Some ransomware operators might have found a new way to monetize their work.
Ransomware—malware that locks a victim's files and demands a payment to get them back—has become so common that experts believe it's now an "epidemic."
Security experts have always assumed that ransomware hackers are in it for the ransom. But a shocking claim made by one ransomware agent suggests there may be another motive: corporate sabotage.
In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company.
"We are hired by [a] corporation to cyber disrupt day-to-day business of their competition," the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure.
"The purpose was just to lock files to delay a corporation's production time to allow our clients to introduce a similar product into the market first."
Ransomware is an attractive endeavor for cybercriminals. By asking for relatively low amounts of money from victims—as low as $150 or $400—it has a high rate of success. And by targeting thousands of internet users indiscriminately, it scales really well. But if this operator's statements are true, it seems like a gang of cybercriminals has found a new way to get paid twice: once by ransom, and once by companies to disrupt their competitors.
The operator thought they were talking to just another ransomware victim, but it was actually an F-Secure researcher posing as "Christine Walters," a fake persona of a 40-year-old from Finland who knows little about computers and nothing about ransomware.
F-Secure researchers used "her" to contact the operators and support agents of several ransomware families. (Ransomware operations now commonly have "support portals" where victims can get help understanding how to unlock their files or how to use bitcoin to pay the ransom.)
In their exchanges, the ransomware agent told "Christine" that they were surprised she got infected because their operation was targeting specific victims chosen by a corporate client.
"I don't even know how you got it," the agent said. "Never have we done anything in Finland."
The agent never gives too many details, just tantalizing hints. At one point, they say that "the purpose was just to lock files to delay a corporation's production time to allow our clients to introduce a similar product into the market first."
"Yes, big name corporation. Fortune 500 company. What I still don't understand is that the target is in the USA and you and another person in Finland got the email and the client always gives us the contact emails so you are on someone's mailing list," the agent told "Christine," according to F-Secure.
I tried reaching out to the agent via email, but didn't get an answer for days. When I prodded them again for an interview, I simply got a short response: "I decline. Thank you."
The agent's claim that the gang was getting paid by a corporate client to target a specific organization is unprecedented, according to F-Secure.
"If this indeed was a case where ransomware was used on purpose to disrupt a competitor's operation, it's the only case we know of," Mikko Hypponen, the chief research officer at F-Secure, told me in an email.
In their last message with "Christine," the agent says their gang does a lot of for-hire jobs, and even offered "Christine" some advice on how to stay more secure.
"It's not just corporations. Politicians, governments, husbands, wives. People from all walks of life contract us to hack computers, cell phones, etc. Once again I believe you are on the wrong contact list because we have no customers in Finland and we don't target individuals with family photos or music on their system. It's usually something much more complicated than that," the agent said. "You were lucky. If the virus would have been a self-destruct virus your computer would have crashed beyond recognition. Get a good antivirus."
Without knowing who the actual target was, and without more details from the agent, it's impossible to verify this story. Still, given the situation, the agent didn't really have many reasons to make it up.
"We have no way of confirming the claims of the operator," Hypponen said. "But I don't know why he would lie about something like this during a random chat with one of their victims."
If this is true, the ransomware epidemic is about to get even nastier.