Web Gateways,
Redefined.

Designed for Distributed. Built for the Cloud.
Delivered as a Service.

Blog

Understanding the Keys to Writing Successful Ransomware

It’s ironic that we have to look to the authors of ransomware for examples of some of the leading aspects of software engineering. And while what they are doing is reprehensible and criminal, they ply their trade with improvements in customer service, using the cloud to package their programs, and excel at understanding the psychology of their ultimate victims. With all this effort going towards developing malware, it isn’t that surprising that this category has become very adept at making money. Perhaps legit software vendors can learn from some of these experiences, while hopefully avoiding some of the darker forces. There are also some important lessons from these activities that IT folks can learn to help better defend their networks.

First, there is using the cloud. We have already written about how several ransomware authors are making use of the cloud to deliver some of the key elements of their code. The malware authors deploy a NW Javascript library that appears harmless, but allows access to operating system functions to better control their target PCs. This ups the ante in terms of danger and also complicates efforts to protect such infected computers. A second aspect of using the cloud is how some ransomware samples download their initial infection from a series of shared Google Docs accounts, to try and make these sources more difficult to track.

But coding prowess is just one side of the ransomware effort. Another is the ability to exploit human psychology and social engineering. One group researching the underlying operations of Cryptowall found that the ransomware was advertising different pricing at different geographical locations. For instance, for victims in the US, the fee was several hundred dollars higher than the fees for countries like Russia, Mexico and Israel. This demonstrates that the purveyors of malware understand median incomes and will change demands when their victim’s locale calls for it.  If the ransom isn’t paid on time, it doubles.  This shows prior criminal experience and understanding of how we all think: act now to pay less!

Another part of the underlying Cryptowall infrastructure is how it exploits the Bitcoin payment network, moving money from collector accounts until it’s ultimately out of the network and presumably into the criminal’s own bank for final payment.

Finally, there is the built-in live chat support. Many legit apps and SaaS-based services now come with live operators who will enter into text chats with end users to help them solve any problems and answer questions on how to pay their ransoms. A ransomware sample called Jigsaw now offers this chat “feature” to better collect their ransoms from their victims. “By providing a human voice to go to and by making the process of paying the ransom easier, the purveyors of the new Jigsaw variant appear to be trying to convince users into paying up,” according to Trend Micro researchers that first uncovered the chat routine. Jigsaw also exploits some social engineering of its own, starting off by locking just a few files and then adding more to its encrypted repository if the victim hesitates to pay the ransom.

The malware authors offer “better support than [users] get from their own Internet service providers,” says Angela Sasse, a psychologist and computer scientist at University College London who is quoted in this Nature magazine article. She says that many of the victims of ransomware rave about the customer service and support they got to pay their ransoms.

All of this shows that ransomware is attracting more professional developers, as the funds collected from their malware efforts are also attracting more ill-gotten gains. It’s too bad that all this coding couldn’t be used for good rather than evil.


Read about improving your defenses agains Ransomware and other evasive threats