Ransomware Gangs ‘Willing To Bargain’

Most ransomware groups now have responsive and friendly customer-service operations, finds a study

The gangs behind ransomware can usually be negotiated with on the price they will accept for decrypting files and will often extend deadlines for payment, researchers have found.

The groups function like any online commercial organisation and strive to deliver a satisfying customer experience, IT security firm F-Secure said in a study of five currently active ransomware types.

Customer service

The findings add weight to other recent research that found computer criminals are increasingly organised in a way similar to legal businesses, with human resources and customer services departments.

Ransomware, which typically encrypts a user’s files and demands payment to decode them, is a lucrative form of computer crime that has spread widely in recent months, but the income it generates depends, paradoxically, upon establishing a rapport with victims, F-Secure said.

“They’re disreputable, yet reputation is everything,” the study found. “Without establishing a reputation for providing reliable decryption, their victims won’t trust them enough to pay them.”

As a result ransomware gangs have developed complex customer-services operations similar to those of small businesses, the study found.

“Websites that support several languages. Helpful FAQs. Convenient customer support forms so the victim can ask questions. And responsive customer service agents that quickly get back with replies,” the firm said. “These are criminals who are making money off the backs of people and businesses they are hurting. But conversely, like any decent venture, they’re also concerned about offering good customer service – including support channels and reliable decryption after payment.”

Negotiation

Three out of four of the ransomware groups evaluated were willing to negotiate, resulting in an average 29 percent reduction in price, F-Secure found.

None of the gangs were willing to accept payment in any form other than Bitcoin, but many quoted prices in dollars or euros due to most users’ unfamiliarity with Bitcoin and the virtual currency’s wide fluctuations in value.

All of the groups were willing to grant extensions of the deadlines built into the attack code, F-Secure found.

The findings do not apply to all ransomware – researchers recently reported a variant called Ranscam that asks for payment and pretends to encrypt files, but in fact just deletes them.

IT security firms recommend users protect themselves from such attacks by making regular backups, keeping software up to date and using security software such as email filters, since ransomware and other exploits often arrive in the form of email attachments.
