The Ransomware Paradox: Bad Guys Offer Good Customer Service

Not only are ransomware extortionists stealing our money, they’re also stealing our smart business practices. First, cybercriminals started mimicking our sophisticated organizational hierarchies, then they figured out a new financial trading system. Now, in an absurd juxtaposition, they’re pampering their ransomware victims with helpful customer service to increase their chances of getting paid.

Need help finding a Bitcoin vendor? Here’s one in your area.

I can understand you might be skeptical that we’ll actually restore your files.

We’ll let you decipher one file for free. Oh, you just made a car payment and are a little low on cash? No problem, we’ll lower the ransom.

The paradox of bad guys offering good customer service was so interesting to European cybersecurity company F-Secure that the firm recently evaluated the customer journeys of five current ransomware families: Cerber, Cryptomix, Jigsaw, Shade and TorrentLocker. First, F-Secure set up a Hotmail account for a bogus “Christine.” Then, once “Christine” was infected, the firm had her interact with the criminals to observe the numerous tactics of reputable customer service being used by disreputable extortionists:

User-friendly interface

Knowing it’s important to make a good first impression, smart cybercriminals are using more professional-looking branded webpages to notify victims their files have been taken hostage. Cerber’s website even offers content in 12 languages and has the online equivalent of a Wal-Mart greeter (albeit one who is talking through a tracheostomy tube): a voice letting victims know their files have been encrypted, just in case they don’t read the ransom note on their screen.

Clear instructions and FAQs

Most extortionists demand payment in Bitcoin, which isn’t widely understood by the law-abiding masses. So extortionists provide clear instructions, FAQ pages and lists of Bitcoin vendors.

Multichannel support

Like good marketers, the bad guys provide support across numerous channels. They offer online forms, chat and email support.

Timely response

Apparently, cybercriminals are keeping up with the latest customer service surveys, like one by Toister Performance Solutions that found customers now expect an email response from businesses within one hour. When “Christine” sent emails asking for support, she often received replies within minutes.

Free trial offer

What better way to build trust with skeptical prospects than letting them see that their files really will be decrypted? Four of the five ransomware families evaluated offered a free trial, usually letting the victim/customer choose one file.

Lower price offer

Ransomware gangs are usually willing to lower the price. When “Christine” balked at the original ransom (which ranged from 150 to 1,900 Bitcoins), three of the families dropped the price, averaging a 29% discount from the original ransom fee.

Extended limited-time offer

Ransomware always has a deadline, akin to conventional limited-time offers. Just like retailers who graciously tout that their sale is “extended three more days,” the bad guys are willing to extend their “offers,” too. When “Christine” complained she was busy and having trouble with the payment process, four of the five families extended the deadline.

While F-Secure’s report looked at the lighter side of a serious problem, the firm’s overarching goal was to remind users that ransomware prevention—with regular backup of files—beats negotiation with the bad guys, no matter how polite they seem.