Ransomware scum are investing in customer service processes to get more people paying, according to McAfee's lead scientist and principal engineer Christiaan Beek.

Speaking at the RSA Pacific and Japan conference in Singapore today, Beek said that ransomware victims share stories of their experiences handing over bitcoin. If those stories describe difficult processes, ransomware scum have figured out they become a disincentive to pay.

Some have therefore added prominent help features to the sites they use to collect ransoms, even going so far as to offer real-time help.

Impressively comprehensive instructions on how to acquire Bitcoin are another item he sees more of, as they make it easier for victims to pay up.

Those efforts aren't necessarily paying off for ransomware creators: Beek said McAfee and law enforcement agencies alike are getting better at tracing those who use and trade in the cryptocurrency. Criminals are responding, he said, by quickly converting their hauls into a second cryptocurrency in an effort to secure their ill-gotten gains.

Once their funds are secure, Beek said they go on holidays: July and August see a decline in the release of new ransomware variants, as does Christmas time.

Beek also shared some of the experiences he's had participating in the No More Ransom Project, an effort to offer decryption tools and education on ransomware. He told the conference the site is under constant attack, especially when new and potent ransomware outbreaks occur and the crooks behind them attempt to make it hard for victims to find information on how to fight back.

Plenty of attacks on the site are unsophisticated. AWS hosts the site and the company's senior security and compliance consultant Ben Potter told the conference plenty of attackers use either known bad IP addresses or lack the wit to change user agent strings to values that don't give away their intentions.

AWS nonetheless keeps the site simple. Most of its content is static files served from its S3 storage service and web server use is kept to a minimum to keep the site's attack surface small. ®