“Hello, this is Ransomware Depot. How may I help you?”
An exchange like this between a cybercriminal and a victim whose files have just been encrypted may not be as far-fetched as one might expect, according to a new report by Trend Micro.
The security firm found and contacted at least one ransomware gang, operating Jigsaw, that offered a live chat option in its ransom note to talk victims through the process of buying the bitcoins needed for the decryption key.
“The attackers actually have people standing by to answer questions,” Trend Micro said.
To see exactly what would transpire in such a conversation, a Trend Micro staffer posed as a Jigsaw ransomware victim and contacted the criminal through the link provided. The criminals used the publicly available chat tool onWebChat. The conversation follows, with the Trend Micro staffer's messages marked "Victim" and the operator's marked "Attacker" (in Trend's original screenshot, Trend's comments appear on the left).
Attacker: How can I help you
Victim: can you really decrypt my files?
Attacker: yes it's automatic on payment is received all you have to do is click that you made payment and the system will verify instantly
Victim: why are you guys doing this to us?
Attacker: I am here to help you get your files back. Let me know if you need any other instructions or help
Victim: I'm doomed! my boss gonna fire me
Attacker: all you have to do is pay $150. New York has Bitcoin ATMs or you can visit www.localbitcoins.com
Victim: that's too much for me
Attacker: sorry. depending on the amount of files encrypted it doubles to $300 after 24 hours and $450 after 72 it doesn't happen to all computers it depends on the file size encryption
Victim: is there a way to lower na payment?
Attacker: We can do $125 that's the minimum and that is within 24 hours
Victim: let me see if i can work this with my boss
Attacker: just send a message if we are not online we will come back online within 10 minutes And we do decrypt all your files 100% you have to message me when you make the payment so I can accept the $125 into the system if not it will tell you you haven't paid enough. Each wallet is unique to the computer so I can verify instantly
The conversation itself is of limited use against the criminals, as the connection to onWebChat's servers is protected with SSL/TLS.
However, Trend Micro was able to discern from the discussion a few interesting facts about how the bad guys operate, mainly that they tend to trust the victims to tell them the ransom amount.
“Interestingly, the cybercriminal on the other end of the chat conversation doesn't actually know when the user was infected. The 'timer' is only based on a cookie set on the affected machine – if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user's honesty when it comes to finding out how much ransom should be paid,” the company said.
The psychology behind creating a “human” contact also makes sense from the criminal's standpoint. Trend Micro speculated that such interaction could help push a victim into paying the fee, something neither the company nor the FBI encourages.