A 'customer support' chat group reveals the inner workings of a ransomware business, as more organisations pay ransoms.
Nobody likes dealing with customer support. But the one thing worse than dealing with a bored customer support web chat advisor is dealing with a bored customer support web chat advisor who happens to have all your files and is extorting money from you.
There are two things about how ransomware works that makes a customer support line useful for criminals. The first is that people caught out by ransomware links are less likely to be fluent in computer. The second is the illegal nature of the activity means that untraceable Bitcoin is the only way to pay. Combine Bitcoin with computer novices and you have a recipe for confusion.
To that end, the Spora ransomware family’s creators have a website which has a group chat feature, where the “support worker” deals with a heady combination of confusion, questions, pleas for mercy and outright abuse. Security firm F-Secure have published 34 pages of transcripts from the channel which gives some fascinating insights into how the business model operates.
Here’s a few things that become obvious after reading the transcripts.
There is no negotiation
Plenty of people asked Spora for a discount over the course of the transcript, but nobody succeeded.
The price clearly fluctuates between regions (which makes sense, given hundreds of dollars is the difference between a month’s salary and a couple of days, depending on where you live), but the price you’ve been given will be the price you have to pay. No matter how much you moan.
...unless Bitcoin exchange rates screwed you over
The only exception to this rule is where people have managed to get their money changed into Bitcoin, only to discover that the rates have gone up, and you’re a few dollars short. In these circumstances, the support guy often tops up their account and lets them off.
Heart warming stuff.
But you may get a discount for a positive review
If you’re unlucky or reckless enough to get more than one computer locked, you might get a discount in exchange for leaving a positive review.
That’s right, the people blackmailing you for your family photos want you to give them the same glowing review you’d leave for a family-run B&B on TripAdvisor.
You’re also very likely to get a deadline extension if you ask for one
While discounts were extremely rare, what was incredibly common was people getting indefinite extensions on the time in which they had to pay. Some people provided elaborate excuses, while others just asked. Every time, the mysterious admin just turned the deadline off on their account, essentially giving them an indefinite amount of time to pay in.
This probably suggests that the idea of a deadline is to pressure people into a snap decision. Once someone asks for a deadline extension, they’re already committed to paying anyway.
Ransoms requested fluctuate wildly
Ransomware support operators take a lot of abuse, but it gets you nowhere
All support staff have more than their fair share of people taking out their anger on them. It’s probably not a surprise that criminals get theirs too.
There were universally ignored.
Some people seem to have developed ransomware Stockholm Syndrome
A few people actually congratulated the criminals behind the ransomware on the quality of their work, before paying up.
As far as we can tell, this wasn’t done with hopes of getting a discount – they just liked what they saw. Worrying.
Occasionally you remember there’s a human on the other end of the support line
For the most part, the admin is like a stuck record, repeating the same advice time and time again. At one point, however, we get a rare reminder that there is a human on the other end, and that human has some friendly philosophical tips to pass on:
Even malware professionals get caught out occasionally
Well, this is embarrassing.
Bizarrely, they recommend using anti-virus software
The transcript implies that one payment will ensure that Spora will never come back. One of the reasons experts advise users never to pay the ransom is the risk that it’ll mark you out as the kind of person who pays up, and thus a good target for future scams.
At a couple of points, the admin recommends users get anti-virus software once they’ve paid up. Kaspersky and Bitdefender, since you ask.
Always nice when a departing burglar offers you some tips, isn’t it?
If you’re going to get infected, it’ll probably be on a Tuesday
Finally, F-Secure’s research shows that if you’re going to get infected with Spora, it’ll likely be on a Tuesday. That’s the day when their fresh run of spam goes out…
Why more businesses are paying ransoms
But everyone knows that if you're infected with ransomware, you shouldn’t don't pay up, right?
By paying the attacker, the theory goes, you're proving that their method of extortion works – that they will make money (potentially a lot of it) by holding data hostage.
However, at the recent RSA Conference 2017 in the US, there's been a shift in tone within the security community. While nobody is outright advising businesses, or individuals, to pay up, they are acknowledging that many companies that fall victim to a ransomware attack do just that. Indeed, a survey by IBM towards the end of 2016 showed around 70% of companies affected by ransomware have paid to get data back, with payouts reaching the US$1 billion mark that year.
Why businesses pay
There's one strong business imperative to pay ransomware: it's less expensive to cough up than it is to hold out against the attackers.
"You may say 'look, we have a business principle here, we're not going to pay the bad guys'. But if you're confronted with the business reality of paying the bad guys a few Bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality of having to pay the ransom," said Ed Skoudis, an instructor at the SANS Institute, during a panel at the conference.
Marcin Kleczynski, CEO of Malwarebytes, gave the example not of crypto ransomware, but of a distributed denial of service (DDoS) ransom attack, where a business is taken offline until a ransom is paid.
"Imagine a botnet being pointed at an airline's ticketing website, which produces tens of millions of dollars in revenue per hour. I [as the botnet controller] say 'this will continue unless you pay me $1 million now," Kleczynski said.
"$1 million is much less than the $10 million it makes per hour, so why not extort that kind of money?"
Indeed, having a backup and recovery system in place is no guarantee that a company won't pay the ransom, even though in theory it should negate the need to do so.
Jeremiah Grossman, chief of security strategy at SentinelOne, said: "What we find in [our] research, of those who pay the ransom around 50% actually have backups. So the backups aren't a panacea.
"What happens is, say you have the backups but the bad guys have encrypted 1,000 of your machines. IT says 'yeah, we'll recover, no problem – in a week'."
If the ransom is significantly less the cost of holding out, Grossman said, then they "write the cheque", as it's more expedient and quite possibly cheaper.
Ransomware, consumers and the Internet of Things
For businesses that do end up hit by ransomware, there is at least some consolation in the form of cyber insurance – an industry that's currently raking in an estimated US$3 billion in the US alone – as well as access to sophisticated defensive tools and backup and recovery.
For consumers, the situation is a little more bleak.
"[They're] going to get left out for a while," said Grossman. "There's nothing out there for the consumer yet. It's going to be unfortunate – while the enterprise can leverage cyber insurance, crisis management teams to negotiate, high-end, really next-gen antivirus, there's no equivalent for the home user. They're really going to be on their own and that's really going to be pretty nasty."
As well as being nasty, it could also be a very expensive experience. While now it may be a consumer's computer or phone held to ransom, with the IoT the potential targets will expand dramatically.
"If ransomware were to reconfigure or encrypt the control architecture of Internet of Things devices, we have a big problem," said Skoudis.
"What would you pay to turn your lights back on? What would you pay to turn your heat back on? Or your car – you want to drive your car to work today?"
What you should do
Nevertheless, the consensus among the information security industry is still that you shouldn't pay off the attackers. There are other options such as ransomware decrypters that may be worth trying, and if it’s business-critical you should consult a security specialist, of course.
Despite SentinelOne’s findings, a backup strategy is still highly recommended, as long as it’s done the right way – daily backups that are kept in a location that is not connected to the network or a computer to minimise the chances of the backups being encrypted – as part of a comprehensive information security plan.