Welcome to our “Threat Analysis” series of blogs! These posts cover a specific industry and the threats targeting them. The goal with this series is to raise awareness about cybercriminal threats, one post at a time.

We will explain the threat and provide a pathway to remediating the vulnerabilities exploited by the threat.

Generally, these articles are geared towards organizational leadership and we try to provide a non-technical overview of the dangers lurking in the world of cybercrime.

Why Ransomware Groups Try So Hard to Please Their Victims

Ransomware is currently the hottest strain of malware due to the fact that it provides an avenue for attackers to directly make money from their victims. Many different types of malware are financially motivated, with systems in place to provide income for their authors.

For example, spyware is a type of malware that monitors your activity to provide data on behaviors for the purposes of marketing and data harvesting. There is a definite profit to be made on your behavior and habits, but threat actors quickly learned that the golden goose was located within an organization’s data.

Ransomware “locks” data behind an encryption algorithm, demanding payment to provide the key to access the data again. In most circumstances, active ransomware gangs are looking to keep a positive reputation for unlocking data once a ransom is paid. These gangs rely on the payments to unlock data as their livelihood, and do not want to become associated with failure to provide the keys.

This blog will cover some of the unique ways that ransomware groups strive to provide “customer service” to their victims and the motivation behind these seemingly oxymoronic actions.

Ransomware 101

First things first – what is ransomware? While we cover specific attacks in great detail in our other posts, we will review a quick summary of how ransomware actually works.

Step 1 – Ransomware Gang Starts Attack

The attackers usually scope their victims and send specific attacks based on the vulnerabilities and exploits available at the time. They will generally have an extensive “back-end” setup prior to starting these attacks with payment portals, forums, and even helpdesk support ready to receive payments.

Step 2 – Data is Encrypted

Ransomware will hit organizations and encrypt their data, including backups if possible. After the encryption is completed, a message will be displayed to the end users at an organization demanding payment within a limited timeframe via Cryptocurrency. If this payment is not made, it is highly unlikely that the data will be recoverable.

Step 3 – Payment is Made and Data is Restored

If a company has no other recourse, they may opt to pay the ransom in order to recover their data. These ransomware threat actors generally support easy-to-use payment methods and attempt to maintain a positive reputation for distributing the key. When things go wrong, these gangs have a variety of unique options to resolve the issue.

Ransomware Updates and Patches

When ransomware is updated, it is usually to avoid the newest detection techniques in an attempt to affect new organizations. However, some “patches” are actually geared towards improving the customer ransom unlock experience. Just recently, the ransomware gang Babuk released a message to journalists emphasizing a bug in their software that broke certain disks (vhdx) when decrypting. The biggest surprise about this message was the “PR” feel to the announcement. While they throw around obvious threats and posturing within the message, the overall tone is nearly apologetic. They emphasize the fact that they “never make empty promises!” and try to rebuild trust that their ransomware will be decryptable should the payment be made. This post does contain a malicious subtext – organizations are at their mercy.

Ransomware Support Staff

Make no mistake – Ransomware is a professional industry. The design and implementation of ransomware is completed by skilled engineers that rival those in the cybersecurity industry. But these malware engineers are just the tip of the iceberg.

Ransomware gangs often employ a host of other individuals. They will hire managers in order to keep their operations on track and analyze performance indicators in relation to their campaigns. Graphic artists can be contracted to design their ransom messages and websites. Call center and helpdesk staff can be used to resolve any issues that victims have when attempting to pay the ransoms. In fact, these gangs sometimes follow a very conventional business model with standard work hours and benefits.

Sometimes, the only difference between these gangs and a conventional organization is that their “product” is an attack, not a solution.

The Dark Side of Customer Support

Don’t get the wrong idea, customer service for ransomware gangs is a wholly self-serving affair. There is no recourse for victims should the gang be disbanded, payment infrastructure destroyed, or payment timing missed. While you can sometime negotiate pricing, they are in it for the money and “sob stories” are generally a lost cause with these groups.

We don’t want to give the impression that these gangs are kind and caring customer support groups – they simply want their money. Protect your organization from ransomware so that you don’t have to experience the stress of working with criminals to retrieve your own data.

References:

Finkle, J. (2016, April 12). Ransomware: Extortionist hackers borrow customer-service tactics. Reuters. https://www.reuters.com/article/us-usa-cyber-ransomware/ransomware-extortionist-hackers-borrow-customer-service-tactics-idUSKCN0X917X.

Olenick, D., & Ross, R. (2021, April 19). PR Campaign: Babuk Ransomware Gang Claims Decryptor Repaired. Government Information Security. https://www.govinfosecurity.com/pr-campaign-babuk-ransomware-gang-claims-decryptor-repaired-a-16428.