Ransomware: InfoSec, Stats, and Paying Up

A couple of items of general interest regarding ransomware:

  • For Sophos, Bill Brenner’s article InfoSec 2017: a look at the family album of ransomware includes some threat statistics for the period between October 2016 and April 2017, plus some ransomware-based talks and events at InfoSec.
  • For Computer Weekly, Warwick Ashford writes about UK firms stockpiling bitcoins for ransomware attacks, referring to a survey commissioned by Citrix. The survey suggests that the number of companies not willing to pay up if attacked by ransomware has fallen from 25% to 22%, whereas large firms are prepared to pay nearly four times as much as they were a year ago. However, the number of companies with no contingency plans at all seems to have dropped dramatically.

I’ve commented a couple of times recently on the question of Ransomware: To pay or not to pay? and The economics of ransomware recovery.

David Harley

To pay the ransom doesn’t always pay off

Further to the discussion as to whether people or organizations should pay up when hit by ransomware…

  • The hardline security maven view is usually that they shouldn’t because it encourages the proliferation of ransomware attacks.
  • A softer view (more or less mine) is that you can’t blame people – especially individuals – for not sacrificing their treasured photos, documents, etc. for a principle. But we hear of organizations assuming that it’s cheaper to pay the ransom than it is to protect data properly. If so, not only are they adding to the problem, but they’re also making an unsafe assumption: that paying the ransom will get their data back.

Sometimes, we’re told that ransomware operators will ‘return’ the data because not to do so may damage their ‘business model.’ And there’s something in that. However, the operators don’t always return the data. Sometimes they just can’t, through some technical issue or incompetence. Sometimes they just don’t bother.

Judging from a survey report from Kaspersky, it seems the number of times that payment doesn’t result in the release of the data may be higher than we think. The report states that:

17% of people online have faced a ransomware threat, with 6% becoming infected as a result. One-in-five users that pay a ransom don’t get their files back

David Harley

Never Pay the Ransom – Good Advice?

Virus Bulletin doesn’t think so, according to the article Paying a malware ransom is bad, but telling people to never do it is unhelpful advice.

While the article certainly isn’t encouraging victims to pay up in general, and acknowledges that if (almost) all victims declined to pay up the criminals would be discouraged, it points out that:

sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work.

And I have to agree with that. As previously observed on this site:

Security bloggers almost invariably advise you not to pay the ransom. Easy to say, when it’s not your own data that’s at stake…

On the other hand:

…an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering.

Still, I agree that it doesn’t help to censure people or organizations who choose to pay up when there is no other option for (hopefully) retrieving their data.

David Harley