A couple of items of general interest regarding ransomware:
I’ve commented a couple of times recently on the question of Ransomware: To pay or not to pay? and The economics of ransomware recovery.
Further to the discussion as to whether people or organizations should pay up when hit by ransomware…
- The hardline security maven view is usually that they shouldn’t because it encourages the proliferation of ransomware attacks.
- A softer view (more or less mine) is that you can’t blame people, especially individuals, for not sacrificing their treasured photos, documents etc. for a principle. But we hear of organizations assuming that it’s cheaper to pay the ransom than it is to protect data properly. If so, not only are they adding to the problem, but they’re also making an unsafe assumption: that paying the ransom will actually get their data back.
Sometimes, we’re told that ransomware operators will ‘return’ the data because not to do so may damage their ‘business model.’ And there’s something in that. However, the operators don’t always return the data. Sometimes they just can’t, through some technical issue or incompetence. Sometimes they just don’t bother.
Judging from a survey report from Kaspersky, it seems the number of times that payment doesn’t result in the release of the data may be higher than we think. The report states that:
17% of people online have faced a ransomware threat, with 6% becoming infected as a result. One-in-five users that pay a ransom don’t get their files back.
Should victims simply be told never to pay? Virus Bulletin doesn’t think so, according to the article Paying a malware ransom is bad, but telling people to never do it is unhelpful advice.
While the article certainly isn’t encouraging victims to pay up in general, and acknowledges that if (almost) all victims declined to pay up the criminals would be discouraged, it points out that:
sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work.
And I have to agree with that. As previously observed on this site:
Security bloggers almost invariably advise you not to pay the ransom. Easy to say, when it’s not your own data that’s at stake…
On the other hand:
…an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering.
Still, I agree that it doesn’t help to censure people or organizations who choose to pay up when there is no other option for (hopefully) retrieving their data.