The past two years have seen a dramatic increase in ransomware, malware such as the infamous CryptoWall that encrypts data on the infected device and demands a ransom payment for the decryption key. One interesting side effect has been an unexpected focus on the level of service that the cybercriminals provide to their victims while trying to make sure they pay up.
Ever since this strain of malware has been on the internet, security experts have universally urged victims not to pay the ransom. Part of the reason for this is that it perpetuates the scam, incentivizing criminals to get into this business and spread it to more victims. Another major reason – and the only one that the scam's victims are likely to care about – is that there is no guarantee that paying the ransom would persuade the scammers to return the files safely. They could just as well make off with the money or demand further payments. Meanwhile, the victim loses both their files and the money they paid to get them back.
The scammers themselves appear to have realized this as well, with several reports indicating that they are increasing their efforts to instill trust among their victims that paying the ransom will retrieve their files.
A major contributor to the rise of ransomware is the proliferation of digital cryptocurrencies, primarily bitcoin, that are difficult to trace and are naturally a good fit for a criminal enterprise executed on the internet. Most ransomware attacks require payment in bitcoin, and, perhaps anticipating a lack of cryptocurrency experience among their victims, the attackers have also included instructions on how to make a payment via bitcoin.
But even when those instructions fall short, those executing the ransomware have shown compassion for the technologically challenged. In January, musician and writer Alina Simone wrote in the New York Times about her technologically limited mother's efforts to pay ransom on her files after falling victim to a CryptoWall 2.0 attack. This attack came with a deadline for payment, after which the ransom would double from $500 to $1,000.
So after deciding that paying was her only choice, Simone's mother purchased $500 worth of bitcoin through an online service. However, bitcoin's value fluctuates constantly, and by the time the deposit had finally been processed (which can sometimes take almost a week), the value of bitcoin had dropped, leaving her roughly $25 short of the ransom amount. By the time Simone could transfer another $25 on behalf of her mother – this time through a cash-for-bitcoin ATM in Brooklyn – the deadline had passed, the ransom was increased to $1,000, and her mother was already out the original $500 she had sent via bitcoin.
So, in good faith, Simone's mother responded to the CryptoWall interface that demanded the ransom to tell the criminals what caused the delay in her payment and show proof that she already sent the ransom. And it worked – shortly afterward, she received her decryption key without having to pay the additional $500.
Some ransomware perpetrators are taking it a step further. In December, security firm KnowBe4 spotted a new strain of ransomware called OphionLocker that identified the devices it had infected in the past so as to avoid hitting the same victims twice.
"The ransomware people are very focused on their customer service," KnowBe4 CEO Stu Sjouwerman told CSO at the time. "It's in their best interest that word get out that if you pay, you will get your files back."
"The irony is thick," he added.
Most people may not expect criminals to offer a helping hand to their victims, but ransomware is one of those cases where it's actually good business. If word gets out that ransomware scammers don't honor their ransom agreements, then fewer people will ever pay them. Even more simply, if people don't know how to pay their ransoms, then they never could in the first place.