Ransomware 'customer support' Chat Reveals Criminals' Ruthlessness

Ransomware criminals chatting up victims, offering to delay deadlines, showing how to obtain Bitcoin, dispensing the kind of customer support that consumers lust for from their cable and mobile plan providers, PC and software makers?

Finnish security vendor F-Secure recently released 34 pages of transcripts from the group chat used by the crafters of the Spora ransomware family. 

The back-and-forth not only put a spotlight on the gang's customer support chops, but, said a company security advisor, illustrated the intertwining of Bitcoin and extortion malware.

"We should be thankful that there are at least some practical barriers to purchase Bitcoins," wrote Sean Sullivan of F-Secure in a post to the firm's blog. "If it were any easier to do so, very little else would check the growth of crypto-ransomware's business model."

Sullivan originally penned that conclusion last month, in a short section of the "State of Cyber Security" report that F-Secure published then. Yesterday, F-Secure posted the transcripts, 20,000 words or more, and dubbed the collection a "new supplemental appendix" to the original report.

In one exchange, a Spora victim said he or she had paid the extortion fee, but had gotten nothing in return. "I already sent you 98USD worth of bitcoin," the victim reported.

In response, the "customer support rep" blamed the victim for entering an incorrect Bitcoin destination address. "But do you agree, that it is you mistake, that you entered incorrect address?" asked the Spora rep.

"I literally copied the address that was given at the refill page. How could I be mistaken?" the victim replied.

In one of many similar threads, the transcripts identified each victim by the first character of the ID created by the ransomware, someone pleaded for mercy.

"Hello crooks. I agree to pay," said "0" in a lead-off message. "But 570 dollars for a lot of photos of my grandmother. Can I expect a discount if I leave good feedback on the forum about you?"

No go. "We do not provide any discount. Also, we cannot be sure, that you have only photos," retorted "support."

At times, the messages were pitiful. "Hello, I am 82 and my family pikture  go away -- bad, very bad," reported another victim identified as "0."

"Is anyone there?" asked another during a stretch when Spora's support didn't respond to scores of messages, apparently borrowing another tactic from legitimate technical support desks.

Others played the anger card, the profanity card, the sympathy card. "Am I the one you should hack? No. I am just a salary man who tries to make ends meet and bring foods to his kids," said "E," who also identified himself as "Mustapha from Morocco.

But as F-Secure's Sullivan noted, many the questions posed to the hackers involved Bitcoin. "Hello, I am from Greece and we have capital  controls, is there any chance of a discount? Am having trouble buy bitcoins from here," remarked one.

"I'm going to pay for bitcoin. But I'm not sure that it works in weekend. Can you remove deadline please? If not works I will pay it on Monday," pleaded another.

The answer from Spora was always the same: No discount. The "rep" often extended deadlines, however, sometimes in response to victims pleading poverty, telling them that when they had the full amount, come back and pay.

"The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid," Sullivan pointed out. "In the past, cyber-crime schemes (such as scareware) have been killed off by disrupting the money supply.

The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin."

Computerworld

You Might Also Read:

Would Killing Bitcoin End Ransomware?:

Digital Forensics, Incident Response & Attribution:

Both Police & Business Must Deal With Cyber Extortion:

How To Deal With The Rising Tide Of Ransomware:

 

 

« Russian Cyber Warfare:'Victory in Syria'
TeamSpy Malware Returns to Steal Data »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

RSA Conference

RSA Conference

RSA Conference conducts information security events around the globe that connect you to industry leaders and highly relevant information.

Apcon

Apcon

Apcon's mission is to provide valuable network insights that enable security and network professionals to monitor, secure and protect their data in both physical and virtual environments.

LogonBox Software

LogonBox Software

LogonBox Software specialises in producing a cost-effective range of Network Security and Identity Management software solutions for all sizes of Enterprise.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

e-Lock

e-Lock

e-Lock services include IT security consulting and training, security systems integration, managed security and technical support.

Elemendar

Elemendar

Elemendar Artificial Intelligence reads cyber threat reports written by humans and translates them into industry-standard, machine-readable and machine-actionable data.

Shift5

Shift5

Shift5 focus on securing operational technology (OT) by building best-in-class, dual-use products serving military and commercial entities.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

ImmuniWeb

ImmuniWeb

We Simplify, Accelerate and Reduce Costs of Security Testing, Protection and Compliance.

Guardsman Cyber Intelligence (GCI)

Guardsman Cyber Intelligence (GCI)

GCI provides proven cyber intelligence solutions to protect your business against ever present physical and digital threats shadowing your online business.

Systal Technology Solutions

Systal Technology Solutions

Systal is a global managed network and security service and transformation specialist. We help enterprise-level businesses maximise the security and business value of their complex IT infrastructure.

Insurica

Insurica

INSURICA is a full-service insurance agency built upon a tradition of integrity, industry leadership, and excellence.

Verastel

Verastel

Specializing in the niche space of proactive cyber-defense, and adaptive resilience, team Verastel is bolstering enterprise digital security like never before.

DNSFilter

DNSFilter

DNSFilter is the most accurate threat detection and content filtering tool on the market today.

Nihka Technology Group

Nihka Technology Group

Nihka offers full end-to-end ICT solutions from business optimisation, data centre modernisation, cloud connection and management, and ICT security.

MineOS

MineOS

MineOS aligns compliance with business growth. We designed our platform so that privacy compliance efforts directly benefit other teams and initiatives.