Cybercriminals have a heart, but they may lose it anytime

Jun 3, 2015 09:41 GMT  ·  By

The operators of a new piece of ransomware originating from Russia keep open a communication channel with victims for payment instructions, but this also means there’s a possibility for bargaining.

Ransomware with file encryption routines is one of the nastiest cyber threats today, not just for the average user but also for businesses and even law enforcement departments, which have no other alternative but to pay for data recovery, unless a backup system has been set up.

File names are also scrambled

Found by security researchers at Check Point, Troldesh ransomware, also known as Encoder.858 and Shade, applies full encryption of the files it processes, from content to name and extension.

It is distributed via spam email and starts locking up the data as soon as it is deployed on the system, changing the extension to XBTL. Next, users see the ransom message and are directed to a Readme text for additional details.

Even if there is no backup available, victims of crypto-malware are strongly advised not to pay, because lack of “customers” would bring the business to an end.

Usually, cybercriminals do not interact with the victims and set up an infrastructure that automatically collects payments and delivers the file decryption keys in exchange.

On the other hand, fees have gone up and the crooks ask for hundreds of dollars to return files to their original state.

Bargaining is an option, but not a reliable one

In an attempt to maximize their profits and to be able to provide clear instructions to affected users, some ransomware operators offer the possibility to be contacted, and those running Troldesh are among them.

The reason in their case is to deliver the payment details and offer proof that they do have the means to decrypt the locked data, in case someone doubted it.

Check Point researcher Natalia Kolesova exploited this and managed to get a discount of more than 50% from the initial €250 / $278 ransom demand. After complaining about not affording to pay the money she finally got the price lowered to €118 / $131, payable via QIWI money transfer system.

Similar scenarios occurred in the case of TeslaCrypt handlers, who gave in to grievances and also offered discounts; in some cases the keys were even offered for free.

Although cybercriminals can be persuaded to settle for less than the initial amount, users should not rely on this when ransomware is involved. Crooks could always close their shop and leave the data encrypted.

Backing up files regularly and storing the safe copies in a place with limited access from the main computer is currently the best form of protection against crypto-malware.