Hackers, especially those who create and deploy a type of malware known as “ransomware,” are now offering support and service to the victims they extort money from.
The practice isn’t so different from the way malware authors offer support to other hackers who use their tools.
Ransomware is a type of virus that infects a user’s machine and encrypts the files on it, leaving them inaccessible unless the victim pays for the decryption key. Ransoms typically range from $300 to $500, sometimes with a limited time before the price is raised or before the chance to pay is withdrawn completely.
The idea behind ransomware authors extending an olive branch to victims is simple: the victim has to trust that paying up will actually restore their files. If they don’t trust the legitimacy of the service, they are less likely to pay.
Further, even for the victims that want to pay, actually doing so can be a challenge. Most ransomware services require payment in bitcoins, and getting funds into a bitcoin wallet and then transferring those bitcoins to the attacker is not a trivial process.
“When you think about the people that ransomware’s targeting … they’re going after relatively unsavvy users who are using [outdated browsers],” Craig Williams, Security Outreach Manager for Cisco’s Talos research group, told Business Insider.
Williams said that nearly all ransomware will change the user’s background to a ransom note explaining how to pay.
“These instructions are written in such a way that [the attackers] are able to get money from [their victims], which I think in itself is a feat.”
Ransomware authors will take extra measures to ensure payment. Some will offer alternative methods of payment. Others offer the free decryption of a single file to prove that they do in fact possess the key. Many services even use the names of better known viruses in order to piggy-back on their name recognition and reputation for actually providing decryption keys.
The practice of hackers offering victim support began with the developers of Cryptolocker, one of the most widespread ransomware viruses around, according to Lawrence Abrams.
Abrams is the founder of computer support site Bleeping Computer, and he said that CryptoLocker’s developers would monitor support threads on Bleeping Computer and soon began to respond to some user concerns on their web-page.
CryptoWall, a successor to CryptoLocker, followed the former’s lead and added a support page to its own websites. According to Abrams, most large ransomware packages since then have offered their own support pages.
On Bleeping Computer, several ransomware victims reported communicating with various malware developers or deployers to resolve issues with payment or decryption.
In one instance, a victim of the PClock ransomware reported negotiating the ransom on his files down to 0.2 bitcoins — around $40 dollars at the time. A ransom letter posted by a victim of the same virus suggests an original ransom of 10 times that amount.
Rewat, a CryptoWall victim from Thailand, told Business Insider that he paid a ransom of nearly $580 to retrieve his files, but found that the decryption tool he was given did not work. At the suggestion of another Bleeping Computer user, Rewat posted on CryptoWall’s support forum, an option only available to those who have paid the ransom.
Rewat sent two messages explaining that he paid the money he had set aside for his mother’s cancer treatment in order to restore his files and save his job, only to receive a faulty decryption tool.
After a few hours with no response, Rewat tried redownloading the tool. This time, it worked. Compared to the 10 minute encryption process, decryption took 8 hours.
Rewat is unsure if CryptoWall ever received his message, but weeks later, he received a response: “Please upload your file via sendspace.com [and] send download link to me.” He doesn’t plan to write back.
Former ransomware developer Tox told Business Insider that, during the time his virus was operational, he didn’t often receive messages from victims, but that figured that the more help he could provide the better.
“The easier the payment process, the more paying victims [there will be.] I felt like a modern Arsene Lupin, in [that] I tried to be as [much of] a gentleman thief as my position allowed me to be,” Tox said over encrypted chat.
For his part, ransomware developer Jeiphoos told Business Insider that he only ever received one message from someone claiming to be a victim. He determined that the “victim” was trying to scam him and moved on.
Asked what he would do if a legitimate victim reached out to him for support, Jeiphoos said he would offer “IT support” on how to get bitcoins and pay with them.
What if they asked for a free pass?
“No,” Jeiphoos said, “as that wouldn’t be fair to my customer.”