,” said Lamar County network administrator Joel Witherspoon.
He said MonsterCloud contacted the hacker, who was demanding 1 bitcoin, worth about $8,000 at the time. Witherspoon then told the company that the county wouldn’t pay the ransom. MonsterCloud didn’t answer him, he said.
“I don’t think they would ever pay” the ransom, Witherspoon said. “They just said they had a team of specialist engineers working on it.”
Pinhasi declined to say how MonsterCloud retrieved the law enforcement agencies’ data but noted that it did so for free. “We provide complimentary services to law enforcement agencies,” he said. “There has never been one cent of taxpayer money used for any ransom we’ve been involved with.”
Witherspoon was especially impressed by his primary contact at MonsterCloud, Zack Green. “Zack’s title, dear God, it’s a mile long title. He seems to know a lot.”
Green’s titles on his email signature include “Ransomware Recovery Expert,” “Cyber Counterterrorism Expert,” “Cyber Crime Prevention Expert” and “Cyber Intelligence Threat Specialist.” We called MonsterCloud asking for Green but were told he was in a meeting. Cybersecurity experts said the credentials he lists are not actual industry designations.
Pinhasi said Green is an alias, but he declined to say for whom. “We go based on aliases, because we’re dealing with cyberterrorists,” he said.
After we told Witherspoon that Green was an alias, his opinion of MonsterCloud changed. “It makes me think, ‘Did we get attacked, or did they attack us?’ I am surprised,” he said.
Some tributes to MonsterCloud on its website may also be fabricated. Under a section titled “Real Testimonials,” MonsterCloud posted 58 five-star Google reviews from clients like “Brad Stevens” and “Sam Smith” — the names of the Boston Celtics coach and a Grammy Award-winning singer, respectively. The reviews were replete with exclamation points and details of MonsterCloud’s heroics. A Google search showed that about half of them were submitted six months ago, when some of those same reviewers, including Stevens and Smith, also raved about a skin-care establishment down the street from MonsterCloud’s office. The two businesses share the same marketing director: Boris Zion.
Under his own name, Zion gave MonsterCloud a five-star Google review and more plaudits on TrustPilot.
“MonsterCloud is #1 ransomware company hands down!” he wrote in October. “I knew them for a while before I became a customer [when] I found myself in situation where my business was attacked.”
Pinhasi and Zion said that the testimonials are legitimate. “We sent out an email to our clients to ask for reviews as many businesses do, so many of our reviews came in around the same time,” Pinhasi said. Zion acknowledged it was “kind of coincidental” that the same customers had praised MonsterCloud and the skin care company. He said that it’s challenging to persuade publicity-shy ransomware victims to post positive reviews. “For the most part, nobody wants to write a review online,” he said. “You don’t tell anybody that you got hacked.”
He said that he couldn’t recall when he was attacked by ransomware, or by which strain. “I’m a marketing guy, not a cybersecurity expert,” he said. He agreed to send us the ransom note but never did.
After defending the reviews, MonsterCloud on Tuesday removed them from its website.
Storfer soon realized that neither his co-workers nor his bosses, brothers Victor and Mark Congionti, had much expertise in writing computer programs to disable ransomware. Before they started Proven Data, Mark Congionti had been a substitute math teacher. Victor Congionti had a more technical background — he had worked as an IT security analyst for an insurance company — but his passion was electronic dance music. Victor was building a side business as a disc jockey and rarely came to the Proven Data office, which was then in Mark’s house in White Plains, New York, Storfer said. The company moved this past March to an office building in Elmsford.
A 2016 resume posted on an archived version of Victor Congionti’s personal webpage said his roles at Proven Data included adding “to existing customer profitability” and “developing new business and strategic partnerships.” In his profile on a roommate-search website, he describes himself as a “foodie,” “fitness junkie” and “party person” who works from home. He told ProPublica that he is no longer a partier now that he has a 4-year-old son and is going to college to study electronic music production.
“We are not coders,” Victor Congionti acknowledged. He said Proven Data uses its network “to research any emerging ransomware variants and the potential for cracking encryptions.”
Richard Moavero, Proven Data’s client services manager, said that Mark Congionti is more involved than Victor in running the company day to day, including negotiating with hackers. “Mark’s really cool about it,” Moavero said. “If it was up to me, I’d punch them through the computer. His demeanor is really good in dealing with these people. Just the way he doesn’t get flustered. … He’s able to take the emotional part out of it.”
