In desperation, many ransomware victims plead with attackers

TeslaCrypt creators negotiated with victims, earned over $76,000 in two months

Hand on keyboard

Hand on keyboard

The shamelessness of ransomware pushers knows no bounds. After encrypting people's files and then holding them to ransom, they portray themselves as service providers offering technical support and discounts to their "customers."

Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.

They are tales of desperation: a father who's struggling to survive "in this expensive world" and has been robbed of his baby's pictures; a company's employee who lost business files to the malware and now fears losing his job; a housecleaning business set up by maids who can't afford to pay the ransom; a person who has no money and now can't even file his tax returns because of the malware; a non-profit that raises money for curing blood cancer and pleads for a refund.

Other messages reflect the frustration of people who don't have the technical skill to obtain bitcoins -- the TeslaCrypt ransom is typically $550 if paid in Bitcoin cryptocurrency or $1,000 if paid with PayPal My Cash cards.

In some cases the attackers agreed to lower their demands, most likely not because they empathized with the victims, but because smaller payments were better than no payments at all.

When someone said they could only afford to pay $100 the attackers responded that the minimum possible price is $250. However, in a different case they offered to restore someone's files for $150.

Other people paid, but they could still not recover all of their files, the messages show. For example, someone had a computer with two file-encrypting ransomware programs installed on it. Decrypting the files affected by TeslaCrypt didn't help because the files had already been encrypted by the other program. In another case someone complained that they can only decrypt files located on the C: drive.

Ironically, the advice the attackers gave to some paying victims was to back up their encrypted files before attempting to decrypt them with the provided tool. "To avoid losing data," they said.

This highlights the importance of having a solid data backup plan in the first place. Files should be backed up regularly to storage media that is not always connected to the computer and which can only be accessed after additional authentication. Otherwise, in case of a ransomware infection the backups might get encrypted as well.

The FireEye researchers discovered and tracked 1,231 Bitcoin addresses used by the TeslaCrypt gang between February and April. TeslaCrypt generates a unique Bitcoin address where the ransom must be paid for every infection, meaning that each of the 1,231 addresses represents one victim.

After analyzing transactions involving those addresses, the FireEye researchers believe that 163 victims, or 13 percent, paid the ransom in Bitcoin. Another 20 victims paid with PayPal My Cash cards. The transactions show the TeslaCrypt gang earning $76,522 between Feb. 7 and Apr. 28, 2015.

By comparison, another file-encrypting ransomware program, called Cryptolocker, is estimated to have earned $3 million for its creators during nine months of operation until May 2014. Another program, called Cryptowall, generated over $1 million in ransom payments during a six-month period in 2014.

One good piece of news is that researchers from Cisco Systems recently developed a tool that is capable of decrypting files affected by some TeslaCrypt versions without having victims pay a ransom.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwaredata protectionencryptionscamsFireEyeCisco SystemsDesktop security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?