Earlier this month, the media covered an FBI presentation on ransomware. What was noteworthy was that the FBI warned that because ransomware encryption is so good, the easiest thing for victims to do may be to pay the ransom to recover their files. Such advice has spurred a debate in the security community about whether it is appropriate to suggest that cybercrime victims pay ransom.
Since the first appearance of CryptoLocker, new variants of extortion-based attacks have been on the rise. Beyond malware, groups such as DD4BC and Armada Collective are using DDoS attacks as an extortion tool, threatening to knock the victim’s website offline unless a ransom is paid. The hacking of source code repositories and cloud services has also provided a means for extortion, as evidenced by the case of Code Spaces last year.
Ransomware, when done right, encrypts files so they cannot be recovered without payment. It is important to note that some ransomware is so poorly coded that victims cannot retrieve their data even if they pay. Such is the case with the recent Power Worm ransomware.
Until recently, many forms of ransomware had weaknesses that allowed for the recovery of encrypted files. In the CryptoLocker case, the private keys were eventually recovered and a free service was developed to allow victims to recover their files. With the proliferation of ransomware variants, efforts to obtain the private keys have unfortunately been unsuccessful. CryptoWall version 4 and the newly observed Linux ransomware, for example, have been making the rounds and, lacking backup files, there is no easy way to recover the encrypted files.
This leaves victims with two choices: pay the ransom to get their files back, or lose their files -- potentially forever.
On one hand, there are those who advise not to pay the ransom because the money funds criminals and perpetuates their activities. On the other hand, because the value of the information is usually much more than the ransom, it can be argued that paying makes good “economic” sense.
An analogy often used to describe ransomware is the mob protection racket. In old-fashioned mob movies, two guys walk into a grocery store saying “Hey, nice store. Would be a shame if something were to happen.” The reason the mob “insurance” scams worked was that the value of the protection was higher than the cost of the insurance -- and the mob delivered on its promises. In the case of ransomware, the value of the data is higher than the ransom, and operators go to great effort to ensure users get their data back. Occasionally there are errors, but in general, people get their data back.
In an ideal world, consumers and organizations would be prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration. Ensuring backups of critical or valuable information has been a best practice for decades. Because reality rarely matches the ideal, here are some key takeaways when dealing with ransomware:
- Avoid announcing decisions to pay the ransom, as it may induce other cybercriminals to launch similar attacks. Such was the case when ProtonMail came under attack and announced publicly that they had paid the ransom. This led to follow-on attacks, likely by other individuals.
- Report the ransom payment details to the FBI’s Internet Crime Complaint Center (IC3) or other law enforcement or security industry contacts. The payment details allow investigators to track the payments to identify the individual behind the ransomware campaigns.
- If you don’t want to report a ransomware attack to law enforcement, consider sending details of ransom payments to bambenek (at) gmail (dot) com so that data can be used to try to identify the criminals behind these campaigns and bring them to prosecution.
Hopefully, the continuing stream of stories about new victims will encourage people to adopt effective backups. The reality is, independent of the debate in the security community, people simply are going to pay the ransom because the economics are soundly in favor of doing so. To use a domestic analogy, if my wedding pictures were only in electronic form and they were encrypted with ransomware, I’d pay the ransom to get those files back – after all, my couch is not that comfortable for a good night’s sleep.
A brief video overview of the ransomware threat is available at Malware: The New Scourge of Ransomware A Study of CryptoLocker and Its Friends. Presentation slides are available here.
- John Bambenek