The Congionti brothers established Proven Data around 2011 primarily to recover information from broken hard drives and cameras and other hardware. As ransomware proliferated, and calls poured in from prospective clients seeking help releasing their encrypted files, the business model shifted, according to Victor Congionti and a review of the company’s archived web pages.
During his year and a half at Proven Data, Storfer fielded hundreds of these calls. He took a “don’t ask, don’t tell” approach to informing clients that Proven Data would pay their ransoms.
If they didn’t ask, “it was more of a lie by omission,” he said. If they asked, he told the truth. But some of those clients still requested a non-itemized receipt that didn’t break out the bitcoin ransom price separately.
“There were people who would ask us specifically not to put the bitcoin price on it,” he said. “By hiring a business like that, it does give you a kind of plausible deniability.”
His predecessors took a different approach. Storfer said he’s been told by the FBI that Proven Data’s staff used to rely on “canned responses” that gave clients two options for data recovery. The first was paying the ransom. The second option was to unlock the files using Proven Data’s technology. Unbeknownst to clients, Storfer said, the second option didn’t exist. If they chose it, Proven Data paid the ransom anyway.
Victor Congionti said that Proven Data employees “did use and still use scripts,” which he also called “canned responses.” Asked about the two options, he didn’t answer directly, but said, “If we have ever found any scripts to be misleading or perceived the wrong way, we would make the necessary changes immediately.”
Some clients became suspicious. After its networks were frozen by ransomware in June 2016, Safford, Arizona, hired Proven Data, said Cade Bryce, the city’s systems administrator.
Proven Data case manager Brad Miller told the city in an email that the company’s engineers had analyzed a sample file and found there was a “high chance for data recovery” by “using our streamlined process and latest technology.” Miller acknowledged the company’s price “can be high” and suggested that the city’s insurance “may cover the cost.”
According to Storfer and Victor Congionti, Brad Miller was an alias that the company used for overseas freelancers. “Their names can be complex,” Victor Congionti said. “We used this alias to simplify things.” He said the company has stopped using the alias “as we saw the confusion it could create. We did not view it as deceptive. It was for convenience.”
About a week later, Proven Data told the city that the “decryption process has completed successfully.” But the city later discovered that some files remained locked, Bryce said. Proven Data opened a new case and insisted on charging the city once more. Safford acquiesced — its insurance company ultimately reimbursed most of the total bill of $8,413 — but Bryce wondered why it had to pay twice if Proven Data already had the solution.
“If their algorithms did the first one, why couldn’t they do the second?” he said in an interview.
In mid-August, Proven Data gave up. “We haven’t had any luck decrypting this remaining variant and contact to the hackers has not yielded any results as well,” it said in an email.
Wosar and Gillespie said the most likely explanation was that Proven Data paid the ransom, but that bugs in the ransomware permanently damaged the files.
Sam Napier, the city’s IT administrator, shared the company’s update with Bryce. “I think you were right about them working with the hackers and adding a fee,” Napier wrote. Victor Congionti declined to comment on the Safford case.
One part of Storfer’s job was listening sympathetically to panicked IT managers who were confused and ashamed about the attacks on their organizations and fearful of losing their jobs. Another was bonding with cybercriminals, in the hope of reducing the ransom price.
Often, the victims who contacted Proven Data had already berated their attackers. Annoyed, some hackers would demand more money, and others would disappear, Storfer said.
“People would get into a pissing contest with the hacker and try to incite them,” he said. “Because they have all the power, they don’t take nicely to antagonistic behavior. You really want to unfortunately befriend them in some way or ingratiate yourself because you want to try to find some empathy.”
Moavero, the client services manager, agreed. “It’s not like one of those things where you can just get on and vent with them, because then they’ll just shut right off,” he said. “You have to treat them with kid gloves sometimes.”
Storfer often didn’t know who he was dealing with. It could have been the ransomware creator or a middleman. Some of the people or crime organizations that develop ransomware strains also handle functions such as infecting computer networks, sending ransom notes and collecting payments. Others license the ransomware to intermediaries for a fee. From clues in their emails, such as video game references, he could sometimes tell which attackers came from the same hacker group.
Storfer said Proven Data kept a list of hackers who could supply decryption keys quickly and cheaply as needed. He bargain-hunted by stirring up “market rate competition” among them. “Even though one group may have done the hacking, a different group could provide you with the key,” he said.
