By Peter Stancik posted 30 Oct 2015
The recommendation by the FBI that victims of ransomware pay up to have their files decrypted created a buzz among IT folks of all kinds. It’s time to ask: should paying the ransom really be considered an option?
Joseph Bonavolonta, an assistant special agent with
the FBI, speaking at the Cyber Security Summit 2015 in Boston, surprised the
audience during his presentation: “To be honest, we often advise people just to pay the ransom, because the
ransomware is that good.”
The FBI’s recommendation seems to be in stark contrast with the position of the IT security industry, which believes that “paying the ransom should not be an option”.
Don’t get me wrong, we do not claim that there is no chance that paying the ransom would indeed buy the victim the decryption keys and prevent the huge damage of losing their data.
What’s wrong, however, is to consider paying the ransom as an alternative to prevention. Dealing with extortionists is different from dealing with, for instance, traffic police. You might think you can save time by speeding and consider the risk of paying a fine a better option than being late to a job interview. It can seem reasonable and legitimate to you (don’t tell this to the cops).
In such a case you can be sure that paying the fine solves your problem. But when paying a ransom, you can quite easily end up empty-handed, with your bitcoins gone and your files still encrypted.
Another reason for favoring prevention over paying the ransom is that in most cases the former requires no significant effort. Prevention in this case means that internet users adhere to basic principles of safe behavior (including having their systems fully patched and updated) and that a data backup and recovery solution is implemented and fully functional.
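“Fully functional” is the part that gets skipped: a backup nobody has ever restored from is a hope, not a control. The following is an added example (my own illustration, not ESET code and not from the original post) of the minimal restore check a practitioner would automate: record a SHA-256 manifest of the source at backup time, later restore into a scratch directory and compare every file against the manifest, and flag the backup as stale when it is older than a chosen age. The sample files, the `data`/`restore` directory names and the seven-day freshness limit are constructed assumptions.

```python
"""Backup verification: a hash manifest plus a restore check (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Record the hash of every file under source_dir at backup time."""
    files = {}
    for p in sorted(source_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(source_dir).as_posix()] = sha256_file(p)
    return {"created": time.time(), "files": files}


def verify_restore(manifest: dict, restored_dir: Path,
                   max_age_days: float = 7, now: float = None) -> dict:
    """Compare a restored copy against the manifest.

    Reports files that are missing, files whose content differs (corrupted,
    or encrypted in place), files that match, and whether the backup is
    older than max_age_days. 'usable' is True only when all checks pass.
    """
    now = time.time() if now is None else now
    report = {
        "ok": [], "missing": [], "corrupted": [],
        "stale": (now - manifest["created"]) > max_age_days * 86400,
    }
    for rel, expected in manifest["files"].items():
        target = restored_dir / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["usable"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then check
    three situations: a clean restore, a stale backup, and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"          # constructed sample source tree
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,500\n")
        (src / "notes").mkdir()
        (src / "notes" / "todo.txt").write_text("patch servers\n")
        (src / "contract.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restore"  # scratch restore target
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored)

        # Same data, but checked 30 days later: the backup is too old to trust.
        stale = verify_restore(manifest, restored,
                               now=manifest["created"] + 30 * 86400)

        # Simulate damage: one file overwritten with different bytes, one gone.
        (restored / "invoices.csv").write_bytes(b"\x00garbled")
        (restored / "contract.pdf").unlink()
        damaged = verify_restore(manifest, restored)
    return {"clean": clean, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "usable" if report["usable"] else "NOT usable", report)
```

The important design point is that the manifest is written at backup time and compared after a real restore into a separate location; comparing the backup medium against itself proves nothing. The manifest itself should live somewhere the backup source cannot overwrite, and the staleness check catches the common failure where a backup job silently stopped running months ago.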
Doing so not only helps avoid falling victim to ransomware attacks, it also helps keep other threats at bay (from viruses, through employees going “mad”, to natural disasters).
Europol, the law enforcement agency of the European Union, considers ransomware the greatest threat in its latest issue of the Internet Organised Crime Threat Assessment; the FBI said earlier this year that between April 2014 and June 2015 it had received nearly 1000 complaints related to CryptoWall, one of the most prolific forms of ransomware, with total reported losses around $18 million; and according to a panel discussion at Georgetown Law’s Cybercrime 2020: The Future of Online Crime and Investigations conference in December 2014, ransomware represents the future of consumer cybercrime.
Undoubtedly, ransomware is on the rise. But it still represents only a fraction of the threats that the systems and data of both organizations and consumers face. This is why the idea of “At worst, we’ll pay the ransom” is so bad. Ransom should not be considered the price of a very special form of security audit.
Remember: it’s not a “mere 500 bucks” that is at stake. It’s your data that can be lost, and your customers that can lose their trust in you, and your compliance that can be questioned, and …
Do you really wish to see yourself totally dependent on ‘cybercriminals’ customer service’?
If not, stop considering the ransom an option and improve your IT security and resilience.