Customer service matters when it comes to ransomware

Technical skills are only part of the equation when building your criminal malware empire.

This week we're finding out that Cerber is 2016's biggest name in ransomware.

Cerber didn't get to the top just by being good at infecting computers, locking up people's files and blackmailing its victims for Bitcoin. The plucky ransomware is on the fast track to fame and fortune thanks to a hard-won reputation for top-notch customer service that wows its victims at every turn. At least that was the conclusion in security company F-Secure's summer report, Evaluating the Customer Journey of Crypto-Ransomware.

Cerber is infecting people through infected Word documents and malvertising, among other attack vectors. Unwitting victims are downloading it via ads that appear in popup windows, so make sure your ad- and popup-blockers are up to date. In August, Cerber was launching eight campaigns every day, and successfully infected 150,000 users worldwide in that month alone.

Sounds pretty lucrative, right? Well, if you think raking in the dough as a ransomware writer sounds like the life for you, "being a people person" probably isn't the skill you plan to develop. But, if you're going to succeed in the hectic business of ransomware, great customer service skills are a must to avoid lost revenue and disappointed victims.

F-Secure was so intrigued by this phenomenon that it decided "to see which crypto-ransomware family offers the best (or, more appropriately, least worst) customer journey from start to finish." To find out who "wowed" their victims and which crypto-blackmailers were just embarrassing customer-service trainwrecks, the researchers set up their own secret-shopper experiment.

Ransomware spreads like wildfire from offices to homes, usually arriving in email attachments (or over infected networks) to aggressively encrypt all your files (including drives, Dropbox files and all locally connected, network-attached or cloud-based storage) while an ominous onscreen timer demands payment within 72 hours.

Mess with the files or decline to pay and forget about ever opening them again.

This would be a golden ticket for ransomware gangs if everyone paid up, but not everyone does. Security company Bitdefender found in its recent white paper, Ransomware, a Victim's Perspective, that only 50% of ransomware victims pay up. Plus, because the malicious software typically goes after people who aren't tech-savvy, the extortioners need to establish communication and trust in order to collect payment in the end.

Enter ransomware's bizarre legacy for customer support. Out of necessity, many different exploit kits (or flavors of ransomware) and the authors behind them have turned their focus to improving the customer experience.

In 2013, ransomware strain CryptoLocker became famous for both its "bastard and fiendish" pervasiveness and its superb, patient and attentive customer support. The malware's authors frequently appeared on forums to help their victims work through technical issues. They'd also help them out with things like troubleshooting MoneyPak transaction codes. A year later, a strain called OphionLocker was noted for identifying each new infected computer so that the extortionists could avoid ransoming the same victim twice.

F-Secure found this intersection of malicious criminal activity and helpful customer service so intriguing, they created "Christine" to evaluate ransomware user support and service quality, including things like "hand-holding" and try-before-you-buy options.

Christine wasn't a real person, but boy did she get owned by ransomware. "Christine Walters is married, in her 40s, with a full-time job and children," the study said. "She's not into tech and knows next to nothing about ransomware, Bitcoin or security issues in general. She's inquisitive, though, and now that she's encountered ransomware for the first time, she wants to know more about it."

Under the cover of F-Secure's study, our sympathetic and extremely unlucky heroine Christine got her computers infected by five different ransomware groups. "We then attempted to contact, as Christine, the gangs behind each of the malware samples using their support channels," the report said. What's more, "a nontechnically oriented person carried out the actual interactions."

Christine made a lot of interesting discoveries in her customer journey. In 100% of the ransomware predicaments she found herself in, the deadline to pay for file decryption could be extended. And the gangs were willing to negotiate the price: "Three out of four variants were willing to negotiate, averaging a 29 percent discount from the original ransom fee."

In the end, the hands-down winner for outstanding customer experience was Cerber. The ransomware ranked high in every category. F-Secure rated it highly for professionalism, noting that its web pages were clean and organized.

According to Christine's experience with Cerber, its convenient support form got quick responses to her queries -- "always the same day and sometimes within minutes." Direct engagement being key to every forward-facing product's success, it's no wonder Cerber is coming out on top.

Critiques included the design of its ransom screen, which needs improvement, and it fell slightly short with Christine's hand-holding needs, at least in comparison with the Jigsaw ransomware support agent, who told Christine at the end of their conversations that they were glad her files were safe and advised her to get a good antivirus.

Erka Koivunen, cyber security adviser for F-Secure, nailed it when she concluded: "The customer-care that the criminals provide appears to be effective and something that many legal web shops and more traditional businesses could take lessons from."