Crypto-ransomware has been the scourge of business lately, taking files hostage by encryption and demanding money for their decryption. And ironically, ransomware itself is something of a business (albeit an underground, illegitimate one). It certainly has a business model, one that depends on building the trust of the victim: If victims don’t trust that they’ll get their files back, they won’t pay.
In order to help establish this trust, many ransomware families have evolved to feature something akin to what a legitimate business would call a “customer journey” – the experience that takes the victim, or the “customer,” from initially becoming acquainted with the ransomware, to eventually “converting” to a paying customer.
We thought this is a pretty interesting scenario – nasty criminals with a customer focus. So we conducted an experiment to find out how these ransomware families are doing on their customer journey. (The full details and results are available in our new report, Evaluating the Customer Journey of Crypto-Ransomware.)
We had a non-technical employee get “infected” by five different families of crypto-ransomware, all of whom had some kind of support channel that offered a chance to interact with the criminals. We created a fake persona, “Christine Walters,” a 40-something mom with very little tech knowledge, and a Hotmail address for her. We had our “Christine” evaluate each of these families based on her experience, from the first ransom note screen all the way to communicating with the crooks.
Our findings are interesting. Here are three of them:
1. Ransoms can be negotiated.
We found that ransomware criminals are usually willing to negotiate the price. Three out of four variants we contacted (the fifth, TorrentLocker, didn’t reply to us at all) were willing to negotiate, averaging a 29% discount from the original ransom fee. Here’s a breakdown:
Not bad. Cryptomix had the highest starting demand, at 3 Bitcoin, which was around 1900 dollars – and they also gave us the biggest cut, at 67%. How did we accomplish this? Here’s a screenshot of one of “Christine’s” negotiations:
With a little more haggling, we were again able to get them down to just one Bitcoin, which was about $635.
Bottom line: these guys would rather make some money than none at all. Cerber was the only family unwilling to budge on the price. They were also the family with the most professional user interface, which brings us to our next finding.
2. The families with the most professional user interfaces don’t necessarily have the best customer service.
As said, Cerber had the cleanest, most professional and most helpful interface (with support for 12 languages!) but their customer service agent, although responsive, wasn’t so very helpful. They didn’t negotiate the price, and they weren’t helpful when asked for help with making the Bitcoin payment. They did, however, give us more time to make the payment. Here’s a view of part of our conversation using their convenient online support form.
3. Ransomware deadlines are not necessarily “set in stone.”
Although they state bold deadlines, in our experience, ransomware criminals don’t necessarily enforce the deadlines. All the groups we contacted granted extensions. “Christine” had a busy weekend planned, so she asked for more time, which they granted. And even a week after we’d concluded our experiment (without having paid any of the ransoms) we were contacted by one of the agents asking if we still wanted our files.
For more findings, full details, plus our full conversation with one of the ransomware “agents,” check out the full report. Plus, did you know it doesn’t take much tech smarts to be a ransomware crook? Check out our infographic of the “5 Habits of Successful Ransomware Cybercriminals.”
And finally, because you don’t ever want to have to be in the position of haggling a price for your files, learn how to protect your business from ransomware before you ever get hit – check out our Quick Quide to Outsmarting Ransomware.