Skip to content

Trending tags

Why These Online Criminals Actually Care About Your Convenience

Melissa Michael

18.07.16 2 min. read


Evaluating the Customer Journey of Crypto-Ransomware


Get an inside view of ransomware in our new report:

Evaluating the Customer Journey of Crypto-Ransomware



Customer service is not normally something associated with the perpetrators of crime. But crypto-ransomware, the digital demon that has been crippling businesses and plaguing consumers, is different.

Crypto-ransomware criminals’ business model is, of course, encrypting your files and then making you pay to have them decrypted so you can access them again. To help victims understand what has happened and then navigate the unfamliar process of paying in Bitcoin, some families offer a “customer journey” that could rival that of a legitimate small business. Websites that support several languages. Helpful FAQs. Convenient customer support forms so the victim can ask questions. And responsive customer service agents that quickly get back with replies.

We think this is a pretty interesting paradox. Criminal nastiness, but on the other hand willingness to help “for your convenience,” as one family put it. We decided to dig a little deeper.

We evaluated the customer journeys of five current ransomware families (Cerber, Cryptomix, TorrentLocker, Shade, and a Jigsaw variant), and got an inside look we’re sharing in a new report, Evaluating the Customer Journey of Crypto-Ransomware. From the first ransom message to communicating with the criminals via their support channels, we wanted to see just how these criminals are doing with their customer journey – and whose is the best (or rather, least loathsome).

Among our findings:

  • The families with the most professional user interfaces don’t necessarily have the best customer service.
  • Criminals are usually willing to negotiate the price. Three out of four variants we contacted were willing to negotiate, averaging a 29% discount from the original ransom fee.
  • Ransomware deadlines are not necessarily “set in stone.” All the groups we contacted granted extensions on the deadlines.
  • One of the groups claimed to be hired by a corporation to hack another corporation – a kid playing a prank, or a sinister new threat actor?


Here’s an example of our “victim” (a fake persona invented named Christine Walters) negotiating with the crooks via email.

ransomware negotiation

And the “ransomware agents” behind the malware – what about them? As this infographic explains, they don’t need to be whiz programmers these days. Here are 5 of their secrets for “success,” plus 5 ways you can protect yourself:


5 Habits of Successful Ransomware Cybercriminals


5 Habits of Successful Ransomware Cybercriminals






Melissa Michael

18.07.16 2 min. read



6 comments on Why These Online Criminals Actually Care About Your Convenience
  1. jim says:

    keep in mind, that cloud backup is the wrong thing in most cases. Not only its a privacy risk, but ransomware can lock you out of your account or delete data from your cloud account.

    Backup on a hard drive, you do not have connected during normal operation. Consider rebooting to a live cd for the backup, if you think your system may be infected and keep multiple versions (last backup, the backup before the last backup), so if you notice encrypted files too late, you still have the unencrypted files on backup.

  2. Melissa says:

    Hi, thanks for your comment. On cloud backup – that’s true about sync services, perhaps. But if you store stuff in the cloud that doesn’t sync, we haven’t heard about any behavior in ransomware that would lock you out. (Other types of malware can, however – just haven’t heard about this with any ransomware.) External hard drives (also shown in the pic) or other physical means are great, their limitation is they’re vulnerable to fire, flood, etc. So best case, good to have both!

  3. Eric says:

    can’t the authorities use that customer service to trace and bust the criminals?

  4. Melissa says:

    Hi Eric, thanks for your comment. If only it were that simple – but it’s not, because the criminals set up anonymous accounts, and they use the Tor network to hide their IP address. This way the communications channels can’t be traced back to them.

  5. Teemu says:

    I would recommend a NAS hard drive based backup instead of a wired hard drive. NAS stands for Network Access Server, and in practice, it is a box shaped device that looks like a modem but is a hard drive. You can backup both your phone and computer to such a device. For Apple users you have Time Machine, which is probably very easy to setup, and for Windows / Android / manufacturer independent solution Synology NAS drives work well.

  6. Garth says:

    An adblocker, a script blocker and a beefed up anti-malware-URL hosts file can go a long way too. The latter is very useful for when I’m forced to use Steam’s buggy, out-of-date browser due to a game not like alt-tab. Almost never see ads there anymore.

    As the old saying goes, “An ounce of prevention is worth a pound of cure”.

Comments are closed.

Leave a comment

Oops! There was an error posting your comment. Please try again.

Thanks for participating! Your comment will appear once it's approved.

Posting comment...

Your email address will not be published. Required fields are marked *

Highlighted article

Related posts

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.