In desperation, many ransomware victims plead with attackers

TeslaCrypt creators negotiated with victims, earned over $76,000 in two months

Hand on keyboard

Hand on keyboard

The shamelessness of ransomware pushers knows no bounds. After encrypting people's files and then holding them to ransom, they portray themselves as service providers offering technical support and discounts to their "customers."

Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.

They are tales of desperation: a father who's struggling to survive "in this expensive world" and has been robbed of his baby's pictures; a company's employee who lost business files to the malware and now fears losing his job; a housecleaning business set up by maids who can't afford to pay the ransom; a person who has no money and now can't even file his tax returns because of the malware; a non-profit that raises money for curing blood cancer and pleads for a refund.

Other messages reflect the frustration of people who don't have the technical skill to obtain bitcoins -- the TeslaCrypt ransom is typically $550 if paid in Bitcoin cryptocurrency or $1,000 if paid with PayPal My Cash cards.

In some cases the attackers agreed to lower their demands, most likely not because they empathized with the victims, but because smaller payments were better than no payments at all.

When someone said they could only afford to pay $100 the attackers responded that the minimum possible price is $250. However, in a different case they offered to restore someone's files for $150.

Other people paid, but they could still not recover all of their files, the messages show. For example, someone had a computer with two file-encrypting ransomware programs installed on it. Decrypting the files affected by TeslaCrypt didn't help because the files had already been encrypted by the other program. In another case someone complained that they can only decrypt files located on the C: drive.

Ironically, the advice the attackers gave to some paying victims was to back up their encrypted files before attempting to decrypt them with the provided tool. "To avoid losing data," they said.

This highlights the importance of having a solid data backup plan in the first place. Files should be backed up regularly to storage media that is not always connected to the computer and which can only be accessed after additional authentication. Otherwise, in case of a ransomware infection the backups might get encrypted as well.

The FireEye researchers discovered and tracked 1,231 Bitcoin addresses used by the TeslaCrypt gang between February and April. TeslaCrypt generates a unique Bitcoin address where the ransom must be paid for every infection, meaning that each of the 1,231 addresses represents one victim.

After analyzing transactions involving those addresses, the FireEye researchers believe that 163 victims, or 13 percent, paid the ransom in Bitcoin. Another 20 victims paid with PayPal My Cash cards. The transactions show the TeslaCrypt gang earning $76,522 between Feb. 7 and Apr. 28, 2015.

By comparison, another file-encrypting ransomware program, called Cryptolocker, is estimated to have earned $3 million for its creators during nine months of operation until May 2014. Another program, called Cryptowall, generated over $1 million in ransom payments during a six-month period in 2014.

One good piece of news is that researchers from Cisco Systems recently developed a tool that is capable of decrypting files affected by some TeslaCrypt versions without having victims pay a ransom.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Cisco SystemssecurityFireEyeDesktop securityencryptionscamsdata protectionmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?