Here are 11 things we learned from a ransomware help line

By on
Here are 11 things we learned from a ransomware help line

Nobody likes dealing with customer support. Literally nobody. The one thing worse than dealing with a bored customer support web chat advisor is dealing with a bored customer support web chat advisor who happens to have all your files and is extorting money from you.

But there are two things about how ransomware works that makes a customer support line useful for criminals. The first is that people caught out by ransomware links are less likely to be fluent in computer. The second is the illegal nature of the activity means that untraceable Bitcoin is the only way to pay. Combine Bitcoin with computer novices and you have a recipe for confusion.

To that end, the Spora ransomware family's creators have a website which has a group chat feature, where the “support worker” deals with a heady combination of confusion, questions, pleas for mercy and outright abuse. Security firm F-Secure have published 34 pages of transcripts from the channel which gives some fascinating insights into how the business model operates.

Here's a few things that become obvious over time.

There is no negotiation

Plenty of people asked Spora for a discount over the course of the 34 pages, nobody succeeded. The price clearly fluctuates between regions (which makes sense, given hundreds of dollars is the difference between a month's salary and a couple of days, depending on where you live), but the price you've been given will be the price you have to pay. No matter how much you moan.

...unless Bitcoin exchange rates screwed you over

The only exception to this rule is where people have managed to get their money changed into Bitcoin, only to discover that the rates have gone up, and you're a few dollars short. In these circumstances, the support guy often tops up their account and lets them off.

Heart warming stuff.

But you may get a discount for a positive review

If you're unlucky/reckless enough to get more than one computer locked, you might get a discount in exchange for leaving a positive review.

That's right, the people blackmailing you for your family photos want you to give them the same glowing review you'd leave for a family run B&B on TripAdvisor.

You're also very likely to get a deadline extension if you ask for one

While discounts were extremely rare, what was incredibly common was people getting indefinite extensions on the time in which they had to pay. Some people provided elaborate excuses, while others just asked. Every time, the mysterious admin just turned the deadline off on their account, essentially giving them an indefinite amount of time to pay in. 

 

This probably suggests that the idea of a deadline is to pressure people into a snap decision. Once someone asks for a deadline extension, they're already committed to paying anyway.

Ransoms requested fluctuate wildly

Ransomware support operators take a lot of abuse, but it gets you nowhere

All support staff have more than their fair share of people taking out their anger on them. It's probably not a surprise that criminals get theirs too.

There were universally ignored.

Some people seem to have developed ransomware Stockholm Syndrome

A few people actually congratulated the criminals behind the ransomware on the quality of their work, before paying up.

As far as I can tell, this wasn't done with hopes of getting a discount – they just liked what they saw. Worrying.

Occasionally you remember there's a human on the other end of the support line

For the most part, the admin is like a stuck record, repeating the same advice time and time again. At one point, however, we get a rare reminder that there is a human on the other end, and that human has some friendly philosophical tips to pass on:

Even malware professionals get caught out occasionally

Well, this is embarrassing.

Bizarrely, they recommend using anti-virus software

The transcript implies that one payment will ensure that Spora will never come back. One of the reasons experts advise users never to pay the ransom is the risk that it'll mark you out as the kind of person who pays up, and thus a good target for future scams.

At a couple of points, the admin recommends users get anti-virus software once they've paid up. Kaspersky and Bitdefender, since you ask.

Always nice when a departing burglar offers you some tips on the relative merits of Yale vs ADE, isn't it?

If you're going to get infected, it'll probably be on a Tuesday

Finally, F-Secure's research shows that if you're going to get infected with Spora, it'll likely be on a Tuesday. That's the day when their fresh run of spam goes out…

You can read the full transcript here.

This article originally appeared at alphr.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © Alphr, Dennis Publishing
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

Have you adopted agile methodologies?
Yes - And it made a big different improve productivity
Yes - But it's not made a big difference to productivity
No - But we're thinking of giving it a try
No – We’re happy with our current methods
No - Because it is a stupid idea and a fad
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?