An exchange like this between the cybercriminal and the victim who just had his or her computer files encrypted may not be as far-fetched as one would expect, according to a new report by Trend Micro, which found the practice in use. The research firm found and contacted at least one ransomware gang using Jigsaw that offered a live chat option on its ransom note to help talk its victims through the process of purchasing the bitcoins needed for the decryption key.
“The attackers actually have people standing by to answer questions,” Trend Micro said.
To see exactly what would transpire in such a conversation, a Trend Micro staffer posed as a Jigsaw ransomware victim and contacted the bad guy through the link provided. The criminals used the publicly available chat tool onWebChat. The following is the conversation, with Trend's comments on the left.
How can I help you
can you really decrypt my files?
why are you guys doing this to us?
I am here to help you get your files back.
all you have to do is pay $150. New york has Bitcoin atms
thats too much for me
sorry. depending on the amount of files encrypted it doubles to $300 after 24 hours and $450 after 72
is there a way to lower na payment?
We can do $125
let me see if i can work this with my boss
just send a message if we are not online we will come back online within 10 minutes
The conversation itself is difficult to use against the criminals, as the connection to onWebChat's servers is protected with SSL/TLS protocols.
However, Trend Micro was able to discern from the discussion a few interesting facts about how the bad guys operate, mainly that they tend to trust the victims to tell them the ransom amount.
“Interestingly, the cybercriminal on the other end of the chat conversation doesn't actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine–if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user's honesty when it comes to finding out how much ransom should be paid!” the company said.
The psychology behind creating a “human” contact also makes sense from the criminal's standpoint. Trend Micro speculated that such interaction could help push a victim into paying the fee, something the company and the FBI do not encourage.