In desperation, many ransomware victims plead with attackers
Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.
They are tales of desperation: a father who's struggling to survive "in this expensive world" and has been robbed of his baby's pictures; a company's employee who lost business files to the malware and now fears losing his job; a housecleaning business set up by maids who can't afford to pay the ransom; a person who has no money and now can't even file his tax returns because of the malware; a non-profit that raises money for curing blood cancer and pleads for a refund.
Other messages reflect the frustration of people who don't have the technical skill to obtain bitcoins -- the TeslaCrypt ransom is typically $550 if paid in Bitcoin cryptocurrency or $1,000 if paid with PayPal My Cash cards.
In some cases the attackers agreed to lower their demands, most likely not because they empathized with the victims, but because smaller payments were better than no payments at all.
When someone said they could only afford to pay $100 the attackers responded that the minimum possible price is $250. However, in a different case they offered to restore someone's files for $150.
Other people paid, but they could still not recover all of their files, the messages show. For example, someone had a computer with two file-encrypting ransomware programs installed on it. Decrypting the files affected by TeslaCrypt didn't help because the files had already been encrypted by the other program. In another case someone complained that they can only decrypt files located on the C: drive.
Ironically, the advice the attackers gave to some paying victims was to back up their encrypted files before attempting to decrypt them with the provided tool. "To avoid losing data," they said.
This highlights the importance of having a solid data backup plan in the first place. Files should be backed up regularly to storage media that is not always connected to the computer and which can only be accessed after additional authentication. Otherwise, in case of a ransomware infection the backups might get encrypted as well.
The FireEye researchers discovered and tracked 1,231 Bitcoin addresses used by the TeslaCrypt gang between February and April. TeslaCrypt generates a unique Bitcoin address where the ransom must be paid for every infection, meaning that each of the 1,231 addresses represents one victim.
After analyzing transactions involving those addresses, the FireEye researchers believe that 163 victims, or 13 percent, paid the ransom in Bitcoin. Another 20 victims paid with PayPal My Cash cards. The transactions show the TeslaCrypt gang earning $76,522 between Feb. 7 and Apr. 28, 2015.
By comparison, another file-encrypting ransomware program, called Cryptolocker, is estimated to have earned $3 million for its creators during nine months of operation until May 2014. Another program, called Cryptowall, generated over $1 million in ransom payments during a six-month period in 2014.
One good piece of news is that researchers from Cisco Systems recently developed a tool that is capable of decrypting files affected by some TeslaCrypt versions without having victims pay a ransom.