Ransomware: To pay or not to pay?

By Peter Stancik posted 30 Oct 2015 

The recommendation by the FBI that victims of ransomware pay up to have their files decrypted created a buzz among IT folks of all kinds. It’s time to ask: Should paying the ransom really be considered an option?
Joseph Bonavolonta, an assistant special agent with the FBI, speaking at the Cyber Security Summit 2015 in Boston, surprised the audience during his presentation: “To be honest, we often advise people just to pay the ransom, because the ransomware is that good.”
The FBI’s recommendation seems to be in stark contrast with the position of the IT security industry, which believes that “paying the ransom should not be an option”.
Don’t get me wrong, we do not claim that there is no chance that paying the ransom would indeed buy the victim the decryption keys and prevent the huge damage of losing their data.
What’s wrong, however, is to consider paying the ransom as an alternative to prevention. Dealing with extortionists is different from dealing with, for instance, the traffic police. You might think you can save time by speeding and consider the risk of paying a fine a better option than being late to a job interview. That can seem reasonable and legitimate to you (don’t tell this to the cops).
In such a case you can be sure that paying the fine solves your problem. But when paying the ransom, you can quite easily end up empty-handed, with your bitcoins gone and your files still encrypted.
Another reason for favoring prevention over paying the ransom is that in most cases the former requires no significant effort. Prevention in this case means that internet users adhere to basic principles of safe behavior (including keeping their systems and installed software fully patched and updated) and that a data backup and recovery solution is implemented and fully functional.
Doing so not only helps to avoid falling victim to ransomware attacks, it also helps to keep other threats at bay (from viruses, through employees going “mad”, to natural disasters).
Europol, the law enforcement agency of the European Union, considers ransomware the greatest threat in its latest issue of Internet Organised Crime Threat Assessment; the FBI said earlier this year that between April 2014 and June 2015 it had received nearly 1000 complaints related to CryptoWall, one of the most prolific forms of ransomware, with total reported losses around $18 million; and according to a panel discussion at Georgetown Law’s Cybercrime 2020: The Future of Online Crime and Investigations conference in December 2014, ransomware represents the future of consumer cybercrime.
Undoubtedly, ransomware is on the rise. But it still represents only a fraction of the threats that the systems and data of both organizations and consumers face. This is why the idea of “At worst, we’ll pay up the ransom” is so bad. The ransom should not be thought of as the price of a very special form of security audit.
Remember: it’s not a “mere 500 bucks” that is at stake. It’s your data that can be lost, your customers that can lose their trust in you, your compliance that can be questioned, and …
Do you really wish to see yourself totally dependent on ‘cybercriminals’ customer service’?
If not, stop considering the ransom an option and improve your IT security and resilience.