If you accidentally install Troldash (via spam email) on your computer, it will encrypt your hard drive and lock up your files. Troldash will display an email address to contact the criminal, who will offer to sell you the key to decrypt your hard drive. Natalia Kolesova, a researcher at the security firm Checkpoint, intentionally installed Troldash on a test machine and engaged in an email exchange with the scammer to see if he or she would negotiate the 250 euro ransom.
Posing as a victim named Olga, the researcher contacted the scam artist, and received a reply with instructions to pay 250 euros to get the files back.
Suspecting the reply was automated, Ms Kolesova pressed for a more human response, asking more details about how to transfer the money, and pleading with the hacker to not make them pay.
Responding in Russian, the scammer offered to accept 12,000 roubles, a discount of around 15%. After Ms Kolesova pleaded further, the email response read: "The best I can do is bargain."
Eventually the unknown man or woman was talked into accepting 7,000 roubles - 50% less than the first demand.
"Perhaps if I had continued bargaining, I could have gotten an even bigger discount," Ms Kolesova concluded.
Brian Krebs offers an in-depth look at a "cashout" service used by ransomware crooks to get money from their victims. Ransomware is malicious software that encrypts your personal files and demands that you pay a ransom for the key to decrypt them; the crooks who run the attacks demand that their victims buy prepaid MoneyPak cards and send the numbers for them by way of payment. But converting MoneyPaks to cash is tricky -- one laundry, which pipes the money through a horse/dog-track betting service -- charges a 60% premium.
* The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.
* The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.
* The guy(s) running this cashout service.
* The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.
How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:
“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price. The price is now 0.6. And also, I explained the rules for returns many times, we return only cheques which return on my side if you cash them out after then we lock the account! There are many clients who don’t return anything, and I will work only with these people now. I warn you.”
Cashout Service for Ransomware Scammers