Since 2015, a consultancy firm called Dr Shifro has positioned itself as a decryption service for ransomware based in Russia. In reality, Dr Shifro is a Belarusian ransomware middleman, reports The Register.

An undercover operation conducted by cybersecurity firm Check Point Software discovered that the ransomware entrepreneur simply paid the ransom that was demanded of victims who became his clients, then charged a markup.

As Bleeping Computer explains, “The faux consultant contacts the ransomware creator and asks for a discounted price for the decryption key, which in the case of the researchers was $1,300.

The cost of the unlock key would be incurred by the victim, along with a fee of $1,000 for delivering a decryption tool.”

The business model was discovered when Check Point researchers were exploring Dharma ransomware and a bold claim caught their eye: Dr Shifro claimed to be able to break the encryption used for that ransomware without the private key.

This was suspicious, because, as The Register reports, “Estimates vary, but most agreed that doing such a thing with current hardware would take years, if not decades.”

The researchers set a trap and were able to not only surface details of the fraudster’s business, but also his actual identity. Just by requesting a copy of the contract the firm uses with potential clients, they were able to learn important details that included scans of Dr Shifro’s passport.

According to The Register, Dr Shifro’s Bitcoin account shows a two-year accumulation of just over 100BTC, which amounts to roughly $370,000.

Further reason to heed experts’ advice to not pay ransom when attacked by cybercriminals.

Get the full story at The Register.