The previous post described how one of my clients had been hit with the Locky file-encrypting ransomware. After evaluating the options, the decision was made to pay the ransom in exchange, hopefully, for the program that would recover the files. This turned out to be a little challenging.
The ransom demand tries to be helpful, but it does say, “it’s not yet easy to buy bitcoins,” and lists several recommendations for sites that will sell bitcoins.
Of course, we wanted to move as quickly as possible. Not only did we want to regain access to the files, there’s no telling how long the ransom website on the dark web would be around to provide the decrypter. Ideally, we wanted to buy bitcoins online with a credit card. The recommendations suggested that cex.io would accept Visa and Mastercard, so we started there first.
Registering a new account at cex.io involves verifying your email address, which is a pretty familiar process. Unfortunately, the validation email took over 12 hours to arrive. Not being able to send emails quickly didn’t inspire much confidence in a site that wanted to handle our money. By the time their email arrived the next day, we’d moved on to a different site.
Still in search of a site that would handle transactions quickly in the U.S., we found Coinbase (and later wished we’d never heard of them). Although they use direct bank account transfers instead of credit cards, their web site outlines just two steps: “After you sign up, connect your bank account. You’ll need to complete some verification steps before you can use the account. Once the verification steps are complete, you can start a purchase” and “After starting your first purchase, we’ll complete your buy and deliver your bitcoin.”
Based on their claims, we expected to be able to complete a purchase as soon as the bank account was verified. Wrong! Verifying the account was quick, then the sneaky tactics kicked in. The purchase proceeded smoothly, right up until the point when we’d committed the transfer and expected to get our bitcoins. Instead, the web site and the confirmation email both showed that the bitcoins would be credited to the account three days later, on Friday. (Which ultimately turned out to be another lie.)
Of course, there’s no mention anywhere before that point that there will be a delay. Re-reading their two steps to purchase bitcoins, they don’t actually say when they will “complete your buy”, just sometime “after starting your first purchase.” They leave out the 3- to 6-day delay and mislead you into making the wrong assumption.
Then it gets worse. Probably knowing that customers would be upset by this bait-and-switch, there’s a friendly button right on the confirmation screen offering to let you “get your bitcoin faster” by linking a credit card to your account. This is a featured called instant buy. “Instant buy” sounded like what we wanted, and we had wanted to just use a credit card from the outset. We foolishly took the bait, again, and provided our credit card info. Did we get our bitcoins any faster? Of course not.
Not only did we get a message congratulating us with the “good news” that our instant buy limit had been increased (to a fraction of the purchase amount we had made), their customer support responded to our complaint by telling us that “[a credit card] does not retroactively make an existing order complete instantly. It only applies for orders placed after the credit card was added.” This appears to contradict the help pages on their site and definitely contradicts the solicitation to get our bitcoins faster. But there’s so much misdirection and double-speak that it’s hard to tell what’s real. We concluded that the multi-step ruse was mainly to trick us into providing as many payment methods as they could get.
Somewhere around Thursday, the date shown that we’d get our bitcoins changed from Friday to Sunday. There was no notification email about this additional delay, nor any reason visible on the web site.
All day Sunday, the status on the site for our purchase was listed as “arriving today”. Keep in mind that the company is in California, and in the same time zone as my client. So there shouldn’t have been any confusion due to time zones. But, as you probably anticipate by now, this was another lie. No bitcoins arrived on that day.
The bitcoins were credited to the account on Monday morning. While we would never recommend doing business with Coinbase because of the way they choose to treat their customers, at least we were ready to move to the next step. Part 3 (coming soon) will describe what happened when we paid the ransom.