Destroying ransomware business models is not your job, so just pay up
The FBI's advice to suffer and lose data only makes sense if you're the FBI
COMMENT It's not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business.
The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using ransomware.
Trainor added that "by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."
That last point is worth noting, but the general advice is worth less than the paper it is written on.
It isn't just this reporter's informed opinion; system administrators and hackers everywhere have recommended paying ransoms so often that a whisper in this hack's ear that "one organisation has paid off ransomware attackers" borders on boring.
Law enforcement authorities need not extend themselves to ask the opinion of hackers. Police units across America have themselves paid off ransomware crims, as have doubtless scores of other government organisations, hospitals, and schools.
Asking organisations to avoid paying ransoms is as futile as asking staff to trigger alarms during a stick up. I've worked a fistful of bars in my time and in each the policy is to avoid a hostage situation and let insurance cover the losses.
The cops are the only ones who really care if the criminals are caught, and so it is with ransomware.
So the victim has three choices:

- Pay the ransom.
- Restore a backup.
- Format and lose data.
Whether the latter option is forced on you comes down to the type of ransomware that has been deployed.

If it is Cryptowall, the later versions of Cryptxxx, or one of a few others, then you'll probably find no way to decrypt files without paying.
The upside here is that those ransomware variants are built by professional crims, and anecdotally there appears to be a higher chance that distributors of those ransomware variants will provide the necessary decryption key on payment.
There is considerable risk here, and all payments should be made with the expectation that crims will take the money and run. Scammers abound, yet the very worst offenders may be outed with a cursory Google search for net chatter about a given ransomware variant.
Ransomware is, however, one of the world's worst net menaces precisely because the fluid professional business model of providing keys for payment encourages other victims to pay up.
The cops want this model to break by placing the onus on victims to not pay. Breaking criminal business models is not, however, the job of the system administrator, nor the family tech geek responsible for storing that sad lone copy of family photos.
The key points for any business or individual weighing a payment are the reputation of the ransomware, the value of the lost data, the cost of disruption from restoration, and the size of the coffers.

Rapid research and pre-planning are key.
To this end the FBI and others would be better off saving their breath and offering advice about how victims can identify and then decrypt their ransomware infections, rather than delivering sermons from an ivory tower.