Imagine you have been hit by a ransom Trojan. If you do not have a backup, you pay. You either pay the price with money, or you pay it with your files. That's it: money or files, no win.

Criminals are wise enough not to demand too much for your data. They calculate their ransomware pricing based on country of residence, company size, etc. For individuals in economically developed countries, 300-600 USD can look like a justified amount for restoring all home video files, tax documents, a dissertation and the like. For companies that need to keep their businesses up and running, that price looks even more reasonable. And most do end up paying. That's why ransomware threats are multiplying. A good way to stop this plague is to render it unprofitable.

There are rare life-or-death situations where lives may depend on files, but in 99% of cases the answer should always be: do not pay. Furthermore, we should not only stop funding the cyber-criminals this way but also spread the word that we are not going to pay up. We should influence public opinion and make people understand that the buyout is bad and won't help.

A good example of not paying comes from email providers. Those were mainly DDoS attacks rather than encryption, but the idea is very similar: getting money by means of blackmail and cyber extortion. Quite a few premium email services, among them FastMail, Hushmail, Zoho and Runbox, were reportedly targeted by DDoS attacks accompanied by the offenders' demands to pay for stopping those onslaughts. All of the companies refused to pay. It is because several firms overtly stated they wouldn't pay that we hear hardly any reports of such extortion attacks now.

Here's another point: if something is really important to me, I protect it by all possible means. Critical personal information should be backed up and protected. Laziness or other random factors may keep people from protecting their digital life, so that can be a lesson for the future.
Do the right thing: back up the files that really matter. Do not let this crime evolve further. It's hard to predict what shape cyber extortion can take. There have already been incidents with critical infrastructure: Israel's Electricity Authority got hit by ransomware a few weeks ago, and a power outage was very close. Researchers foresee ransomware attacks against medical devices and wearable gadgets. Their security is poor, and protection is hard to implement. The money that the criminals are getting now can be used to adapt ransomware code to compromise these devices. With our money, criminals will have the resources to go beyond cyber extortion alone. This can mean terrorists funding their death campaigns. Paying just supports a criminal enterprise. Please note that depending on your location, it may be illegal to pay the ransom, as it could be regarded as financing criminals.

Ransomware keeps growing, obviously, because people do pay, but do we really know how many get their files back at the end of the day? The Internet is full of success stories, but a lot of these reports proved to be fake, as they were posted by the criminals themselves. Another indisputable fact is that some businesses avoid publicly talking about their losses.

If you want to pay, think of what can possibly go wrong. Even if the private decryption key is provided, you may face restoration glitches such as software or hardware failures caused by poorly written ransomware code or mistakes by your admins. You may end up losing both the money and the files. It's worth noting that once you submit the ransom, you are definitely a target to be hit again. The fraudsters can either get you infected again, or they may even ask for another payment after receiving the first one. What is more, paying is not that quick and easy. Even if you pay and successfully decrypt all files and it looks like the infection is gone, there is no guarantee that nothing bad, such as a backdoor, is left behind.
It's recommended to wipe your drive or rebuild the network completely after the fact.

Do not pay just because you believe the data can be decrypted. Do some research on your own or hire a security consultant. A number of known ransomware variants are not sophisticated and have been decrypted; this applies to TeslaCrypt, LeChiffre, the Linux ransomware, and a few more. There are many online forums dedicated to researching ransomware and informing users about the results. New tools are being devised to get around the crypto, and private keys are published online once in a while. Interestingly enough, there have been stories where the criminals published the keys themselves for various reasons.

Use all possible options to recover. Do not make a hasty decision to pay even if no solutions are currently available. Wait for a while; the encryption may be circumvented some time later. A lot of researchers are constantly working on ransomware issues. And be prepared: ransomware will teach us to make backups.

Lastly, here's some special advice regarding ransom Trojans: do not be afraid of the countdown timer that says you will have to pay twice as much after the deadline. Just set your BIOS time back. May this reduce your stress and give you more time to find a recovery technique.
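A backup is only worth something if the restored copy is the one you made, not a set of files that were already overwritten, encrypted or replaced before the backup job ran. The script below is an added example, not part of the article and not a tool from the author or Privacy-PC. It assumes the simple workflow of writing a SHA-256 manifest next to the backup, keeping that manifest offline, and checking the restore against it before trusting it: files whose hash changed, files that went missing, and unexpected files that were not in the manifest are all reported. The file names and contents in `demo()` are constructed for the example.

```python
"""Hash-manifest check for a backup set (added example, not from the article).

Assumed workflow: build a manifest when the backup is written, store it
offline with the backup, and verify the restored copy against it before
trusting the restore. Any file whose hash changed, went missing, or
appeared unexpectedly is reported.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory tree against a stored manifest.

    Returns sorted lists of paths that match, whose content changed, that are
    missing, and that were not in the manifest at all (for example a ransom
    note or a renamed copy dropped into the tree).
    """
    current = build_manifest(root)
    expected = set(manifest)
    found = set(current)
    return {
        "ok": sorted(p for p in expected & found if current[p] == manifest[p]),
        "modified": sorted(p for p in expected & found if current[p] != manifest[p]),
        "missing": sorted(expected - found),
        "extra": sorted(found - expected),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Write the manifest as JSON; keep this copy offline, away from the live system."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: back up three files, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "thesis.docx").write_bytes(b"chapter one, draft 7")
        (backup / "taxes").mkdir()
        (backup / "taxes" / "2015.pdf").write_bytes(b"%PDF-1.4 sample")
        (backup / "video.mp4").write_bytes(os.urandom(4096))

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulate a damaged restore: one file overwritten, one missing, one unexpected.
        (backup / "thesis.docx").write_bytes(b"garbage")
        (backup / "taxes" / "2015.pdf").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"unexpected file")

        return verify_manifest(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step when the backup is made and the verify step on a test restore on a regular schedule, not only after an incident; a backup that has never been restored is an assumption, not a backup. Because the manifest lists the files you expect, the "extra" list also surfaces the ransom notes and renamed copies that a compromised backup set tends to carry.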
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock