Ransomware developers have customers, however unwilling they may be. Thus, these criminals also have customer service. But is it effective? F-Secure, a company that specializes in security and anti-malware products for consumers and corporations, decided to evaluate the “help desks,” if you will, of ransomware malware, which covertly encrypts files on victims’ machines, and then demands fees paid in Bitcoin to unlock the unwanted encryption.
As with piracy and hostage-taking on the high seas, ransomware developers depend on providing honest, effective service after committing their crimes. As F-Secure notes in a breezy, darkly amusing white paper released Monday, “Without establishing a reputation for providing reliable decryption, their victims won’t trust them enough to pay them.” Indeed, killing the “hostages”—a user’s files—after accepting payment and not decrypting documents would quickly make this kind of attack unprofitable, as people would stop paying. (Though that doesn’t stop some malware makers from peeing in the pool.)
F-Secure approached the exercise as if reviewing common, legitimate software and services. It created a fake identity, “Christina Walters,” and then allowed “her” system to be infected by the major families of ransomware. F-Secure then examined the quality of the ransomware interface, the clarity of an associated website, and the willingness of customer support to educate the target about payment, and to engage in negotiation over price and deadline.
“Ransomware has always been technologically possible. It’s the customer service that didn’t scale,” said Sean Sullivan, F-Secure Labs’ security adviser, in an interview. He noted that the TOR network, used for identity-obscuring browsing, together with Bitcoin provided the missing piece. “The only thing that kept it from scaling was the getting paid part,” Sullivan said.
While one ransomware attacker’s organization didn’t respond, F-Secure’s “Christina” corresponded with the other four. F-Secure was able to obtain one or more extensions to its payment deadline in those four cases, and negotiated a lower fee in three out of the four infections.
But, again, please read the F-Secure white paper. It provides eye-opening illustrations of how the bad guys actually operate in the wild.
The impact on you: Because crypto-ransomware can use any vector for infection, the best defenses are simple ones. First, keep your computer’s operating system up to date and fully patched, without Flash or Java installed and active. Microsoft Office macros should be disabled. Second, do continuous, up-to-date backups that retain multiple older versions of files. This way, if you do become a victim of ransomware, you’ll have backups of all the files under the encryption attack. Third, avoid visiting dubious websites, and never open unexpected, unsolicited ZIP files and email attachments. You should also train those around you, whether they be friends, family or co-workers, to exercise the same caution.
F-Secure, like other security software vendors, also suggests you install anti-malware software that shuts down malware vectors and provides alerts about unexpected system behavior.