To Pay or Not to Pay – That’s the Ransomware Question

Ransomware is a growing problem for consumers and businesses alike. In Symantec’s most recent quarterly security report, the company’s researchers found all targeted attacks — including ransomware — grew 91 percent year-over-year.

That’s raising a big question for those targeted by cyberextortionists: Should the ransom be paid? Security experts interviewed by TechNewsWorld generally opposed making ransomware payments, but some inserted a caveat or two for consideration before rejecting a ransom offer.

“It’s easy to say you shouldn’t pay the ransom, but you may have to do it to save your business,” said Troy Gill, a senior security analyst with AppRiver.

Still, “I don’t recommend paying the ransom, because there’s nothing keeping these guys from following through on their threats after they receive the ransom,” he observed.

No Guarantees

Paying online extortionists can be a perilous exercise.

“Users who are confronted with ransomware should never pay the ransom,” said Tod Beardsley, an engineering manager at Rapid7.

“There is no guarantee the attacker will make good on the promise of releasing data or control after the ransom is paid,” he explained, “and the attacker has every incentive to simply wipe the drive remotely anyway in order to cover his tracks.”

Moreover, ransomware usually isn’t planted by itself on an infected machine.

“If users have ransomware, it’s virtually certain they are hosting keystroke loggers as well,” he said.

Nevertheless, a consumer or user may have their back against the wall and have no choice but to pay a ransom.

“However, keep in mind that there is no guarantee paying the ransom will actually result in the bad guys holding up their end of the bargain and giving you back your data, and it also does nothing to prevent your system from being compromised again in the future,” cautioned Greg Martin, cofounder and CEO of ThreatStream.

Variations on a Theme

The backers of Cryptolocker, a ransomware strain that encrypts much of the data on the computers it infects, have a checkered record of providing the keys needed to decrypt files after a ransom is paid, but newer strains, like Cryptowall, are better about delivering what’s necessary to recover files held for ransom.

“The developer has little motivation to not provide the decryption key after a ransom is paid, because if word gets out that paying doesn’t get your data back, people will stop paying,” said Matt Willems, an engineer with LogRhythm Labs.

The strain of ransomware a target is infected with should influence the decision to pay off extortionists or not, Willems noted.

“There is some question around the methods used by the developers to hide files,” he said. “Some appear as though they may not be encrypted at all, but just archived and obscured.”

Others do not reach out to a command-and-control server, so the decryption key must be held locally, Willems continued. If it is held locally, it can be discovered and used to decrypt the files on a machine without paying a ransom.

In addition, some keys are reused and can be found on online forums where they can be obtained for free. What’s more, there are antidote applications available for some variants, like Simplocker.

“Before paying, it’s worth doing some research on the specific piece of malware you’re up against,” Willems recommended.

Best Practices

Of course, the best answer to the should-I-pay-the-ransom question is to avoid having to answer it at all.

“The key is to remove power from the extortionists, and you do that by backing up your system regularly,” said Kenneth Bechtel, a malware research analyst with Tenable Network Security.

“This basic best practice is cheap and easy, thanks to removable hard drives,” he added. “With backups, there’s no need to pay the ransom to get your data back or interact with extortionists in any way, which can increase your risk.”

While making backups may be good computer hygiene, it’s been a bear for many consumers.

“Platform providers should be putting concerted efforts into making this a completely seamless process, so that the user’s confidence is raised,” said David Britton, vice president of industry solutions for 41st Parameter.

“In this way, the fraudsters would have no effective leverage to make a ransom demand,” he pointed out. “The user could simply wipe and restore their device to a pre-infection version.”

Breach Diary

  • June 16. Domino’s Pizza confirms hackers stole personal information of more than 600,000 customers in Europe and threatened to publish the data on the Internet unless the company pays the bandits a ransom of US$40,800.
  • June 16. Three community colleges in Riverside County, Calif., notify more than 35,000 students their personal information is at risk after it was mailed to an external email account by an employee who mistyped an email address.
  • June 17. Netskope security researchers discover vulnerability in In some versions of some browsers the app downloads executable files instead of data files stored on the service.
  • June 17. UK Office for Security and Counter Terrorism is forced by a legal mandate to reveal secret government policy used to justify mass surveillance of every Facebook, Twitter, YouTube and Google user in the United Kingdom.
  • June 17. Avast releases Ransomware Removal software that removes Simplocker malware from Android phones and decrypts any data encrypted by the malicious app.
  • June 18. Computer security firm BAE Systems reports that an unnamed hedge fund company lost millions of dollars after cybercriminals installed malware on its systems. Malicious software inserted a lag time in the fund’s trading system so the criminals could use information from the system to perform trades before the fund could.
  • June 18. Code Spaces, a cloud-based storage service, shutters Internet presence after intruders gained access to its Amazon Web Service account and destroyed most of its customers’ data stored there.
  • June 18. Cybersecurity firm Bromium releases survey of 300 information security professionals that finds 72 percent of respondents identified users as their biggest security headache.
  • June 18. Rady Children’s Hospital in San Diego reveals detailed personal information of some 14,000 patients is at risk after information was sent to several job applicants by mistake earlier this month.
  • June 19. U.S. Supreme Court hands down decision protecting whistleblowers from retaliation when they make truthful statements while giving compelled testimony.
  • June 20. U.S. Congress, on a vote of 293-123, approves budget amendment prohibiting the spending of federal money on “backdoor searches” of U.S. citizens by the NSA.

Upcoming Security Events

  • June 23-27. Hack in Paris. Disneyland Convention Center, Paris, France. Training sessions: 1200-1800 euros; conference: 75-285 euros; HIP14 training and conference: 100 euros.
  • June 23-26. Gartner Security & Management Summit. Gaylord National, 201 Waterfront Street, National Harbor, Md. Registration: US$2,450; public sector $2,050.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • July 12. B-Sides Detroit. COBO Center, 1 Washington Blvd., Detroit. Free.
  • July 19. B-Sides Cleveland. B side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 5-6. B-Sides Las Vegas. Tuscany Suites and Casino, Las Vegas. Free.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Aug. 16-17. B-Sides Dubai. Dubai World Trade Center. Free.
  • Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
  • Aug. 29-30. B-Sides Hyderabad. Hyderabad International Convention, India. Free with registration.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
