A comment made by an FBI agent at a little-noticed cybersecurity conference in Boston last week is all of a sudden making big headlines, many of them suggesting that the FBI is telling victims of ransomware to “just pay” the ransom.
The comments by Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, were first reported by The Security Ledger.
What Bonavolonta supposedly said is that the encryption used by cybercrooks in the ransomware known as CryptoWall is so good that the FBI “often [advises] people just to pay the ransom.”
Here’s the exact quote:
The ransomware is that good... To be honest, we often advise people just to pay the ransom.
Bonavolonta was also quoted as saying “the easiest thing may be to just pay the ransom,” and the “overwhelming majority of institutions just pay the ransom.”
And he said: “You do get your access back” (to your files once you pay).
It’s true that CryptoWall and some other variants of ransomware tend to get the cryptography right, which means you can’t undo the encryption without paying.
It’s also true that a lot of institutions and individuals do pay the ransom – one study in the UK suggested that up to 40% of victims of CryptoLocker – the forbearer of today’s file-encrypting ransomware – paid to unlock their files.
Even police departments that have had their files scrambled by ransomware have paid to get them back – such as one municipal police department in Massachusetts, and a sheriff’s office in Tennessee.
And it’s true that the crooks often provide the encryption key to decrypt your ransomed files, once you pay somewhere in the range of $300 to $600 in bitcoins.
The ransomware gangs’ business model seems to depend on good “customer service,” if you can call it that – they even offer to let you decrypt one file for “free” as proof that they’ll follow through on the bargain.
However, paying the ransom does present an ethical dilemma: by paying up, you support a criminal enterprise, making it more likely that others will be caught up in the same trap.
That seems to be why so many headlines are blaring about Bonavolonta’s statement – could the FBI really be encouraging people to pay off the criminals, something they would never do if a ransom were demanded in a hostage situation?
Actually, the FBI’s officially sanctioned advice about ransomware doesn’t explicitly mention paying or not paying the ransom – the bottom line in the FBI’s ransomware information page from January 2015 is that victims should contact the FBI.
A FBI spokesperson sent me the following statement:
The FBI doesn't make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.
The FBI website has some pretty good advice about preventing ransomware that comes close to what Naked Security advises, including:
- Keep your anti-virus active and up to date. That means you’re more likely to block malware attacks proactively.
- Patch your operating system and applications promptly. Many attacks rely on exploiting security bugs that are already have available fixes, so don’t make yourself low-hanging fruit.
- Be suspicious of unsolicited emails, no matter how relevant they may seem. Avoid opening attachments and clicking on links in emails too, especially if you’re not expecting them.
- Make regular backups, and keep at least one offline. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, theft and so on.
As Sophos security expert and Naked Security writer Paul Ducklin explained in an excellent post about the pay-or-not dilemma, it’s pretty easy for people whose precious data isn’t at risk to take a strong position that “you should NEVER pay.”
But if it’s YOUR family photos or financial documents on the line, what would you do?
Our simple advice is summed up here:
- Don’t pay if you can possibly avoid it, even if it means some personal inconvenience.
- Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.
We’ve got a lot more advice on dealing with ransomware in the Sophos Techknow podcast below.
(Audio player above not working? Download, or listen on Soundcloud.)
Image of Bitcoin padlock courtesy of Shutterstock.com.
Computer Guy MD
Carbonite can restore data from a backup point prior to the infection, which is a much better option! Removing the virus is not difficult, so having a cloud backup is very important to safeguard from Ransomware.
twatter (@a3456gf)
Most of the times recovery software doesn’t work as the ransomware overwrites the deleted, unencrypted data with 0s on the disk.
was hacked - didn't pay - and survived!!
good point – you think the backup companies would be all over advertising this option.
If anyone wants a word doc attachment that appears to be the cause of ransomware, I have one and I’ll gladly send it to whomever wants.
I would think the FBI would want to be collecting these things whenever they could get them!
John Powers
Just another expense for sloppy bookkeepers unfortunately. Decent backup would certainly help, but there would still be downtime and costs involved . Treat data it like car ,house or property insurance..we live in a sea of marauding sharks.
Tom
Sounds like the FBI, which isn’t the best source of computer security advice, is just giving up on computer security. “We give up, we can’t fix this, just pay off the crims.” This is like the old cop and robber dilemma: if there’s no crime, why would we need police, maybe they want the crime to take place so they have something to do. Just do backups!
Paul Ducklin
Actually, it doesn’t sound that way at all. There’s no sense of “giving up” on the criminals – I think the FBI is simply being pragmatic here. If you *have* been hit by ransomware, that’s bad, but there are often only three ways out of it at that point:
Restore your backups.
Take it on the chin.
Do a deal with the crooks.
For my part, I’m pleased to hear that the FBI isn’t sticking dogmatically to the line, “Never pay up, they are crooks,” which is what you might expect to hear from law enforcement. I’m sure they’d prefer people not to pay, and I’ll join in by saying, “Big respect to you if you refuse to pay.” Yet the Feds are being realistic by admitting that, yes, paying usually works, and no, you are not committing a crime yourself by paying up.
In short, the FBI is telling it like it is.
I have heard numerous people as good as insist to me that “there must be *some* way to crack the encryption without paying, why don’t you find it?” And while there are some security holes in some ransomware versions…that’s not always true. If the crooks did the programming correctly, you are pretty much stuck with the three solutions above.