“There are some hackers who would charge 1 bitcoin, which at its peak when they were doing this was about $10,000, to decrypt one machine,” he said. “Another hacker might have been able to do it for $4,000.”
In such cases, the interlopers would not supply Proven Data with a master key, which would have enabled the company to clear future incursions of the same ransomware for free. Instead, they would send a decryption key for the specific attack and victim. The attackers might never know they had been bypassed for payment, because some don’t track each victim among the thousands targeted.
Storfer learned quickly never to use the term “hacking.” Instead, he would assume his correspondent “thinks they’re a businessman,” Storfer said. “I’d say: ‘Look, we can’t afford this at this time. Do you mind providing your product at a lower rate?’ And it worked,” he said. “They’re doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way.”
The rapport sometimes reaped discounts. “We were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them,” Storfer said.
Once the attackers agreed to lower the ransom for one client, it was easier to persuade them to reduce it for others, as well. He’d tell them, “‘Look, we have another client who you may be able to help. Can you provide this pricing?’ Their response is: ‘Sure thing.’”
Though successful, his tactics made Storfer uneasy. “It’s one of the weird kind of gray areas that I never felt comfortable with — that I had to interact and almost befriend these individuals,” he said. “But for the good of helping people that we were dealing with and making their lives easier, I thought it was a real benefit.”
Storfer usually didn’t reveal his company to hackers. Still, by using the same anonymous email address repeatedly, he became familiar to them. The hackers would “want to verify that we worked with them before.”
“And I want to be clear, ‘worked with them’ being the most accurate term, but I want to say that there is no love in this agreement,” Storfer said. “I’m using terms like ‘working with them’ but it’s the skin-crawliest way to describe it, because we truly hate them. And it was something that we would openly talk about — about how creepy and crawly we felt in general to have to put yourself on their side and empathize with these individuals to get them to work with you. Because you kind of have to shed your skin afterwards.”
Despite Storfer’s best efforts, sometimes the hackers behaved erratically. Proven Data would pay the requested ransom, but they would not respond. At such times, Storfer would share the attacker’s email address and details of the snub with other hackers in the same group.
Then the hacker “would come back and say, ‘Sorry, I’ve been on a coke binge for three weeks,’” Storfer said.
For the FBI, retracing individual victims’ ransom payments has rarely been a priority. But Proven Data’s startling success in decrypting ransomware drew the attention of a bureau office in Anchorage, Alaska.
In April 2016, a strain of ransomware called DMA Locker infiltrated the computer files and backups for Leif Herrington’s real estate brokerage in Anchorage. The ransom note demanded 4 bitcoin, then worth about $1,680. Herrington called the FBI. “They said, ‘There’s thousands of these going on every day, we don’t have the resources to do anything,’” Herrington said.
Herrington’s son looked into the attack, discovered there was no known way to decrypt the files and suggested his father pay the ransom. After unsuccessful attempts to pay the ransom on his own and through a local IT firm, Herrington called Proven Data. It told him it could unlock his files for $6,000.
“They represented that they had proprietary software they developed to unencrypt,” Herrington said. “They never said anything about paying the ransom.”
A January 2018 FBI affidavit, seeking a search warrant to obtain information from Proven Data and its email provider, lays out what happened next. Herrington’s IT consultant, Simon Schroeder, gave Proven Data a sample infected file for evaluation. During a follow-up appointment a couple of days later, Schroeder granted remote access to Proven Data and watched as it unlocked a set of files in 45 minutes.
The firm cleared the files so quickly that Schroeder suspected it paid the ransom. Although Herrington was back in business, he called the FBI again. An agent came to his office to ask about Proven Data, Herrington said, adding that he and Schroeder turned over all their documents.
Herrington told the agent that he didn’t know whether Proven Data “actually had keys or if they were in cahoots with the ransomware attackers and just collected the money,” he said. “I suggested to the FBI that they would want to investigate them, whether they were somehow in partnership with the ransomware people.”
The FBI confirmed his hunch. Records provided to the FBI pursuant to a federal grand jury subpoena showed 4 bitcoin flowing from a Proven Data account to the online wallet that the attackers had designated for payment. An email from the hacker’s address thanked Proven Data for the payment and included instructions on decrypting Herrington’s files.
“Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim’s files by paying the subject the ransom amount,” the affidavit said.
