Menu
In desperation, many ransomware victims plead with attackers

In desperation, many ransomware victims plead with attackers

TeslaCrypt creators negotiated with victims, earned over $76,000 in two months

Hand on keyboard

Hand on keyboard

The shamelessness of ransomware pushers knows no bounds. After encrypting people's files and then holding them to ransom, they portray themselves as service providers offering technical support and discounts to their "customers."

Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.

They are tales of desperation: a father who's struggling to survive "in this expensive world" and has been robbed of his baby's pictures; a company's employee who lost business files to the malware and now fears losing his job; a housecleaning business set up by maids who can't afford to pay the ransom; a person who has no money and now can't even file his tax returns because of the malware; a non-profit that raises money for curing blood cancer and pleads for a refund.

Other messages reflect the frustration of people who don't have the technical skill to obtain bitcoins -- the TeslaCrypt ransom is typically $550 if paid in Bitcoin cryptocurrency or $1,000 if paid with PayPal My Cash cards.

In some cases the attackers agreed to lower their demands, most likely not because they empathized with the victims, but because smaller payments were better than no payments at all.

When someone said they could only afford to pay $100 the attackers responded that the minimum possible price is $250. However, in a different case they offered to restore someone's files for $150.

Other people paid, but they could still not recover all of their files, the messages show. For example, someone had a computer with two file-encrypting ransomware programs installed on it. Decrypting the files affected by TeslaCrypt didn't help because the files had already been encrypted by the other program. In another case someone complained that they can only decrypt files located on the C: drive.

Ironically, the advice the attackers gave to some paying victims was to back up their encrypted files before attempting to decrypt them with the provided tool. "To avoid losing data," they said.

This highlights the importance of having a solid data backup plan in the first place. Files should be backed up regularly to storage media that is not always connected to the computer and which can only be accessed after additional authentication. Otherwise, in case of a ransomware infection the backups might get encrypted as well.

The FireEye researchers discovered and tracked 1,231 Bitcoin addresses used by the TeslaCrypt gang between February and April. TeslaCrypt generates a unique Bitcoin address where the ransom must be paid for every infection, meaning that each of the 1,231 addresses represents one victim.

After analyzing transactions involving those addresses, the FireEye researchers believe that 163 victims, or 13 percent, paid the ransom in Bitcoin. Another 20 victims paid with PayPal My Cash cards. The transactions show the TeslaCrypt gang earning $76,522 between Feb. 7 and Apr. 28, 2015.

By comparison, another file-encrypting ransomware program, called Cryptolocker, is estimated to have earned $3 million for its creators during nine months of operation until May 2014. Another program, called Cryptowall, generated over $1 million in ransom payments during a six-month period in 2014.

One good piece of news is that researchers from Cisco Systems recently developed a tool that is capable of decrypting files affected by some TeslaCrypt versions without having victims pay a ransom.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Cisco SystemssecurityFireEyeDesktop securityencryptionscamsdata protectionmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments