Does crime really pay? In the case of ransomware, the answer is clearly yes, as hackers and cyber criminals increasingly rely on these lucrative extortion-style attacks to force internet users to pay money in order to unlock their own encrypted computer files.
From bank details to personal family photos, a ransomware attack will typically lock down everything on a computer system until the money is paid, usually demanded in the form of a cryptographic currency such as bitcoin. Indeed, based on the success of such attacks, an entire underground industry has evolved around the use of ransomware tools, even going as far as to offer a twisted form of 'customer service' to walk unwitting victims through the payment process.
On 12 May NHS hospitals across England fell victim to a massive cyberattack which installed ransomware on thousands of computers, locking hospital staff out of their computers and demanding a ransom payment. Hospital staff were forced to use pen and paper as computers were shut down to prevent further damage to the IT network.
Photographs claiming to be of the ransomware used in the attack show a $300 (£230) payment in bitcoin was demanded to unlock each compromised computer.
Research from security firm Bitdefender has previously reported that four in ten UK ransomware victims have paid to recover their documents, and over 30% of those surveyed said they would pay up to £400. The report predicts the problem will only get worse in the years ahead.
So, if you are hit with an unexpected ransomware attack, should you pay? For those working in the security industry the answer is a resounding no.
"My recommendation would be to not pay at all, as you would quite simply be funding criminal behaviour," Mark James, security specialist at security firm ESET, told IBTimesUK. "Making sure your applications, operating system and security software are up to date and making sure you back up regularly is the best defence against this type of behaviour. Backup options these days are so cheap it really is a no-brainer: do not pay."
Files on lockdown
"Ransomware is a particularly nasty form of malware because once you are hit with its encryption, your files are toast," warns Rahul Kashyap, principal systems engineer with security firm Bromium. "Anti-virus can't do anything to bring those encrypted files back to you.
"Many times, when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work. The ransomware trend will only continue if those infected continue to pay the ransom. We cannot encourage this behaviour, so we suggest these ransoms are not paid."
Currently, the most popular type of ransomware is arguably 'Cryptolocker/Cryptowall' – a 'malware-as-a-service' tool that can cost as little as $3,000 worth of bitcoin on the dark web. Yet like all software, ransomware comes in many forms – from simple screen-lockers to mobile-friendly versions. Traditionally, ransomware works by encrypting a selection of sensitive files before generating a cryptographic key for each one – rendering the data unusable to the victim. To illustrate the scale of the problem, the Cyber Threat Alliance, a group of cyber-security vendors who regularly share threat intelligence, recently estimated the damage done by CryptoWall alone was over $300m worldwide.
Often, victims will see a warning screen like this:
[image: ransomware warning screen, not reproduced]
Sean Sullivan, a security expert with Helsinki-based security firm F-Secure, takes a more nuanced view: the response to a ransomware attack should depend on what type is found on the system. "I would not pay 'police themed' browser/desktop-locking ransomware," he told IBTimesUK. "Paying doesn't do anything. The crooks historically just take the money. This is true in all of the cases I've researched.
"Conversely, when it comes to data-file-encrypting crypto-ransomware on a Windows PC, paying the ransom does typically result in a decryption tool being delivered to the victim. The crooks honour the deal.
"But I recommend that you don't just pay what is asked. Negotiate. If you honestly can't afford the ransom, make your case via the support form. There are numerous cases documented in which negotiations resulted in a lower ransom fee. And if you have data that you need to recover, paying £300 is better than paying £500."
"No honour among thieves"
Troy Gill, manager of security research at US-based security firm AppRiver, said that 'feeding the fire' by paying the criminals should be avoided when possible. "Keep in mind that the only reason these thieves keep making these attacks is because people are paying them," he told IBTimesUK.
"If all of the victims stopped paying ransoms, they wouldn't have a successful business model, whose core objective is to steal your money. Just remember, there is no honour amongst thieves so don't be surprised if they take your money and never give you the key to unlock your files. Additionally, these thieves are often associated with larger criminal organisations that use the money to fund their illegal activities, so do you really want to reward them further?"
In the most recent example of a widespread, serious ransomware attack, a US hospital was breached, with the hackers demanding over 9000 bitcoins (about $3m) to unlock vital computer files. Following the breach, LAPD and FBI security experts were called in to investigate. Yet there is evidence that even these expert law enforcement groups are unsure about how best to respond to the threat of ransomware.
"To be honest, we often advise people just to pay the ransom," admitted Joseph Bonavolonta, assistant special agent in charge of the FBI's Cyber and Counter-Intelligence Program in its Boston office, during a security conference last year. "The ransomware is that good."
However, one thing is certain: not many security experts would agree with this assessment, at least in public. Yet as Amichai Shulman, chief executive and technical expert at security firm Imperva, told IBTimesUK: "As long as the FBI suggest that people pay the ransom, this industry is going to thrive."