Bradford Rand
This has been the best & most logical comments I have read in response to Mr. Bonavolanta’s statement. There is no easy solution here. What he was saying… and for usually less than $500 you can get your data back almost instantaneously. Your other choice is too potentially lose your data permanently (perhaps millions of dollars) or spend weeks and tens of thousands of dollars attempting to decrypt the rasomware. His most important point is Back up your Data – so then you can refuse to pay the criminals off if you get into this situation. By a pratical business point of view – Mr. Bonavolanta is right on. You need to get your business up and running as fast as possible. After the breach, your company will certainly learn its lesson and hopefully never be in this situation again.
I was there, I am the producer of this Cyber Security Summit of Boston.
Tom
I agree that if you don’t do backups and have to get your IT system running, you probably have no choice but to pay up. I’ve been a system administrator for 25 years and have been doing backups since the days when my server had a modem for remote administration and QIC for backups. It’s just difficult for me to understand how a business, even a small business, would not have some backup strategy in place. Even today, I do both cloud and external USB drive backups (which I disconnect when finished). Even without a major disaster having a backup can make a tech look like a hero, “I deleted my 15 sheet Excel file, can you get it back for me?” And I don’t judge, we all do silly things. Small businesses can hire a part time tech to come in a few hours a week or use one of popular online backup services. The motto should probably be, “Back up or pay up.” Even small businesses often hire cleaning janitorial services, why not tech as well?
As far as the FBI and computer security advice, the US government has a long history of one agency not taking the advice of another, I wonder if the FBI reads CERT bulletins? The FBI is pretty good at catching criminals but may lack the technical know how when it comes to computer security.
Josh
It’s not really a give-up situation. The FBI assists companies that have been hit. The thing is, it is often far cheaper to pay the criminals than it would be to hire a cybersecurity firm to try and decrypt your data (which they likely wouldn’t be able to do, anyway). If your critical data hasn’t been appropriately backed up, paying the bad guys is likely the cheapest option.
twatter (@a3456gf)
Not at all. As it has been quoted, the FBI detailed the available options.
If you get infected with ransomware it’s the sign that you do not care about information security.
EMH
In other words: The FBI can’t magically break 2048-bit RSA. Wow, stop the presses.
This isn’t a shot at the author here. Rather, I’m perplexed that people are somehow surprised at this. The FBI’s job is crime fighting, not decryption, so if an affected victim appeals to them to get their data back, what else is the FBI going to say? The obvious first suggestion is to go to backups, but presumably the average victim would’ve already thought about that (either that, or the suggestion works and the problem ends there). And again, such support isn’t the FBI’s job. If decryption isn’t going to help them ID and arrest criminals – and how would it? It’s not like the act of decryption identifies the criminal – I don’t see them even wanting to get involved. So what else are they going to say?
Realistically, the only way the FBI can even come close to helping decrypt affected files is to arrest the criminals and somehow get the decryption keys out of them. That first requires knowing who the criminals are, then getting their hands on them – a whole circus in itself, seeing as how they all appear to be overseas in countries where police cooperation with the FBI is likely weak to nonexistent – then going through whatever legal process exists to compel them to cough up the info. So how long is a person or business willing to wait before decrypting their stuff? Years? I don’t think so.
Sure, the phrasing without context is a bit shocking. But once people are over that, I don’t see why the news should remain so surprising.
Mahhn
gads, use Clonezilla (or similar) and make an image of your PC. Keep a copy of sensitive files off line. HDs are cheap, get an external. This is so basic.. It’s the way.
Batman1111
I wouldn’t pay up, easy to work around. It’s just a farce!!!
Paul Ducklin
The FBI is right. For most, though admittedly not all, modern Windows ransomware, a backup or a pay-up is your only way out.
As for “easy to work around,” good luck with that. Old-school lockscreen ransomware could be bypassed. A lot of modern encrypting ransomware is not so easily side-stepped.
twatter (@a3456gf)
Here’s a more comprehensive list of practices against ransomware:
1.) Use antivirus + antimalware software (optimally from 2 different companies)
2.) Do regular backups (different mediums, offline stored)
3.) Do not use explorer. Use a 3rd party browser with adblocker plugin
4.) Prevent the execution of files from /temp /appdata (you can set this through group policy or the cryptoprevent tool)
5.) Do not browse the net carelessly, avoid clicking on short links, or links from unknown sources
6.) Always verify the the sender of the email and the attachment.
7.) Make file extensions visible (many ransomware spreads with files named xxxx.pdf.exe and similar)
8.) Make sure that your OS and apps are up do date (including browser plugins like java and flash)
9.) if you have to open a file or link from unknown source, do it first in an offline virtual machine
stuart
Is this any different to overworked police forces suggesting to private citizens, (victims of theft) that they should just submit an insurance claim because frankly the limit to police resources means that recovery of goods is unlikely to ever happen?
Anonymous
Most of the folks here seems to think backups are a magical panacea. But if your backup is performed using your normal user account and the backup location remains online, (both common in home and small business settinggs) the malware can (and apparently in some cases, does) encrypt the the backup files. The original blogger does say “Make regular backups, and keep at least one offline.” but that is not completely foolproof. How fast can you unplug a disk drive? Do you know how many instructions your machine can execute in a millisecond?
The point is, how you do the backup can matter. A strategy to protect against human error or accidental events my not be sufficient to protect against deliberate attack.
Charles Onyango
Truly there should be a way of dealing with cyber criminals internationally. Computer experts and FBI should develop a tracking facility which is able which is able to block and expose such criminals.