Ransomware, should you pay or not?

Imagine you are working on your computer and suddenly it is locked. A message appears telling you that unless you pay a ransom your data will be leaked, or accusing you of having been involved in illegal acts.

The rise of ransomware is no surprise: it is easier for an attacker to execute and to obtain money from than other cyber attacks. Ready-made ransomware kits are offered as RaaS (Ransomware as a Service), which enables even low-skilled cyber thieves to launch ransomware attacks. The associated money transfers are harder for banks and law enforcement to trace, and Bitcoin has made them even less traceable.

Ransomware gets onto your computer by several routes: downloaded attachments, social media apps and exposed web servers. How do you react if you are affected?

It is no easy decision. If you pay, you support crime. If you don’t pay, you get exposed or lose your data; it can even destroy your business. It’s easy to tell others not to pay; it is very different when you are the victim.

Be proactive and prepared! Here are some tips that can help minimize the problem and get you back on your feet quickly:

Simply do your backups!

  • Do your backups! Regularly, make it a habit! Really do it!
  • Upon an attack, immediately detach an attacked computer from the network.
  • Have multiple backups: back up the whole machine, the project directory, the desktop and the home directories.
  • Retrieving from a dedicated project backup is much easier than retrieving from a complete backup. However, in case of a ransomware attack you will need the complete backup.
  • Keep your backups offline, and preferably offsite.
  • Have you ever simulated retrieving information from a backup? Go through the pain once while you are not nervous, pressed for time, or under the stress of losing data. An unusual situation is easily a source of operator error, and you might lose the backup as well.
  • One more step you can take for your protection, especially if you are a home user and don’t have a second computer to do research on after your computer is attacked:
    • Buy or reuse a cheap second disk (available under $50). Swap disks, install a working operating system or restore a backup onto that extra disk, check that it really boots, and swap the disks back. If your computer is later hacked, you can swap disks a third time: put the cheap disk into your computer and you have a working system to browse for solutions to the problem. While your attacked main disk is safely removed, browsing cannot cause any further damage. Once you have calmed down, done your research, and know what you are doing next, you can mount both disks, treat the damaged main disk as a data disk, and fix it while it is not running as the main disk.
  • You should file a report with the FBI (ic3.gov).
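The restore drill recommended in the tips above, as an added example that is not part of the original article: a POSIX shell script that backs up a constructed sample project together with a sha256 manifest, restores it into a scratch directory and verifies every file, and flags when the live tree no longer matches the last good backup. All paths and file contents are constructed for the demonstration.

```shell
# Added restore-drill example (not from the original article). Everything it
# touches is a constructed sample under a temporary directory.
set -eu

# Build a small constructed project tree that stands in for real data.
make_sample_project() {
  mkdir -p "$1/src" "$1/docs"
  printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
  printf 'Release notes, draft 1\n' > "$1/docs/notes.txt"
}

# Archive a directory ($1) into $2 and write a sha256 manifest of every file
# to $3; the manifest is what later proves a restore is complete and intact.
backup_dir() {
  tar -C "$1" -cf "$2" .
  (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$3"
}

# Restore archive $1 into scratch directory $3 (never over the live tree) and
# check every restored file against manifest $2. Exit status 0 means the
# drill passed; anything else means this backup cannot be relied on.
# Archive and manifest paths must be absolute, since the check runs inside $3.
restore_drill() {
  mkdir -p "$3"
  tar -C "$3" -xf "$1"
  (cd "$3" && sha256sum -c --quiet "$2")
}

# Compare live tree $1 against manifest $2; a non-zero status means files no
# longer match the last good backup, e.g. after they were overwritten.
live_matches_manifest() {
  (cd "$1" && sha256sum -c --quiet "$2" >/dev/null 2>&1)
}

# Stand-alone demonstration: back up, damage the live copy, run the drill.
demo() {
  work=$(mktemp -d)
  make_sample_project "$work/live"
  backup_dir "$work/live" "$work/backup.tar" "$work/backup.sha256"
  printf 'unreadable\n' > "$work/live/docs/notes.txt"   # simulate a damaged live file
  live_matches_manifest "$work/live" "$work/backup.sha256" || echo "live tree differs from last backup"
  restore_drill "$work/backup.tar" "$work/backup.sha256" "$work/scratch" && echo "restore drill passed"
  rm -rf "$work"
}
demo
```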

One might compare ransom demands with the “protection” money paid to organized crime, but the comparison no longer holds. “Protection money” used to go to the local crime organization. When another crime organization moved into the area, it usually led to crime wars, and victims paid the “protection fee” to just one organization, the local one.

Ransomware is different. It is global. Paying your ransom to today’s hacker does nothing to prevent other hackers from unleashing their own ransomware onto you again tomorrow.

Here is a list of recent ransomware attacks (that have been exposed):

Cerber
appeared in the first quarter of 2016. Interestingly enough, it excludes computers from ‘typical’ hacker countries. It also infects all connected networks and even makes the computer speak to you.

Simple Locker
is Android ransomware that blocks access to your device; it is a copycat of Cryptolocker.

Locky
infected computers in healthcare facilities and hospitals in the United States, New Zealand, and Germany in 2016 by encrypting certain file types. It affects files not only on the main drive but also scans and reaches all accessible network shares.

Samas
appeared in the last quarter of 2015, and compromised the networks of healthcare facilities in 2016.

Koler
threatens victims with arrest if they don’t pay up.

Cryptolocker
affected more than 500,000 users in 2013/14. Reportedly only 1.3% paid the ransom. Luckily, the decryption keys were later made public for all other victims (source: BBC).