
Ever since the first large-scale ransomware attacks started targeting individual users, companies, and government institutions, the primary malicious actor has usually been a hacker or a hacker collective. More and more victims now browse the web looking for a way to get rid of the threat without paying the ransom, a trend which has given rise to several new criminal schemes. Malicious users now pose as “cybersecurity experts” and promise to rid the victims of infections for a stipulated fee that often exceeds the ransom sum quoted by the malware. In this article, we look further into the matter.

Every Scam Begins With The Infection

Every scam scheme begins with a prerequisite – in our case, this is an active ransomware infection. In many cases, the infection route begins with a social engineering trick. This is a very efficient approach in comparison to direct hacker attacks: a new report states that 76% of organizations report falling victim to phishing attacks. During the infection process, the victim computer is attacked by the virus, and depending on its features, the following consequences can be expected:

  • Data Ransomware – The classic way is to use an encryption algorithm (cipher) to compromise valuable user data. This is usually done using predefined (hardcoded) lists of file types that the encryption engine targets. Example data may include the most commonly used extensions for photos, videos, music, documents, configuration files, games, and even cryptocurrency wallets.
  • Keylogging – Many of the advanced strains of ransomware also feature keyloggers that actively monitor the victim’s interaction with the computer by observing their mouse movements or keystrokes. Hackers use this strategy to capture account credentials for sensitive sites such as online banking services, email inboxes, and social networks.
  • Installation of Additional Malware – Many advanced ransomware strains are able to install additional malware onto the victim computer.
  • Remote Arbitrary Code Execution – In many cases, the ransomware variants contact a remote Command & Control (C&C) server that can be used to launch various commands on the infected machines. In practice, this means that the hackers can obtain remote control of the system. Such hosts can therefore be easily recruited into a dangerous botnet following a ransomware infection.
  • Screen Locker Usage – Upon infection, the virus locks the computer and prohibits any ordinary interaction until the ransom sum is paid.

As we all know, the ransomware strains are not operated by friendly actors. In many cases, we observe that the hackers who launch them use blackmail and extortion tactics to force the victims to pay a ransom fee. Depending on the infection, there are two primary methods used to extort the payment:

  1. Direct Sum Request – The exact sum is specified in the ransom note. In the last several months, we have seen timers, screen lockers, and other types of blackmail techniques in use.
  2. Private Sum Request – In this case, the victims need to contact the criminal operators of the virus to negotiate the ransom sum directly. The hackers may opt to review the affected data, and if it contains a lot of sensitive information, a larger than ordinary sum may be requested.

We would like to remind everyone that this is a very serious threat. Upon infection, the victims can choose one of the following options:

  1. Pay the ransom fee to the hackers – We do not recommend this option. In many cases, the victims do not receive any help at all, and as the payments are made using a cryptocurrency, the paid sum cannot be traced or recovered.
  2. Use anti-spyware solutions – These are specialized software products created to fight ransomware infections. Their signature sets are updated constantly, and they can actively prevent current and future threats by using advanced heuristic techniques.
  3. Use available decryptors for the malware family – Often, when a ransomware family contains a weak spot in its encryption engine, experts find it and create freely available decryptors that can restore the victim’s files. However, if the malware itself possesses advanced features like keyloggers, these cannot be removed by the decryptors. In these cases, the victims need to employ anti-spyware solutions.
  4. Attempt to remove the threat by themselves – Computer users may attempt to remove the virus themselves if they know how it behaves. In many cases, this does not lead to an effective removal.

The Ransomware Decryption Scam

As it turns out, computer criminals have attempted to continue their dangerous tactics by confusing the ransomware victims. This is done by posing as legitimate cybersecurity companies or experts that have the skills to restore files and remove active infections without using software solutions. The fraud can easily be spotted when they request a sum that is bigger than the one extorted by the ransomware. Many victims have already reported being contacted by such people on the web. It is very possible that these scammers are actually the same people who control some of the malware infections themselves. There are several ways of spreading this scam:

  • Counterfeit profiles and companies – Criminals can set up fake cybersecurity expert profiles and even create establishments that pose as regular companies. They advertise their services as being able to decrypt even the encryption ciphers used by ransomware such as Osiris (removal instructions available here) and Thor.
  • Direct contact – The “experts” contact the victims directly, offering their services in return for a “repair fee” that exceeds the ransom fee. Most experts assume that these people simply buy the decryptor from the hackers and keep the rest of the money.
  • Advertising on security communities – Many of the hackers use aggressive marketing tricks by posting comments, links, and information related to their “services”.

By reading some of the testimonials, we can conclude that the hackers have created counterfeit cyber security companies. They usually have a legitimate-looking web site and look like any other business. We assume that this is a new business model that is being tested by the criminals. At the moment, the malicious operators are using the famous virus families and their descendant variants, as these generate the bulk of the infections.


Always do what’s right – rely on quality sources, especially when it comes to security. Anti-spyware utilities with advanced features and high-quality, up-to-date signature sets are the best weapon against all types of malware infections and attack campaigns. You can read an article on this topic here.


About the Author: Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion. He mainly contributes to the Best Security Search website.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.