The bureau interviewed Proven Data’s co-owners, the Congionti brothers. Mark Congionti acknowledged that at the time of the attack, there was no known way to unlock the files aside from paying the hacker, the affidavit said. (An FBI spokeswoman said in January that the bureau could not discuss the case because it was active. The U.S. Department of Justice declined this month to identify the target of the investigation or to say if it’s still ongoing. As yet, no charges have been publicly filed.)
Victor Congionti acknowledged that the company paid Herrington’s ransom. “It was the only option to get his data back,” he said. “We regret that he felt misled. … There was obviously a misunderstanding as to how we would solve his problem. We have re-examined all of our practices and procedures to ensure that such a misunderstanding does not occur again.”
The FBI agent discussed the possible legal nuances with Herrington. “The FBI did explain if they were up front, that was legal, but that if they represented they had the technology to do it, it might not be,” Herrington said. “They were not being up front about it. They said they had technological expertise.”
Also at issue was whether Proven Data had “any working relationship with the ransomware people,” Herrington recalled the agent saying. “The FBI was concerned that even if these companies were paying the ransom, it is encouraging the ransom people. By paying, they’re effectively keeping these guys in business.”
Proven Data had several hundred email exchanges with the addresses associated with DMA Locker attacks, according to the FBI affidavit. As with the SamSam hackers, Proven Data used its own email addresses with DMA Locker. “We interacted directly with them,” Storfer said.
Victor Congionti said Proven Data later determined that using its own address with hackers was “not advisable” and abandoned the practice.
Storfer wondered if the hacker behind DMA Locker was a British soccer fan because his emails contained references to Manchester United including one username of “John United” and another honoring former team manager Alex Ferguson. The ransom price was in British pounds, an unusual currency in ransomware circles, he said.
“DMA was actually a very good, nice negotiator for the most part,” Storfer said. “He was very clear, straightforward,” and wrote “very proper English. And he had a tool that worked impeccably well, and he would even troubleshoot for you.”
Normally, attackers don’t send the key until they’re notified that the ransom has been paid, typically via a bitcoin transaction ID number. But the DMA Locker hacker was so familiar with Proven Data’s wallet IDs that sometimes he sent a decryption key as soon as he saw the bitcoin transaction post on the Blockchain, the electronic public ledger of transactions.
“One of the weird benefits was that he knew our wallets enough that every time we sent him a payment, he would send us a key before we could send a transaction ID,” Storfer said. “He would literally sit on the blockchain, and just be like, ‘Oh ya, Proven, let me give you guys some keys.’”
Victor Congionti said he wasn’t “aware of this type of familiarity. If it did occur, we had no control over it.”
When the hacker decided to retire from the ransomware business, he let Proven Data know — and proposed one last deal.
“He literally said: ‘Hey, I’m shutting down service. Do you have any other clients that need keys? I’m doing this super discount for any of them,’” Storfer said. “I actually consider that one of the benefits of being friendly with — the biggest air quotations — the hackers.”
Proven Data raised Storfer’s salary, he said. But his conscience was weighing on him, especially after the FBI began questioning Proven Data employees in the Alaska case.
He worried that he was abetting a sophisticated form of organized crime. He struggled to justify his line of work to his family and friends, some of whom teased him for answering late-night hacker emails.
“Do I miss ever having to explain what my job is to anyone else? No,” Storfer said. “Having that conversation and trying to explain, oh what do you do? Oh, I negotiate with hackers for a living. … It is a very weird business, and it is one of the reasons I couldn’t stay in the field.”
After a year and a half at Proven Data, he decided to leave the industry. But he wavered in this resolve when Coveware, the Connecticut firm that is transparent about paying ransoms, sought to recruit him. Siegel, who co-founded Coveware in 2018, said he wanted to hire Storfer because of his familiarity with ransomware.
In the end, Storfer chose a job outside the data recovery industry. “I just decided that I wanted to get out of the space because I felt uncomfortable. … The realm where Proven Data and MonsterCloud and Coveware and all these groups act in is the Wild West. They set their own rules.” Victor Congionti confirmed that Storfer left voluntarily.
Moavero, who joined Proven Data soon after Storfer left, also had no background in cybersecurity. “I responded to an online ad looking for a head of customer service,” he said. “I had no clue what Proven Data did. … Ransomware? I had to go home and look up ransomware. It’s been a whirlwind.”
Even after Storfer left Proven Data, it still paid the SamSam hackers. Chainalysis found that on November 16, 2018, 1.6 bitcoin, or about $9,000 at the time, moved from Proven Data’s wallet to a digital currency address associated with the SamSam attackers — an intermediary step on the chain to the Iranian-controlled wallet. Twelve days later, the Iranians were indicted, and payments into their wallets were banned.
Today, hardly any money is left in those Iranian wallets.
Garen Hartunian contributed to this report.
Renee Dudley is a senior reporter at ProPublica, covering technology. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters and a reporter in New York for Bloomberg News.
Jeff Kao is a computational journalist at ProPublica. He previously worked as a machine learning engineer at Atrium LTS, where he developed natural language processing systems for legal services.
Cleaning fees could be the least of your worries if your next car rental is from Hertz.
Reports of Hertz customers finding themselves in hot water after renting a vehicle from the Florida-based company are on the rise, and the culprit appears to be a faulty computer system and poor office management. The majority of the cases claim Hertz reported vehicles stolen to the police when they were actually being legitimately rented by customers, causing major issues for the renters and anyone unlucky enough to be riding with them.
According to ABC Action News, these affected customers ended up in handcuffs and in the back of a police car in the majority of the cases. A few people were even met with the business end of a firearm and were taken into custody forcefully after disagreeing with police. Some endured the terrible experience of spending a few hours in jail, but a few spent considerable time behind bars, with one case resulting in two weeks in prison. However, almost every time, erroneously charged renters are still fighting the charges they received in court and all the fines that come along with them.
Hertz manages tens of millions of rentals each year, which makes these 30 or so stories exceptionally rare, but not any less bizarre. The recent claims don’t explain how exactly these mix-ups happen, but some of the renters reported switching vehicles, upgrading cars, or reporting mechanical issues before being approached by the law. One driver returned a vehicle for a flat tire and was given another to drive instead, and when the company did not complete paperwork for the second vehicle, the car was reported stolen and the police got involved. Another driver was alerted to an expired registration on her rental but was ultimately arrested before she could even return the car a few days later.
Francis Alexander, an attorney who is representing some of the falsely-accused renters, says that Hertz’s computer system has a “glitch” that has led to the company-wide pattern of reporting cars stolen. He says there are upwards of 30 cases across the country, and the issue is not a new one. Some of these were reported last year, and Hertz found itself paying tens of thousands of dollars in damages to victims in civil cases.
It turns out that your next rental with Hertz may not earn you bonus points or credit card miles, but a permanent stamp on your criminal record.
For many at the Johns Hopkins Applied Physics Laboratory, January 1 this year didn’t mean a New Year’s celebration. Instead, it meant the first arrival of data from New Horizons’ visit to a small Kuiper Belt object. But, like its earlier flyby of Pluto, the probe was instructed to grab all the data it could and deal with getting it back to Earth later. The full set of everything New Horizons captured won’t be available for more than a year yet. But with 10 percent of the total cache in hand, researchers decided they had enough to do the first analysis of 2014 MU69.
2014 MU69 is thought to preserve material as it condensed in the earliest days of the Solar System’s formation. And everything in the New Horizons’ data suggests that this is exactly what it has done. With the exception of one big crater temporarily named “Maryland” and the gentle collision that created its two-lobed structure, the object appears to have been largely untouched by more than 4 billion years of the Solar System’s existence.
The dawn of time
The Kuiper belt is a sparse donut of small bodies near the outer edges of the Solar System. The bodies there are formed primarily of icy materials, most of which would otherwise remain gases in the warm, inner regions of the Solar System. Some of them, like Pluto, are large enough and/or have a complex collision history, which can ensure that they undergo geological changes that alter the materials that were present at their formation.
But 2014 MU69 is much smaller; early estimates placed it at under 50km in diameter. This raised the possibility that it could preserve the materials present at its formation over 4 billion years ago. Bodies like 2014 MU69, collectively termed planetesimals, also contributed to the formation of the outer planets and larger Kuiper Belt Objects. So New Horizons’ study of 2014 MU69 provided a potential opportunity to better understand the conditions present at the start of the Solar System, including those that went into building larger bodies. But that would only hold true if 2014 MU69 hadn’t been changed during its time in the Solar System.
To study the object, New Horizons came equipped with seven scientific instruments, including cameras, spectrometers to map its surface composition, and even particle and dust collectors to capture any material that 2014 MU69 was releasing into space. The spacecraft’s closest approach was about 3,500km from 2014 MU69, which allowed it to capture images that could resolve features 50km across (and, in some cases, even smaller).
