Threat Management

Cyber gang offering live chat help for its ransomware victims

“Hello, this is Ransoware Depot. How may I help you?”

An exchange like this between the cybercriminal and the victim who just his or her computer files encrypted may not be as farfetched as one would expect, according to a new report by Trend Micro, which found the practice in use. The research firm found and contacted at least one ransomware gang using Jigsaw that offered a live chat option on its ransomware note to help talk its victims through the process of purchasing the bitcoins needed for the decrypt key.

“The attackers actually have people standing by to answer questions,” Trend Micro said.

To see exactly what would transpire in such a conversation a Trend Micro staffer posed as a Jigsaw ransomware victim and contacted the bad guy through the link provided. The criminals used the publicly available chat tool onWebChat. The following is the conversation with Trend's comments are on the left.

How can I help you

can you really decrypt my files?

yes
its automatic
on payment is received all you have to do is click that you made payment
and the system will verify instantly

why are you guys doing this to us?

I am here to help you get your files back.
Let me know if you need any other instructions or help

im doomed!
my boss gonna fired me

all you have to do is pay $150. New york has Bitcoin atms
or you can visit www.localbitcoins.com

thats too much for me

sorry. depending on the amount of files encrypted it doubles to $300 after 24 hours and $450 after 72
it doesnt happen to all computers it depends on the file size encryption

is there a way to lower na payment?

We can do $125
that the minimum
and that is within 24 hours

let me see if i can work this with my boss

just send a message if we are not online we will come back online within 10 minutes
And we do decrypt all you files
100%
you have to message me when you make the payment so I can accept the $125 into the system if not it will tell you you haven't payed enough. Each wallet is unique to the computer so I can verify instantly

The conversation itself is difficult to use against the criminals as the connection to onWebchat's servers is protected with SSL/TLS protocols.

However, Trend Micro was able to discern from the discussion a few interesting facts about how the bad guys operate, mainly that they tend to trust the victims to tell them the ransom amount.

“Interestingly, the cybercriminal on the other end of the chat conversation doesn't actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine–if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user's honesty when it comes to finding out how much ransom should be paid!” the company said.

The psychology behind creating a “human” contact also makes sense from the criminal's standpoint. Trend Micro speculated that such interaction could help push a victim into paying the fee, something the company, and the FBI, does not encourage.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.