Negotiating Lower Ransomware Costs
Wednesday, June 3, 2015 @ 02:06 PM gHale
New ransomware of Russian origin keeps a communication channel open with its victims to deliver payment instructions.
Troldesh ransomware, also known as Encoder.858 and Shade, fully encrypts every file it processes, from content to name and extension, said researchers at Check Point.
It spreads via spam email and begins locking up data as soon as a victim opens it, changing each file's extension to XBTL. Right after that, a ransom message appears and instructs the victim exactly what to do.
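The mass renaming described above, many files switched to the XBTL extension on one host in quick succession, is something a defender can alert on. The following is an added example, not Check Point's code or anything from the article: a sliding-window burst detector run over constructed file-rename log lines; the log format, host names, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed file-event log lines (not from the article): time, host, action, src -> dst.
SAMPLE_EVENTS = """\
2015-06-03T14:00:01 ws17 RENAME C:/Users/a/Docs/budget.xlsx -> C:/Users/a/Docs/k3j9x.xbtl
2015-06-03T14:00:02 ws17 RENAME C:/Users/a/Docs/report.docx -> C:/Users/a/Docs/p0q1z.xbtl
2015-06-03T14:00:02 ws22 RENAME C:/Users/b/Docs/plan.pptx -> C:/Users/b/Docs/old_plan.pptx
2015-06-03T14:00:04 ws17 RENAME C:/Users/a/Docs/photo.jpg -> C:/Users/a/Docs/photo.jpg.bak
2015-06-03T14:00:05 ws17 RENAME C:/Users/a/Docs/notes.txt -> C:/Users/a/Docs/m7v2c.xbtl
2015-06-03T14:10:00 ws22 RENAME C:/Users/b/Docs/memo.txt -> C:/Users/b/Docs/q8r4t.xbtl
"""

# Assumed log layout: "<ISO timestamp> <host> RENAME <src> -> <dst>".
EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def is_xbtl_rename(dst: str) -> bool:
    """True when the destination carries the XBTL extension the article names."""
    return dst.lower().endswith(".xbtl")


def detect_xbtl_bursts(log_text: str, window_seconds: int = 60, threshold: int = 3) -> dict:
    """Return {host: timestamp of first alert} for every host that produced at
    least `threshold` renames to .xbtl inside any `window_seconds` window.
    A single .xbtl rename is not alerted on; the burst is the signal."""
    recent = defaultdict(deque)  # host -> timestamps of recent .xbtl renames
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts_text, host, _src, dst = m.groups()
        if not is_xbtl_rename(dst):
            continue
        ts = datetime.fromisoformat(ts_text)
        window = recent[host]
        window.append(ts)
        # Drop events that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and host not in alerts:
            alerts[host] = ts_text
    return alerts


if __name__ == "__main__":
    for host, when in detect_xbtl_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: burst of renames to .xbtl by {when}")
```

On the constructed sample only ws17 trips the alert; ws22's lone .xbtl rename stays below the threshold.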
In most cases the bad guys take a “pay this ransom or else” approach; however, in an attempt to maximize profits and give affected users clear instructions, some ransomware operators, Troldesh's among them, offer a way to communicate.
They use it to deliver payment details and to offer proof that they really can decrypt the locked data, in case a victim doubts them.
Check Point researcher Natalia Kolesova tried that maneuver and got the bad guys to offer a discount from the initial $278 ransom demand. After complaining that she could not afford to pay, she got the price lowered to $131, payable via the QIWI money transfer system.