9pm ET Update: Another day, another scrub for SpaceX and its mission to launch a batch of internet satellites. About two hours prior to the opening of Thursday night’s launch window, the company canceled its Falcon 9 launch of five dozen Starlink satellites. In a tweet, SpaceX offered this explanation: “Standing down to update satellite software and triple-check everything again. Always want to do everything we can on the ground to maximize mission success, next launch opportunity in about a week.”
So we’ll do this again in about a week.
Original post: Even though time remained in its launch window Wednesday night, SpaceX scrubbed an attempt to launch its first batch of Starlink satellites. The upper-level winds were just not cooperating, so the company stood down the launch attempt.
On Thursday, the rocket stands again at the launchpad. This time, the weather conditions have improved, and the winds in the upper level of the atmosphere appear to be more conducive to a launch. And so SpaceX will press ahead with a historic launch and unconventional deployment of 60 satellites that will provide Internet access. The deployment, about an hour after launch, will be fascinating to watch, and we are eager to know how successful the company and the Air Force will be at connecting with and tracking these satellites.
Below, you will find an embedded webcast, which should begin at about 10:15pm ET (02:15 UTC Thursday), as well as an edited copy of our story explaining the Starlink constellation, which was originally posted ahead of Wednesday’s launch attempt.
Heaviest payload
With a mass of 18.5 tons, Thursday’s launch will be the company’s heaviest to date for either the Falcon 9 or Falcon Heavy rocket. The rocket will boost 60 Starlink satellites, each weighing 227kg, to an altitude of 440km.
This is the first block of Starlink satellites for what should eventually be a much larger constellation, and they will help SpaceX gauge its performance and conduct tests of several key systems. Over the coming months, these first satellites will be joined by six additional launches carrying similarly sized payloads. These launches will bring the constellation to an initial “operational” capability.
There is no guarantee all will go well, SpaceX founder Elon Musk said during a teleconference with reporters on Wednesday evening. “This is very hard,” Musk said. “There is a lot of new technology, so it’s possible that some of these satellites may not work. There’s a small possibility that all of these satellites will not work.”
Launch and release
The initial part of the launch will be familiar to people who have watched a SpaceX launch before. This Falcon 9 first stage has flown twice before, and it will attempt to make a landing on the Of Course I Still Love You droneship in the Atlantic Ocean. The real action will come about 1 hour 2 minutes after launch, when the second stage begins deploying the Starlink satellites.
Stop me if you’ve heard this one before, but the ice is screwed. New findings released on Thursday reveal that a quarter of the ice sheets in West Antarctica, the most vulnerable part of the continent, have destabilized. Ice loss has sped up fivefold across the region’s most imperiled glaciers in just 25 years.
Scientists used 800 million satellite measurements taken since 1992 to reach their conclusions. The results, published in Geophysical Research Letters, underscore just how rapid the changes taking place are and the perils coastal communities could face if ice continues its runaway melt.
The ways that we know the West Antarctic is melting down are manifold. There are measurements on the ground, flyovers by NASA scientists, and occasional visits by boat. But to get the big picture, satellites provide a crucial view from space. Researchers used data from a suite of European Space Agency satellites that have been monitoring Antarctica since 1992. Those satellites have lasers that measure how high the ice that covers Antarctica and extends out to sea is, and the 25 years of records in the analysis allowed the researchers to see how ice height has changed over time. The researchers identified areas where rapid thinning and ice loss occurred as unstable.
The good news is that the East Antarctic, the highest and coldest part of Antarctica (and which contains most of the continent’s ice), is largely stable. Still, what’s happening in the west isn’t insignificant. The research reveals that the region has shed enough ice over the past 25 years to fill Lake Erie nearly 12 times over. And it gets worse than that!
The findings show that 24 percent of the ice sheet is now unstable, with some parts having thinned 400 feet over the past 25 years alone. That’s what Andy Shepherd, an ice researcher at the University of Leeds and the study’s lead author, called “extraordinary amounts” in a press release. Extraordinary is not a superlative you want to hear in the case of the West Antarctic, though. The imbalance has caused ice from the imperiled Pine Island and Thwaites glaciers, which hold back massive stores of ice on land, to spill into the ocean five times faster in 2017 compared to 1992, contributing to an uptick in sea levels.
