Ransomware 'customer support' Chat Reveals Criminals' Ruthlessness

Ransomware criminals chatting up victims, offering to delay deadlines, showing how to obtain Bitcoin, dispensing the kind of customer support that consumers lust for from their cable and mobile plan providers, PC and software makers?

Finnish security vendor F-Secure recently released 34 pages of transcripts from the group chat used by the crafters of the Spora ransomware family. 

The back-and-forth not only put a spotlight on the gang's customer support chops, but, said a company security advisor, illustrated the intertwining of Bitcoin and extortion malware.

"We should be thankful that there are at least some practical barriers to purchase Bitcoins," wrote Sean Sullivan of F-Secure in a post to the firm's blog. "If it were any easier to do so, very little else would check the growth of crypto-ransomware's business model."

Sullivan originally penned that conclusion last month, in a short section of the "State of Cyber Security" report that F-Secure published then. Yesterday, F-Secure posted the transcripts, 20,000 words or more, and dubbed the collection a "new supplemental appendix" to the original report.

In one exchange, a Spora victim said he or she had paid the extortion fee, but had gotten nothing in return. "I already sent you 98USD worth of bitcoin," the victim reported.

In response, the "customer support rep" blamed the victim for entering an incorrect Bitcoin destination address. "But do you agree, that it is you mistake, that you entered incorrect address?" asked the Spora rep.

"I literally copied the address that was given at the refill page. How could I be mistaken?" the victim replied.

In one of many similar threads, the transcripts identified each victim by the first character of the ID created by the ransomware, someone pleaded for mercy.

"Hello crooks. I agree to pay," said "0" in a lead-off message. "But 570 dollars for a lot of photos of my grandmother. Can I expect a discount if I leave good feedback on the forum about you?"

No go. "We do not provide any discount. Also, we cannot be sure, that you have only photos," retorted "support."

At times, the messages were pitiful. "Hello, I am 82 and my family pikture  go away -- bad, very bad," reported another victim identified as "0."

"Is anyone there?" asked another during a stretch when Spora's support didn't respond to scores of messages, apparently borrowing another tactic from legitimate technical support desks.

Others played the anger card, the profanity card, the sympathy card. "Am I the one you should hack? No. I am just a salary man who tries to make ends meet and bring foods to his kids," said "E," who also identified himself as "Mustapha from Morocco.

But as F-Secure's Sullivan noted, many the questions posed to the hackers involved Bitcoin. "Hello, I am from Greece and we have capital  controls, is there any chance of a discount? Am having trouble buy bitcoins from here," remarked one.

"I'm going to pay for bitcoin. But I'm not sure that it works in weekend. Can you remove deadline please? If not works I will pay it on Monday," pleaded another.

The answer from Spora was always the same: No discount. The "rep" often extended deadlines, however, sometimes in response to victims pleading poverty, telling them that when they had the full amount, come back and pay.

"The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid," Sullivan pointed out. "In the past, cyber-crime schemes (such as scareware) have been killed off by disrupting the money supply.

The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin."

Computerworld

You Might Also Read:

Would Killing Bitcoin End Ransomware?:

Digital Forensics, Incident Response & Attribution:

Both Police & Business Must Deal With Cyber Extortion:

How To Deal With The Rising Tide Of Ransomware:

 

 

« Russian Cyber Warfare:'Victory in Syria'
TeamSpy Malware Returns to Steal Data »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cleo

Cleo

Cleo is a leader in secure information integration, enabling both ease and excellence in business data movement and orchestration.

GTB Technologies

GTB Technologies

GTB Technologies is a cyber security company that focuses on providing enterprise class data protection and data loss prevention solutions.

Alan Turing Institute

Alan Turing Institute

Alan Turing Institute is the UK national institute for data science. A major focus is Big Data analysis with applications including cyber security.

4iQ

4iQ

4iQ fuses surface, social, deep and dark web sources to research and assess risks to people, infrastructure, intellectual property and reputation.

HvS Consulting

HvS Consulting

HvS Consulting is a specialist information security company offering a full range of services including IT security architecture, ISO 27001 audits, Pentesting, Security monitoring and Training.

Hexatrust

Hexatrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

Veracity Industrial Networks

Veracity Industrial Networks

Veracity provides an innovative industrial network platform that improves the reliability, efficiency, and security of industrial networks and devices.

Cervello

Cervello

Cervello is a leading provider of comprehensive and proven solutions to protect railways against cyber attacks.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Aunalytics

Aunalytics

Aunalytics is a data platform company that delivers insights as a service to answer your most important IT and business questions.

EPAM Systems

EPAM Systems

Since 1993, EPAM Systems has leveraged its advanced software engineering heritage to become a leading global digital transformation services provider.

DataStealth

DataStealth

DataStealth is a data protection platform that allows organizations to discover, classify, and protect their most sensitive data and documents.

CyberSecAsia

CyberSecAsia

CyberSecAsia series conference is the one and only decision-makers gathering for CISO and info security experts in Asia.

EmberOT

EmberOT

EmberOT is at the forefront of operational technology (OT) security, offering cutting-edge solutions designed to protect critical infrastructure within energy, utilities, and manufacturing sectors.

Attura

Attura

Atturra is one of Australia's leading advisory and IT solutions providers, focused on providing end-to-end transformation services to its clients.