JIGSAW Crypto-Ransomware Turns Customer-Centric, Uses Chat for Ransom Attempts

Good customer service is part of running a successful business. It shouldn’t be a surprise that even crypto-ransomware purveyors are now thinking of ways to make the process of paying for crypto-ransomware easier. The innovation brought forth by some new JIGSAW variants? Instead of using dark web sites, it communicates to the user via… live chat.

The threats displayed by these new variants (detected as Ransom_JIGSAW.H) are similar to those shown by the earlier JIGSAW variants:

Figure 1. JIGSAW ransom note

One big difference should be apparent: there is now a link which appears to go to a live chat session:

Figure 2. JIGSAW live chat

The attackers actually have people standing by to answer questions. To see how far they’d go, we posed as New York-based employee whose office PC had been hit by JIGSAW–our responses are on the left, the cybercriminal on the right. Both responses are unedited.

How can I help you

can you really decrypt my files?

yes
its automatic
on payment is received all you have to do is click that you made payment
and the system will verify instantly

why are you guys doing this to us?

I am here to help you get your files back.
Let me know if you need any other instructions or help

im doomed!
my boss gonna fired me

all you have to do is pay $150. New york has Bitcoin atms
or you can visit http://ift.tt/17qUAEO

thats too much for me

sorry. depending on the amount of files encrypted it doubles to $300 after 24 hours and $450 after 72
it doesnt happen to all computers it depends on the file size encryption

is there a way to lower na payment?

We can do $125
that the minimum
and that is within 24 hours

let me see if i can work this with my boss

just send a message if we are not online we will come back online within 10 minutes
And we do decrypt all you files
100%
you have to message me when you make the payment so I can accept the $125 into the system if not it will tell you you haven’t payed enough. Each wallet is unique to the computer so I can verify instantly

The cybercriminals behind this JIGSAW variant didn’t build their own chat client; instead they used onWebChat, a publicly available chat platform. A script that calls the onWebChat client is embedded in the website. The connection to onWebchat’s servers is protected with SSL/TLS, making packet capture and interception more difficult in the absence of a proxy intercepting encrypted traffic. We have reached out to onWebChat and informed them of this issue.

Interestingly, the cybercriminal on the other end of the chat conversation doesn’t actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine–if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user’s honesty when it comes to finding out how much ransom should be paid!

There are some perverse incentives at work for cybercriminals to decide to focus on their “customers” (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized–something we do not encourage.

One more thing to note. While looking into the site hosting this instant chat, we found a second piece of malware that used the same site. This one, however, was “only” lockscreen malware, which can be bypassed and removed by booting into safe mode.

Figure 2. JIGSAW-related lockscreen

The overall similarity (same website, use of the “Ransom ID”, identical ransom demand) leads us to believe that only one threat actor is responsible for both attacks.

This kind of “customer-centric” approach to ransomware is unusual, although not entirely unprecedented. For example, a previous CTB-Locker variant decrypted some of the user’s files for free.

Trend Micro Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well asTrend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

Files with the following SHA1 hashes are associated with this attack:

71670ac6e52967b547d311df8cfb0172cbcd23c7
ca84c5ec27f84348be84e971c85fe52f678ca8da