In roughly a decade, ransomware has become the weapon of choice for cybercriminals looking to extort money from their victims. It’s easy to think of the people behind these crimes as ruthless villains. But as one recent study shows, even ransomware groups are now becoming aware of the importance of giving people great customer experience (CX).
Security company F-Secure recently wrote a report called "Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It". According to F-Secure, the ransomware industry has evolved to the point of having CX that would rival many small businesses. This CX includes features such as websites that support several languages, well-written FAQs, customer support forums and even customer service agents who will quickly reply to queries.
F-Secure decided to investigate the oxymoronic-sounding case of criminal customer service with an experiment. F-Secure had their labs create a victim persona called "Christine Walters", a married woman in her 40s with a full-time job and children. Christine is not into tech, but she is naturally inquisitive and wants to understand more about what's happening following her encounter with ransomware.
F-Secure took poor Christine and had her reach out to five active ransomware groups (Cerber, Cryptomix, JigSaw, Shade, and Torrent Locker). F-Secure then mapped out Christine's customer journey, evaluating the CX of each of them.
Looking first at the ransomware groups' user interfaces (UI), F-Secure used a nine-point scale which measured "professionalism", "informative and instructiveness", "language support" and whether or not free trial decryption was offered, finding Cerber to have the best UI.
Cerber offers its victims professional-looking webpages with support for twelve languages. Cerber's pages include a home page with current ransom price and deadline countdown, a FAQ, a support page, a messaging forum and free trial decryption page, giving it an 8.5/9 on F-Secure's scale.
When it came to service, Jigsaw, the ransomware group with the lowest rated UI, had the best customer service. The initial ransom had been set at USD $150 worth of Bitcoin, but after talking to Christine via email, the agent reduced it to $125 and also chose not to increase it to $225 when Christine missed the payment deadline. The agent also was happy to assist Christine in making the Bitcoin payment, finding a suitable vendor for her location and giving step-by-step instructions on how to do it. The agent even granted Christine an extension when she explained that she had plans for the weekend.
F-Secure's CX reviewer was surprised at the level of customer service Christine received from Jigsaw. “It felt like I was dealing with a customer service agent from a legitimate business,” the reviewer said. “It seemed like he [the agent] wanted to solve the case in a way that would work out best for me. Of course, ‘best’ would be never to have had files ransomed in the first place.” Using an 11-point scale that evaluated "support channels" and "negotiating", F-Secure awarded Jigsaw 9 points. Cerber only scored a 6, suggesting that when it comes to ransomware, there is no correlation between UI and customer service. Another key finding was that all of the groups were willing to grant extensions on deadlines and that three out of four of them were able to offer discounts. Only one group, Torrent Locker, failed to respond to Christine's request for a discount.
The first cases of ransomware appeared in Russia in 2005 and steadily rose until 2016 when there was a massive spike in attacks. According to SonicWall's GRID Threat Network, there were 3.8 million attacks in 2015 and 638 million in 2016, an increase of 1670%.
2016 may have been The Year of the Ransomware, but 2017 is already looking likely to eclipse it. Looking at data for the first quarter of 2017, Kaspersky estimates that ransomware attacks have already risen 250% on the amount seen at the end of 2016.
In May, the U.K.'s National Health Service and thousands of other organisations and businesses globally were hit by a ransomware called WannaCry, causing damage ranging from $1.5 to $4 billion. A month later, ransomware struck again with Petya – and lookalike "NotPetya" – infecting thousands of computers worldwide.
There is a tendency for businesses to think they are "too small" (50 employees) or "too remote" (for example, in Australia) to be targeted by ransomware, and both are untrue. Malwarebytes recently released its "Second Annual State of Ransomware Report" by Osterman Research, which surveyed over 1,000 companies and examined attack frequency, costs, payments and the overall impact of attacks on small-to-medium businesses (SMBs) around the world.
“Businesses of all sizes are increasingly at risk for ransomware attacks,” said Marcin Kleczynski, CEO, Malwarebytes. “However, the stakes of a single attack for a small business are far different from the stakes of a single attack for a large enterprise. Osterman’s findings demonstrate that SMBs are suffering in the wake of attacks to the point where they must shut down operations. To make matters worse, most of them lack the confidence in their ability to stop an attack, despite significant investments in defensive technologies. To be effective, the security community must thoroughly understand the battles that these companies are facing, so we can better protect them.”
Osterman found that while over a third of the 175 Australian SMBs surveyed use anti-ransomware software, 31% had experienced an attack. Of those that had been attacked, 81% faced demands of U.S. $1000 or less. However, the larger problem is disruption, with 22% of those attacked having to cease operations and 18% seeing a loss in revenue as a result. When it came to making payments, Australian SMBs tended to pay more often than their European counterparts, paying 55% of the time. This is much higher than the amount of payments seen in France (16%) and Germany (17%).
The research found that while Australian SMBs are deploying a range of solutions to address ransomware threats, more needs to be done to combat the challenge. And when criminal organisations become sophisticated enough to provide CX that rivals some legitimate SMBs, it's officially time to start panicking.