Why These Online Criminals Actually Care About Your Convenience



Get an inside view of ransomware in our new report:

Evaluating the Customer Journey of Crypto-Ransomware



Customer service is not normally something associated with the perpetrators of crime. But crypto-ransomware, the digital demon that has been crippling businesses and plaguing consumers, is different.

Crypto-ransomware criminals’ business model is, of course, encrypting your files and then making you pay to have them decrypted so you can access them again. To help victims understand what has happened and then navigate the unfamiliar process of paying in Bitcoin, some families offer a “customer journey” that could rival that of a legitimate small business. Websites that support several languages. Helpful FAQs. Convenient customer support forms so the victim can ask questions. And responsive customer service agents that quickly get back with replies.

We think this is a pretty interesting paradox. Criminal nastiness, but on the other hand willingness to help “for your convenience,” as one family put it. We decided to dig a little deeper.

We evaluated the customer journeys of five current ransomware families (Cerber, Cryptomix, TorrentLocker, Shade, and a Jigsaw variant), and got an inside look we’re sharing in a new report, Evaluating the Customer Journey of Crypto-Ransomware. From the first ransom message to communicating with the criminals via their support channels, we wanted to see just how these criminals are doing with their customer journey – and whose is the best (or rather, least loathsome).

Among our findings:

  • The families with the most professional user interfaces don’t necessarily have the best customer service.
  • Criminals are usually willing to negotiate the price. Three out of four variants we contacted were willing to negotiate, averaging a 29% discount from the original ransom fee.
  • Ransomware deadlines are not necessarily “set in stone.” All the groups we contacted granted extensions on the deadlines.
  • One of the groups claimed to be hired by a corporation to hack another corporation – a kid playing a prank, or a sinister new threat actor?


Here’s an example of our “victim” (an invented persona named Christine Walters) negotiating with the crooks via email.

[Image: ransomware negotiation]

And the “ransomware agents” behind the malware – what about them? As this infographic explains, they don’t need to be whiz programmers these days. Here are 5 of their secrets for “success,” plus 5 ways you can protect yourself:


5 Habits of Successful Ransomware Cybercriminals




Keep in mind that cloud backup is the wrong thing in most cases. Not only is it a privacy risk, but ransomware can lock you out of your account or delete data from your cloud account.

Back up on a hard drive you do not have connected during normal operation. Consider rebooting to a live CD for the backup if you think your system may be infected, and keep multiple versions (last backup, the backup before the last backup), so if you notice encrypted files too late, you still have the unencrypted files on backup.

Hi, thanks for your comment. On cloud backup – that’s true about sync services, perhaps. But if you store stuff in the cloud that doesn’t sync, we haven’t heard about any behavior in ransomware that would lock you out. (Other types of malware can, however – just haven’t heard about this with any ransomware.) External hard drives (also shown in the pic) or other physical means are great, their limitation is they’re vulnerable to fire, flood, etc. So best case, good to have both!

I would recommend a NAS hard drive based backup instead of a wired hard drive. NAS stands for Network Access Server, and in practice, it is a box-shaped device that looks like a modem but is a hard drive. You can back up both your phone and computer to such a device. For Apple users you have Time Machine, which is probably very easy to set up, and for a Windows / Android / manufacturer-independent solution, Synology NAS drives work well.

Hi Eric, thanks for your comment. If only it were that simple – but it’s not, because the criminals set up anonymous accounts, and they use the Tor network to hide their IP address. This way the communications channels can’t be traced back to them.

An adblocker, a script blocker and a beefed-up anti-malware-URL hosts file can go a long way too. The latter is very useful for when I’m forced to use Steam’s buggy, out-of-date browser due to a game not liking alt-tab. Almost never see ads there anymore.

As the old saying goes, “An ounce of prevention is worth a pound of cure”.
