Deal with the devil: Ransomware experiment proves you can negotiate price down

Ironically, the cybercriminals holding your computer files for ransom may be offering you a better customer experience than your average cable provider or insurance company.

For instance, the cybersecurity firm F-Secure recently reached out to five ransomware distributors' online customer support channels under the guise of a victim, and found that three out of the four agents that responded were willing to negotiate a lower ransom price. Factoring in these four engagements, F-Secure was able to average a 29 percent discount on the collective ransoms, according to a company report issued yesterday. Moreover, all four agents that responded were willing to extend the deadline.

Demanding ransoms from approximately $150 to $1,900 in bitcoins, with deadlines ranging from one to five days (one deadline was unspecified), the five ransomware families F-Secure studied were: Cerber, Cryptomix, Jigsaw, Shade and TorrentLocker. While Cryptomix's demand was exorbitantly more expensive than the others, its ransomware agent also offered the deepest discount (67 percent – from three bitcoins to one, or about $1900 to $635).

Strange as it sounds, many ransomware companies strive for a positive, polished customer experience and an above-the-board reputation. It seems contradictory to their true nature, but it's their strategy for encouraging user compliance and ensuring timely payments.

“Customer service has long been the issue holding ransomware in check,” said Sean Sullivan, security advisor at F-Secure, in an email interview with “It's never been difficult to infect a computer and go after data in some way. The hard part has been how to communicate with the victim on how to pay in a way that's difficult to trace. Once Bitcoin became popular, ransomware really began to tackle the communication/service issue.”

Interested to see just how accommodating the customer experience truly can be, F-Secure tested the five ransomware families by tasking a non-technical researcher to play the role of “Christine Walters,” a fictional online persona supposedly victimized by the ransomware. Meanwhile, other observers evaluated the ransomware for its presentation and ease of use. 

Jigsaw scored the best for customer service, followed by Cryptomix and Shade, due primarily to a willingness to negotiate on price and deadline. The extremely patient agent representing Jigsaw not only lowered the ransom by 17 percent, but was even willing to help walk the victim through the bitcoin purchase process.

The F-Secure report even transcribes an amusing, lengthy exchange between the two parties, in which the agent politely points out that “We have never had a case take so long.” Later, when “Christine” says she was able to recover back-ups of her files, the agent tells her that he's “glad you got your files back.”

“I think the amount of effort that the "Jigsaw agent" made was remarkable. Particularly given the price point,” said Sullivan. “I suspect that the individual would like to be doing something else, but lacks the opportunity.”

TorrentLocker was rated worst due to its total lack of response to customer queries. All of the other ransomware families responded promptly to inquiries, often within minutes of receiving a message. Cerber offered a strong support form to assist customers, but was nevertheless scored lower on customer service because the agent refused to reduce the price.

Interestingly, ransomware families that were stronger in customer service were weaker in the product features category, and vice versa.

For instance, Cerber scored highest because of its professional, polished presentation. This includes webpages featuring support for 12 languages, a home page featuring the current ransom price and deadline countdown, an FAQ section and even a free test decryption of one chosen file. TorrentLocker offered many of these same services as well; however its support webpages were only accessible by first installing the Tor browser, which nullified its more agreeable attributes.

F-Secure even credited Cerber for the “entertaining” information text file left on the infected machine's desktop – offering detailed, easy-to-follow instructions and even uses persuasive marketing techniques to sell the victim on complying.

On the other hand, the firm admonished Cryptomix, Shade and Jigsaw for inadequate instructions – Cryptomix's ransom note, for instance appeared as simple .txt and .html files with only basic information, and amateurish graphical interfaces featuring desktop wallpapers and, in Jigsaw's case, female nudity.

So does this mean it's safe to bargain with a cybercriminal? “People should absolutely interact and ask questions. If they then get a sense that they can haggle, they should,” said Sullivan. “Haggling over price is practically expected in many parts of the world, and being told ‘no' isn't going to make things worse.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.