Ransomware customer service: Negotiation is always on the table

Can negotiating with ransomware operators result in a reduced fee?
Written by Charlie Osborne, Contributing Writer

Cyberattackers running ransomware campaigns are usually willing to negotiate if it means exhorting any payment at all from victims, researchers claim.

Ransomware is a particularly nasty breed of malware which, once downloaded and executed on a vulnerable system, will encrypt files and bar access to the PC. Victims are then issued with a demand for payment in virtual currency in return for the key to unlock their files.

The malware strain has evolved from targeting gamers to taking on more lucrative targets, including universities and hospitals -- with demands for payment going from $200 to thousands of dollars. However, it seems that cyberattackers utilizing this kind of malware are willing to negotiate if it means they receive their paycheck.

On Monday, cybersecurity firm F-Secure released a new report, "Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It," which claims that three out of four ransomware criminal gangs were willing to negotiate the ransom fee.

After using fake accounts and creating victims, the security team found that three out of four threat actors were willing to negotiate the price they originally demanded. When contacted by the "victims," the cyberattackers would often offer a discount of roughly 30 percent.

See also: No honor among thieves: New ransomware takes your money, deletes files anyway

Many ransomware infections display an imposed time to try and panic users into paying as quickly as possible. These deadlines may be a matter of hours or days, and there may also be a lingering threat to delete more files the longer the victim waits to hurry things along.

However, F-Secure says that ransomware deadlines are flexible, and every one of the cyberattackers contacted by the fake victims offered extensions.

On one hand, threat actors don't care what precious files are lost by the victim, but they also must "establish a degree of trust with the victim and be ready to offer a certain level of service in order to realize the payment in the end," the report says.

It seems that ransomware may highlight how the cyberattack industry is evolving. We've gone far beyond the days of Stuxnet, and while there are many crippling, state-sponsored attack campaigns running worldwide, threat actors targeting the average user or SMB must take a more "customer support" focused approach.

As a result, many ransomware operators are also acting as de-facto businesspeople, too. They offer "free trials" for decryption, web pages offering advice and direct lines to the groups themselves for help making payments.

The "best of the worst" is Cerber. This ransomware not only offers support web pages in 12 languages, but also offers victims a free "decryption trial," contact form, and current payment rates displayed clearly on the malware's web domains.

The ransomware in question also pretends that it is a force for good, claiming that the malware "is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection."

"We read stories about ransomware every day, and lately the word 'epidemic' is being used to describe its proportions," said Sean Sullivan, security advisor at F-Secure.

"We wanted to offer a different look at this problem of mass crime, but ultimately to take the opportunity to remind people and businesses once again of what they can do to protect themselves from this threat. Software updates, good security software, caution with email, and most importantly, in case all else fails, back up your stuff regularly, before you ever become a victim."

10 things you didn't know about the Dark Web

Editorial standards