In desperation, many ransomware victims plead with attackers

TeslaCrypt creators negotiated with victims, earned over $76,000 in two months


The shamelessness of ransomware pushers knows no bounds. After encrypting people's files and then holding them to ransom, they portray themselves as service providers offering technical support and discounts to their "customers."

Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.

They are tales of desperation: a father who's struggling to survive "in this expensive world" and has been robbed of his baby's pictures; a company's employee who lost business files to the malware and now fears losing his job; a housecleaning business set up by maids who can't afford to pay the ransom; a person who has no money and now can't even file his tax returns because of the malware; a non-profit that raises money for curing blood cancer and pleads for a refund.

Other messages reflect the frustration of people who don't have the technical skill to obtain bitcoins -- the TeslaCrypt ransom is typically $550 if paid in Bitcoin cryptocurrency or $1,000 if paid with PayPal My Cash cards.

In some cases the attackers agreed to lower their demands, most likely not because they empathized with the victims, but because smaller payments were better than no payments at all.

When someone said they could only afford to pay $100 the attackers responded that the minimum possible price is $250. However, in a different case they offered to restore someone's files for $150.

Other people paid but still could not recover all of their files, the messages show. For example, someone had a computer with two file-encrypting ransomware programs installed on it. Decrypting the files affected by TeslaCrypt didn't help because the files had already been encrypted by the other program. In another case someone complained that they could only decrypt files located on the C: drive.

Ironically, the advice the attackers gave to some paying victims was to back up their encrypted files before attempting to decrypt them with the provided tool. "To avoid losing data," they said.

This highlights the importance of having a solid data backup plan in the first place. Files should be backed up regularly to storage media that is not always connected to the computer and which can only be accessed after additional authentication. Otherwise, in case of a ransomware infection the backups might get encrypted as well.

The FireEye researchers discovered and tracked 1,231 Bitcoin addresses used by the TeslaCrypt gang between February and April. TeslaCrypt generates a unique Bitcoin address where the ransom must be paid for every infection, meaning that each of the 1,231 addresses represents one victim.

After analyzing transactions involving those addresses, the FireEye researchers believe that 163 victims, or 13 percent, paid the ransom in Bitcoin. Another 20 victims paid with PayPal My Cash cards. The transactions show the TeslaCrypt gang earning $76,522 between Feb. 7 and Apr. 28, 2015.

By comparison, another file-encrypting ransomware program, called Cryptolocker, is estimated to have earned $3 million for its creators during nine months of operation until May 2014. Another program, called Cryptowall, generated over $1 million in ransom payments during a six-month period in 2014.

One good piece of news is that researchers from Cisco Systems recently developed a tool that is capable of decrypting files affected by some TeslaCrypt versions without having victims pay a ransom.


Lucian Constantin

IDG News Service