Ransomware: Pay it or fight it?

Experts recommend fighting back against CryptoWall and other ransomware, but for many the $500 ransom is a small price to pay.

Ask security experts what to do when hit with ransomware -- the sophisticated malware that infects a device or network, uses military-grade encryption to restrict access, and demands payment for the decryption key -- and you'll typically get the same answer: "never pay the ransom."

But for many, that's simply not an option. For example, last November an employee in the Sheriff's Department in Dickson County, Tenn., accidentally clicked on a malicious ad and exposed the office network to the infamous CryptoWall ransomware. Detective Jeff McCliss told local News Channel 5 that CryptoWall had encrypted "every sort of document you could develop in an investigation," such as witness statements and evidence photos. Even after consulting with the FBI and U.S. military, McCliss told the news station that the only solution was to pay the $500 to the cybercriminals to get their files back.

This wasn't an isolated case -- for example, a police department in suburban Chicago recently paid a $600 ransom after it was struck by a similar attack, according to the Chicago Tribune. Enterprises that aren't fully prepared for a ransomware attack really have no incentive not to pay. In fact, many of those who do think they're prepared find that they have no option other than to negotiate with their hostage takers.

Organizations that employ real-time backup and frequently test their tools typically survive a ransomware attack unscathed -- they can simply wipe the infected device and restore the backed-up files.

This is hardly the reality for many organizations, especially for mid-sized companies with limited to no IT resources or even larger organizations whose IT staff is spread thin. Even organizations that have prepared for this kind of scenario often find that their file restore functions don't work, says Stu Sjouwerman, CEO of security training firm KnowBe4, which has advised and assisted victims of ransomware. Many organizations that invest in a file backup solution fail to test their restore function. When they need it to work, they find that they cannot restore all the files that they backed up, rendering the backup efforts futile.

"They overlook [testing the restore function] all the time," Sjouwerman says. "It is a best practice, but IT is, as you well know, under a lot of pressure. They are forced to put out fires all day long and in the meantime also put new systems online. So it's hard to find time for that type of thing in a day-to-day IT environment."
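As an added illustration of the restore-testing gap described above (this is not code from the article or from KnowBe4), the Python below records a SHA-256 manifest when a backup is taken and checks a restored tree against it, so a restore drill reports files that never came back and files that were captured only after they had already been rewritten. File names and contents are constructed samples.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Digest of one file; the manifest is built from these at backup time."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "altered": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["altered"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def restore_drill():
    """Constructed drill: snapshot a tree, 'restore' it, then break the restore
    two ways. A clean restore returns empty missing/altered lists."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "live", "case-42")
        os.makedirs(src)
        files = {"statement.txt": b"witness statement (constructed)",
                 "photo.bin": b"\x89PNG constructed sample", "notes.txt": b"ok"}
        for name, data in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)  # stands in for the real restore job
        os.remove(os.path.join(restored, "notes.txt"))  # file never came back
        with open(os.path.join(restored, "photo.bin"), "wb") as f:
            f.write(b"ciphertext placeholder")  # copy taken after encryption
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work)
```

Run the drill on a schedule against a scratch restore target; any non-empty `missing` or `altered` list means the backup would not have saved you.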

From there, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.

In most of these cases, paying the ransom is a "no-brainer" for the organization, Sjouwerman says. That's because ransomware is largely automated, demanding around $500 in exchange for the decryption key from all victims. The ransom for a police department's evidence might be the same as for a personal PC user's photos.

"Ransomware is the Walmart of cybercrime. They just have decided to automate the whole process," Sjouwerman says. "And they are massively phishing as many email addresses and companies as they possibly can. For them, they have figured out that the business model is: some people will have backups, some people won't. Of the people that don't, it has to be a no-brainer."

The cybercriminals behind these attacks are concerned with maximizing the likelihood of their victims paying the ransom. Theoretically, they could increase the payout for cases where they've encrypted more valuable data. But the key is to make sure they pay up, and keeping the price within a reasonable range will increase the chances that more victims will pay.

Honor among thieves

Along these lines, many of the people behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom payments and leaving victims alone once the exchange has been made. In December, Sjouwerman told CSO about a new strain of ransomware called OphionLocker that was designed to recognize the devices it had infected in the past so that it doesn't hit the same victims repeatedly. And in his experience working with ransomware victims, Sjouwerman says every victim that has paid the required ransom amount did receive their decryption key, most of them within an hour of sending the payment.

The objective is to make the decision as easy as possible for ransomware victims -- if they pay up, they will receive access to their files and can put the entire ordeal behind them. "If they are not prepared and they are hit, most of them will pay," Sjouwerman says.

So it's not much of a surprise that ransomware has grown so rapidly since CryptoLocker, the now-defunct ransomware strain that brought this model to the internet, was released in September 2013. Symantec estimated in September (PDF) that CryptoLocker-style ransomware grew 700% in 2014. McAfee recently reported (PDF) a 155% growth of ransomware in the fourth quarter of 2014.

The IT security community may advise against paying the ransom as a means of removing the incentive for cybercriminals to engage in this kind of scam. But that is usually the last thing on the minds of IT decision makers who just want to get their files back and get back to work. An organization that faces losing weeks' or months' worth of data can write off the expense as a learning experience.

"This is in jest and more ironic than anything else, but you almost have to be grateful to the Eastern European cyber mafia to send you a social engineering audit that tests both your employees and your IT department for being click-happy, and also if best practices are being implemented or done," Sjouwerman says. "It's a really cheap audit, for $500."

Stories by Colin Neagle