Cybercrime, we are told, is becoming increasingly professional — it is being run like a business. If this is true, then selling ransomware decryption keys is almost the perfect business model. It has low start-up costs; is free from both corporation tax and regulators via bitcoin payments and Tor communication channels; it is repeatable business; and it fulfills a strong customer need.
The only weakness in this model is user trust. For it to work, the user has to trust that the seller really will provide the decryption keys and that those keys will work. But since users are aware that the problem was caused by the same group violating their computer in the first place, there is no automatic trust. Without that trust the business model fails.
F-Secure has investigated the extent to which five different and currently active ransomware groups will promote user trust to bolster the business model — and in some cases it is quite surprising. The five families were Cerber, CryptoMix, Jigsaw, Shade and Torrent Locker.
F-Secure created a fictitious persona, Christine, to get infected and liaise with five different ransomware groups. In its own words, the purpose was “to see which crypto-ransomware family offers the best (or, more appropriately, least worst) customer journey from start to finish.” The evaluation focused on the user interface (product quality) and user support (service quality), including things like ‘hand-holding’ and try-before-you-buy options.
The most obvious result was there is little correlation between quality of product and quality of service. Cerber is the most professional product, scoring 8.5 out of a possible 9 points. The user interface supports 12 languages, it offers a trial decryption, and it is clear and well organized. Equally worse, scoring just 3 points, are Jigsaw and Torrent Locker. Jigsaw has no trial decryption and supports English only. The user interface is poor and unprofessional with an indecent popup window.
These relative positions are reversed over quality of support. Jigsaw scores best with nine points from a possible 11, while Cerber gets just 6 points. Torrent Locker is the absolute worst with 3 out of 9 for product, and just 1 out of 11 for service. The service element of the evaluation included responsiveness, willingness to negotiate on price, and willingness to extend the deadline.
F-Secure security advisor Sean Sullivan believes the more professional products come from the more organized criminal gangs. They have already developed a complete infrastructure to deliver the malware and manage the process — income is ongoing and almost automatic, and they don’t need to bother about victim support services. More entrepreneurial or opportunistic agents have invested less in the infrastructure and consequently need to provide more support to ensure payment.
This view is somewhat supported by the agents’ willingness to negotiate. Cerber refused, while Jigsaw offered a 17% discount. F-Secure was unable to contact the Torrent Locker agent, but was able to negotiate an average 29% discount from the other four.
The greatest discount (67%) came from the agent who demanded the highest starting fee: Cryptomix demanding ca.$1900 — Jigsaw had the lowest starting demand at $150. Sullivan again suspects that the higher demands come from the more organized criminal gangs. He has no knowledge of how many victims pay the ransom but believes it to be ‘surprisingly high’.
“We ran a Twitter poll earlier this year,” he said, “asking people how much they would hypothetically pay ‘to recover lost data’.” 63% said they would pay nothing; 29% would pay less than €400; 5% would pay between €401-800; and only 3% would pay more than €800.
“I think these gangs would be even more successful if they lowered their asking price,” Sullivan suggested.
There is a fascinating dialog between Christine and the Jigsaw agent — who genuinely seems surprised that Christine had been infected. He claims to have been contracted by one company to target a competitor company. Sullivan told SecurityWeek that he doubts this; not because it doesn’t happen, but because it doesn’t usually happen with major companies. The Jigsaw agent claims to be working for a “big name corporation. Fortune 500 company.”
Christine told him at the end of the process (after she had ‘found’ her files on Google Drive and didn’t need to pay for decryption after all) that she actually felt a bit sorry for him — and this ability to manipulate feelings is typical of the seasoned social engineer. “I wouldn’t be surprised,” suggested Sullivan, “to find that he also operates ‘romance’ scams.”
The paradox of ransomware is that victims need to trust the aggressor. “Without establishing a reputation for providing reliable decryption,” concludes the F-Secure analysis, “their victims won’t trust them enough to pay them. And their business model would be a winning one – if it weren’t so deplorable.” The best solution remains to avoid infection with up-to-date software and organized back-ups — but if you still get infected, it might be worth trying to negotiate a lower decryption fee. Just avoid Cerber and Torrent Locker.