Destroying ransomware business models is not your job, so just pay up

The FBI's advice to suffer and lose data only makes sense if you're the FBI


COMMENT It's not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business.

The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using ransomware.

Trainor added that "by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."

That last point is worth noting, but the general advice is worth less than the paper it is written on.

It isn't just this reporter's informed opinion: system administrators and hackers everywhere have recommended paying ransoms so often that hearing "one organisation has paid off ransomware attackers" whispered in this hack's ear borders on boring.

Law enforcement authorities need not extend themselves to ask the opinion of hackers. Police units across America have themselves paid off ransomware crims, as have doubtless scores of other government organisations, hospitals, and schools.

Asking organisations to avoid paying ransoms is as futile as asking staff to trigger alarms during a stick-up. I've worked a fistful of bars in my time and in each the policy was to avoid a hostage situation and let insurance cover the losses.

The cops are the only ones who really care if the criminals are caught, and so it is with ransomware.

So the victim has three choices.

Restore a backup.

Format and lose data.

Or pay.

The latter option comes down to the type of ransomware that has been deployed.

If it is Cryptowall, the later versions of Cryptxxx, or one of a few others, then you'll probably find no way to decrypt files without paying.

The upside here is that those ransomware variants are built by professional crims, and anecdotally there appears to be a higher chance that distributors of those ransomware variants will provide the necessary decryption key on payment.

There is considerable risk here and all payments should be made with the expectation that crims will take the money and run. Scammers abound, yet the very worst offenders may be outed with a cursory Google search for net chatter about a given ransomware variant.

Ransomware is, however, one of the world's worst net menaces precisely because the fluid professional business model of providing keys for payment encourages other victims to pay up.

The cops want this model to break by placing the onus on victims to not pay. Breaking criminal business models is not, however, the job of the system administrator, nor the family tech geek responsible for storing that sad lone copy of family photos.

The key considerations for any business or individual deciding whether to pay are the reputation of the ransomware, the value of the lost data, the cost of disruption from restoration, and the size of the coffers.

Rapid research and pre-planning are key.

To this end the FBI and others would do better to save their breath and offer advice about how victims can identify and then decrypt their ransomware infections, rather than delivering sermons from an ivory tower. ®

Biting the hand that feeds IT © 1998–2022