Report: ransomware crooks rely on customer service to cash in

Cybercriminals infecting computers with ransomware must provide good customer service to make money.

Cyber criminals infecting computers with ransomware — a type of malware that holds data hostage until a victim pays a ransom — are dependent on the customer service and reputation of their operations to make money, a new study conducted by Finland-based cybersecurity firm F-Secure shows.

F-Secure’s team of security researchers were able to learn how ransomware hackers conduct business by creating a fake Hotmail account owned by a fictional character they dubbed Christine Walters — a 40-year-old married mother with no security knowledge — who subsequently became the target of numerous ransomware attacks.

“[These] ransomware criminals walk a certain line — on one hand, they’re the nasty criminal, but on the other hand, they have to establish a degree of trust with the victim and be ready to offer a certain level of service in order to realize the payment in the end,” a new report by F-Secure published Monday explains.

In the study, F-Secure focused on understanding the customer experience involved in making a ransomware payment — which is typically required on the part of a victim to unlock stolen files.


This payment process, according to the report, can be better understood as what comparable, legitimate small businesses would traditionally call the “customer journey.” A salesperson in both instances effectively relies on a step-by-step sales procedure to reliable secure a purchase by the customer or, in this case, victim.

[Read More: Feds confident in fight against ransomware]

“The paradox of ransomware is that the perpetrators are criminals with a customer mindset. They’re disreputable, yet reputation is everything: Without establishing a reputation for providing reliable decryption, their victims won’t trust them enough to pay them,” the report describes.

F-Secure’s pseudonym spoke with representatives from five different ransomware brands: Cerber, Jigsaw, CryptoMix, Shade and Torrent Locker. All five boast online platforms, customer service representatives and only accept Bitcoin as payment.

Some of the ransomware operations showcased websites that support several languages and oddly provide basic FAQ pages. Customer support forums were also a common theme, available so that a victim can quickly ask questions and receive a response.


The fake F-Secure account spoke with ransomware “agents” on four out of the five platform’s respective support forums.

While the ransomware operators set different deadlines, used different platforms and requested unique, fluctuating prices to decrypt victims’ data, their unnamed customer service representatives each showed a willingness to lower prices over time and to educate victims who were unaware of their situation.

In one exchange, F-Secure’s Walters asked a ransomware agent why her files were unaccessible. The anonymous agent responded: “File encryption is a virus. Not a service. You clicked on a link or downloaded a program and your files were encrypted so you have to pay if you want them back … The ransom for your files doubles after 24 hours to $225. We have contacted you several times before so we should be charging you the $225. Since you don’t understand what a ransom virus is we will keep it at $125 for today.”

Last year, Kaspersky Labs, a prominent, international security software company, detected ransomware on 179,209 computers. In April, the Departments of Justice and Homeland Security said in a statement that ransomware victims in the U.S. paid over $24 million, according to data obtained by the Internet Crime Complaint Center, or IC3.

“Out of the five [ransomware operations], we were able to make contact with four of them. In those exchanges, we were able to negotiate an average of a 29 percent discount from the original ransom. We were also able to obtain more time for payment,” F-Secure’s security researchers wrote.


The report concludes that ransomware operations are idiosyncratic cyber crimes — it cannot be thought about generically, like any other strain of malware. To avoid such data breaches, F-Secure recommends for organizations to regularly backups of files, keep software up to date and be cautious of phishing emails and other online scams.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts