Paying a malware ransom is bad, but telling people never to do it is unhelpful advice

Posted by   Martijn Grooten on   Apr 26, 2016

I'm not usually one to spread panic about security issues, but in the case of the current ransomware plague, I believe that at the very least a sense of great concern is justified. And the threat is unlikely to disappear any time soon.

While there are certainly many things we can do to significantly reduce the risk of us getting infected — from applying all necessary patches and keeping offline backups, to running software that alerts us when files are suddenly being modified en masse — ultimately, ransomware does what we all should be doing: encrypting our files. The subtle but essential difference is that it does so with a key we don't have.

One reason why ransomware is so successful is that the ransom demanded is usually only a few hundred dollars — affordable to most people (ransomware tends to target users in Western countries) and often cheaper than the (perceived) value of the data that would otherwise be lost. However, security experts regularly tell affected individuals and organizations never to pay the ransom.

I think this is unhelpful advice.

For sure, paying the ransom should always be the last resort. We should help victims, and the jack-of-all-trades sysadmins who are likely going to assist them, find other ways to recover the data. Maybe backups have been kept. Maybe this particular ransomware is one for which a decryption tool is available. And maybe losing the data — which could also have happened because of a physical failure of the hard drive — is an expensive but valuable lesson on the importance of keeping backups.

But sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work. Crooks will be crooks, after all.

Of course, if everyone followed the advice never to pay a ransom, ransomware authors would come to find that it wasn't worth their effort, and the threat would eventually disappear. But this wouldn't happen instantly, and it really would depend on almost everyone not paying the ransom.

And if security experts suddenly had the power to make everyone follow their advice, maybe we should just tell people to patch instead.

locky_16mar.png

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Subtle change could see a reduction in installation of malicious Chrome extensions

Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus making it harder for malware authors to trick users into unwittingly installing malicious extensions.

Paper: EternalBlue: a prominent threat actor of 2017–2018

We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.

'North Korea' a hot subject among VB2018 talks

Several VB2018 papers deal explicitly or implicitly with threats that have been attributed to North Korean actors.

Expired domain led to SpamCannibal's blacklist eating the whole world

The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it effectively listing every single IP address.

MnuBot banking trojan communicates via SQL server

Researchers at IBM X-Force have discovered MnuBot, a banking trojan targeting users in Brazil, which is noteworthy for using SQL Server for command and control communication.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.