Good customer service is part of running a successful business. It shouldn’t be a surprise that even crypto-ransomware purveyors are now thinking of ways to make the process of paying for crypto-ransomware easier. The innovation brought forth by some new JIGSAW variants? Instead of using dark web sites, it communicates to the user via… live chat.

The threats displayed by these new variants (detected as Ransom_JIGSAW.H) are similar to those shown by the earlier JIGSAW variants:

Figure 1. JIGSAW ransom note

One big difference should be apparent: there is now a link which appears to go to a live chat session:

Figure 2. JIGSAW live chat

The attackers actually have people standing by to answer questions. To see how far they’d go, we posed as New York-based employee whose office PC had been hit by JIGSAW–our responses are on the left, the cybercriminal on the right. Both responses are unedited.

How can I help you can you really decrypt my files? yes

its automatic

on payment is received all you have to do is click that you made payment

and the system will verify instantly why are you guys doing this to us? I am here to help you get your files back.

Let me know if you need any other instructions or help im doomed!

my boss gonna fired me all you have to do is pay $150. New york has Bitcoin atms

or you can visit www.localbitcoins.com thats too much for me sorry. depending on the amount of files encrypted it doubles to $300 after 24 hours and $450 after 72

it doesnt happen to all computers it depends on the file size encryption is there a way to lower na payment? We can do $125

that the minimum

and that is within 24 hours let me see if i can work this with my boss just send a message if we are not online we will come back online within 10 minutes

And we do decrypt all you files

100%

you have to message me when you make the payment so I can accept the $125 into the system if not it will tell you you haven’t payed enough. Each wallet is unique to the computer so I can verify instantly

The cybercriminals behind this JIGSAW variant didn’t build their own chat client; instead they used onWebChat, a publicly available chat platform. A script that calls the onWebChat client is embedded in the website. The connection to onWebchat’s servers is protected with SSL/TLS, making packet capture and interception more difficult in the absence of a proxy intercepting encrypted traffic. We have reached out to onWebChat and are working with them about this issue.

Interestingly, the cybercriminal on the other end of the chat conversation doesn’t actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine–if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user’s honesty when it comes to finding out how much ransom should be paid!

There are some perverse incentives at work for cybercriminals to decide to focus on their “customers” (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized–something we do not encourage.

One more thing to note. While looking into the site hosting this instant chat, we found a second piece of malware that used the same site. This one, however, was “only” lockscreen malware, which can be bypassed and removed by booting into safe mode.

Figure 2. JIGSAW-related lockscreen

The overall similarity (same website, use of the “Ransom ID”, identical ransom demand) leads us to believe that only one threat actor is responsible for both attacks.

This kind of “customer-centric” approach to ransomware is unusual, although not entirely unprecedented. For example, a previous CTB-Locker variant decrypted some of the user’s files for free.

Trend Micro Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well asTrend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

Files with the following SHA1 hashes are associated with this attack: