With the development of technology, new types of cyber attacks emerge almost on a monthly basis. One of them is ransomware. It is a type of malware that locks down a computer or encrypts files and demands a ransom payment for unlocking them. Ransomware viruses have advanced significantly since they became well known several years ago.
Although law enforcement and security firms advise against paying the ransom, about 50% of victims still pay up. For security experts, this is quite a big number. Keep in mind that we are dealing with the criminal world, where there has never been any guarantee that criminals will uphold their promises.
Ransomware is very profitable; it requires minimal expenditure and involves low risk. More hackers are turning to ransomware.
Ransomware is becoming more sophisticated, and hackers are trying to expand and grow their “business” by improving their operations, as 50% seems to be quite a low conversion rate to the cyber criminals themselves.
Initially, criminals developed the infrastructure needed to create and spread their malware. This process is constantly being tweaked and runs very smoothly for the majority of ransomware families.
One of the main weaknesses in their illegal model is victim/user trust. For ransomware to be effective, the end user must have confidence that the hacker will honestly supply the decryption key and that this key will work.
Developing a certain level of trust with the target, and being able to provide quality tech support services in order to get the payment in the end, becomes crucial for ransomware authors.
Another big problem for ransomware developers is the payment procedure. Even when certain victims “trust” the hackers and wish to pay, completing this task often becomes a challenge. Nearly all ransomware viruses demand money paid in Bitcoin (BTC). Registering BTC wallets, adding funds to them and transmitting those funds to the crooks is not a trivial task. Moreover, all these actions have to be done through the Tor anonymizing network. I should mention here that the victims of various online scams are commonly people who are not tech-savvy. It is really difficult for them to deal with all those new technologies.
Often out of necessity, a number of ransomware creators have focused their efforts on enhancing the customer experience. You will find several examples of this customer service approach below.
For example, the Spora ransomware family has built a name this year as the most efficiently run ransomware campaign, due to excellent customer service in combination with great marketing and reputation management.
The crooks behind this ransom Trojan believe themselves to be highly professional and stress that they possess significant expertise in managing ransomware operations.
Among the characteristics that distinguish Spora from similar malware is a live chat option that allows victims to communicate with the criminals in real time.
The gangsters offer support in two languages, Russian and English, and are extremely careful to keep dialogues calm and avoid conflict with upset or aggressive “customers.” They consistently respond in a timely manner, providing helpful information in answer to all queries.
Going further, Spora operators have been very indulgent to people who cannot pay the money for some serious reason. In this case, the extortionists extended or sometimes disabled the deadline.
Next, Spora creators have been providing special discounts. In one particular situation, the hackers offered a 10% discount to an organization that had about 200 computers infected with Spora.
Additionally, as a free trial, they offer decryption of several important files to most victims.
Another trick Spora operators use is offering discounts and deadline extensions to individuals who leave a positive review of their customer service on the Bleeping Computer forum, one of the world’s leading tech support communities, which has recently been specifically dedicated to ransomware threats.
The Spora team needs these reviews so that new targets can read the successful decryption stories of previous victims and thus be assured that, if they pay, they will get their data files decrypted. This is a very important factor for big players like Spora, as plenty of low-skilled teenage script kiddies distribute ransomware samples with faulty encryption mechanisms, leaving victims with no chance of recovering their files.
It is interesting that, earlier, CryptoLocker’s developers (no longer active) were keeping an eye on Bleeping Computer support threads and soon started to reply to user questions related to CryptoLocker, adopting this popular public platform for their tech support needs.
One more distinct feature of Spora is a ransom payment website that makes use of “credits” to handle Bitcoin payments.
Lastly, the hackers created a so-called Spora immunity file, which works as a shield and protects all victims from being infected with Spora a second time. Spora remembers all its customers.
Some researchers state that Spora’s customer service is much more helpful and user-friendly than the customer service efforts of numerous technology companies these days.
Other ransomware types have also started to embrace this customer-focused approach.
About 75% of cyber gangs are now willing to negotiate the ransom amount. Ransom amounts differ depending on the country. People from Estonia have to pay less than people from Switzerland.
Most ransom Trojans started to offer “free trials” and decryption of several files.
New ransomware types include wide-ranging FAQ sections and lengthy guidelines that direct affected people on how to make the payment. Sometimes, crooks employ graphic designers to make the ransom notes more eye-catching and of higher quality. Hackers spend time translating all the information into a variety of languages. Cerber ransomware, for example, has a support portal in a dozen languages!
A lot of new viruses use the famous brand names of the most recognized ransomware as a way to piggyback on their reputation for being trustworthy and always sending decryption keys.
Bad guys improve their malicious software, creating up to five generations of it, fixing bugs and improving the GUI and overall user experience.
Various other PR tactics are being used, like declaring that the virus was created for the sole purpose of teaching basic infosec and testing security software such as antiviruses for its capability to provide data protection. Some say the money will go to poor people.
And lastly, one particularly shameless and merciless technique: hackers offer victims the option to infect their friends (actually any two people), and if those people pay, the initial target may get all files decrypted for free.
Even though ransomware owners are attempting to be “professionals,” they are still organized crime groups. Criminals who extort people’s dollars should be arrested.
We must understand that they are constantly advancing, not only by generating new virus samples but also by making the payment process easy and smooth. Until recently, online crime schemes like fake antiviruses were destroyed by killing the channels that supplied their funds. Now they have switched to newer, more anonymous payment methods like Bitcoin, which are hard to track. Bitcoin should be regulated. One more way to cut the money streams is to campaign against paying the hackers, or even to introduce laws that forbid such payments.
We should all stop paying. In fact, it is very easy. Simple data backups remove the need to pay. Once we stop paying, all these black schemes will go away. Criminals understand this; right now they feel the need to implement their customer service because they notice the downward trend in payments.