If those glaciers break up and the ice behind them falls into the sea, it could raise sea levels more than 10 feet and completely reshape coastlines. The new study is an important check-in on how close to the edge we might be.
Earlier today, Epic once again took a page from Steam’s book and announced a “mega sale” that includes both percentage discounts and an additional $10 off every game priced $14.99 or higher on the Epic Games Store. It seemed to be smooth sailing for the sale, but then two major games suddenly vanished from the store.
Vampire: The Masquerade – Bloodlines 2, the upcoming action RPG, disappeared first, and nobody was quite sure what to make of it. It was briefly available for a discounted price, but then suddenly, it was gone. Trying to access the game’s store page currently returns a 404 error. An Epic representative told Kotaku that Vampire: The Masquerade publisher Paradox chose at the last second—or after the last second, technically—to not participate in the sale.
“If a developer or publisher chooses to not participate in our sales, we will honor that decision,” the Epic rep said in an email. “Paradox Interactive has chosen to not participate in the Epic Mega Sale and the game has been temporarily removed from sale. If you’ve purchased Vampire: The Masquerade – Bloodlines 2 during the period when the discount did apply at the time of check out, Epic will honor that price.”
Shortly after Vampire exploded into a figurative cloud of bats, Epic director of publishing strategy Sergey Galyonkin made a similar comment on Russian site DTF, which the Epic representative confirmed was accurate. A little later, Galyonkin made another comment on the same site, saying that he initially thought Paradox was aware of how the sale would affect its games, but “after a little investigation, it turned out that I was wrong.”
“We are in discussion with Epic regarding the temporary removal of Vampire: the Masquerade – Bloodlines 2 from the Epic Game Store,” read the statement. “The game will return to the store soon! Any purchases made while the game was discounted during the Epic Mega Sale will be honored and no Masquerade violations will be assessed.”
The other game that was pulled was space station survival sim Oxygen Not Included, the Epic Games Store page for which also gives visitors a 404 error right now. Developer and publisher Klei Entertainment has yet to comment on why this happened. Kotaku reached out to Klei for more information, but it has not yet responded.
It’s worth noting that neither of these games is an Epic Store exclusive, which could put them in an awkward spot on other stores. The structure of this sale, after all, is unusual; the additional $10 off games priced $14.99 and higher comes “courtesy of Epic,” meaning that Epic itself is taking the monetary hit, so companies like Paradox and Klei can’t easily match those prices on Steam. In Paradox’s case, it’s doubly dicey, seeing as Vampire: The Masquerade – Bloodlines 2 isn’t out yet. Why pre-order it anywhere else if Epic could, theoretically, discount it again before it’s released? Some people have pointed to regional pricing differences that would’ve led to impractically large discounts on an unreleased game in some territories, as well.
Epic’s bouncing baby store has had other first-time mega-sale-related hiccups, as well. Hades, the early access roguelite from the makers of Bastion and Pyre, was briefly priced incorrectly at $6.99, and developer Supergiant corrected it with a confusing increase not only to the game’s sale price (which is now $14.99), but also its base price, which was $19.99 but is now $24.99.
“We apologize for any confusion this caused and hope customers who got the deal enjoy the game,” Supergiant said on Twitter. “The corrected sale price is still a 25% discount off of the original price point.”
The developer also addressed the increased base price, which some users viewed as an attempt to sell the game for a higher amount than a 25 percent discount would otherwise imply.
“We raised the list price based on continued improvements and additions we’ve made so far in Early Access,” Supergiant said. “We think this price point reflects the game’s current value. Customers can get the game at a lower-than-ever price for several weeks.”
This is not at all an uncommon practice with early access games, but it’s rubbed some fans the wrong way in light of a pre-price-increase comment from Supergiant earlier today in which the developer said it would “announce something like that well in advance” when asked about a Hades price increase on Twitter.
It is, to an extent, understandable that the Epic Games Store wouldn’t nail running a store-wide sale on its first try. After all, it took Valve ages to get Steam sales right, and even then, Steam still regularly goes down at the outset of big seasonal dealstravaganzas. But this comes on top of Epic’s barebones feature set, other assorted errors, and unpopular penchant for snapping up exclusives. Watching a company with all the money in the world stumble through the process of launching a store doesn’t inspire much faith in that store’s future prospects, even if the roadmap ahead looks significantly more acceptable than the pothole-ridden road we’re on right now.