Is this the new face of malware? According to a recent Geek article, instead of hiding behind a randomly-generated email address for bitcoin transfers, the creators of Troldesh malware required victims to contact them directly for payment details. Security firm Checkpoint did exactly that—and managed to bargain the group down from 250 Euros to just 7000 rubles.
This isn’t the first time in recent weeks malware creators displayed a measure of humanity; as noted by Network World, the creator of ransomware strain “Locker” took to PasteBin for an apology and then automatically decrypted all encrypted files for free. Perhaps malware designers are just lonely, or maybe the market is so over-saturated with infections that compassion is the only way to stand out in the crowd. No matter the case, however, it bodes well for victims. Apparently even bad guys offer good deals when pressed.
It all started when Natalia Kolesova of Checkpoint decided to spin up a test PC and then knowingly allow infection by the Troldesh ransomware. The malware itself isn’t particularly novel or interesting; capitalizing on the success of Cryptolocker and its progeny, Troldesh scans an infected system for any files that might contain personal data or images—like financial documents, photos and videos. These files are then encrypted, and you receive a warning message that you’ve been locked out along with details about how to make payment.
In the case of Troldesh, however, a Gmail address was provided for victims to make contact and request payment details. Posing as “Olga”, Kolesova contacted the Troldesh designers and was told she must pay 250 Euros for decryption. She was also directed to attach a single encrypted file which they would decrypt for free to prove they were acting in good faith. Instead of providing payment, Kolesova attached the file and wrote back, claiming she couldn’t afford the ransom since her job only paid €250 per month. Surprisingly, the attackers not only decrypted the file as promised but wrote back with a better offer: for just 12,000 rubles, all files would be released, which amounts to a 15 percent discount off the original price.
But “Olga” took things a step further. After biding her time, she wrote back again, pleading with the hackers to release her files for free. Their response? If she agreed to pay 7,000 rubles—just 50 percent of the original demand, all her files would be decrypted. Of course, Checkpoint didn’t take them up on the generous offer and published the findings instead: suddenly, hackers are willing to deal.
So why the switch to discussions over outright destruction? In large measure it’s because the malware and ransomware market is changing. Users are familiar with most types of ransomware and it doesn’t scare them the same way it did five years ago — many are also surfing anonymously, using secure VPN services and being very savvy about what kind of attachments they open and files they download. In other words, there just isn’t as much fear. This has led to the development of new threat vectors; for example, in March BBC reported on Teslacrypt, which specifically targeted video games, encrypting players’ saved games and other data until they paid a ransom.
There’s also the Tox ransomware, which allows would-be hackers to easily create a “personalized ransomware platform”. Two weeks ago, the malware made its way onto the Web and a week later the malware-as-a-service platform “exploded,” according to its creator, who says he’s no black-hat genius but just a teenage student—and now wants to sell the platform because “the situation is getting too hot for me to handle.” As noted above, the creator of Locker took the same path: create something infectious and popular and then quickly bow out.
So where does that leave ransomware? In a state of flux. New strains—and tools for removal—are being developed at breakneck speed. The result is a specialization of code along with a willingness on the part of hackers to deal, since victims won’t simply roll over and pay any longer. If Troldesh is any indication, the future of ransomware may look more like haggling than hostage taking.