Ransom: To pay nothing or not to pay? That is the question

Three reasons not to pay cyber-extortionists — and what to do if you get hit.

Sometimes, reading an article about what to do in case of a ransomware attack, I come across words like: ‘Think about paying up’. That’s when I sigh, exhale with puffed-out cheeks… and close the browser tab. Why? Because you should never pay extortionists! And not only because if you did you’d be supporting criminal activity. There are other reasons. Let me go over them here:

First, you’re sponsoring malware

Cybervillains, malicious actors, extortionists, cybercriminal groups… – they’re all bad guys, and if you pay them a ransom, you’re giving them the income they need to keep doing what they do: negatively affecting the lives of innocent people. A vicious circle would set in: they encrypt you, you pay them, they encrypt others…

Basically, there are two ways to wean extortionists off their nasty habit: they can be rounded up (which we periodically assist with), or their activity can be made unprofitable, forcing them to find respectable employment. They don’t seem to realize that programmers earn quite a decent wage.

So how can their activity be made unprofitable? If victims stop paying, that’s how. ‘That’s all very well,’ I hear you say, ‘we too want world peace and fairness and justice for all, but my data just got encrypted and my company could go bust without it.’ Even so, don’t pay up! Bear with me…

Second, you might not get your data back

Agreements with cybercriminals are never written in stone – there’s no contract that’s signed. Even if there were, since when have you heard of criminals ever being respectful of legal niceties? Thus, paying up does not necessarily mean your files will in fact be decrypted.

Recall ExPetr/NotPetya — since a unique user ID was generated completely randomly, it was simply impossible to decrypt the files. Even the attackers themselves couldn’t do it! So all the money in the world wouldn’t have helped at all. And ExPetr/NotPetya is hardly an isolated case. It’s not uncommon for cybercriminals to make coding errors. And while sometimes such errors allow us to create a decoder, other times, on the contrary, they prevent even the coders themselves from developing one.

There was a recent case when a cybersecurity expert publicly asked a cybercriminal group to fix a bug in its ransomware Trojan to stop affected files from being corrupted irrevocably. It’s hard to know whether to laugh or cry! So, to sum up: if you decide to pay up, just remember there’s no guarantee you’ll get your files back – ever.

Third, they can extort more from you

It’s happened before: cybervillains attacked an organization that paid a whopping $6.5 million to get its data back. Two weeks later the same cybervillains encrypted the same data again with the same methods, and were rewarded with yet another hefty ransom!

The real problem in that example was that two weeks wasn’t long enough for the organization to patch the hole that the intruders had crawled through the first time. Crooks who strike lucky once may try again, simply because they can: they’ll probably still have your data (they may have deleted it, but probably not).

The only way out is to not pay up at all – not even once. If you do, you might get a second, third, then fourth demand, because the baddies will come to see you as an easy, steady source of income.

So what should be done?

Let’s say you’ve decided – correctly – not to pay the racketeers. Now what? Your files are encrypted/stolen, and the cybercrooks are threatening to publish everything. What a mess. Here’s what to do:

Stay calm and look for a decryptor. One either already exists here or here, or, if not, may appear later. We release and update them regularly as part of our process of studying malware and catching intruders.

Talk to the vendor you bought your protection system from. First, find out how it happened that you got encrypted. Second, ask the vendor for help with the decryption: it might be that the vendor knows what to do, and they probably will want to help you – a valued customer. They’ve got your security at the forefront of their minds, and they’ve also got their reputation to think about: fairly priceless for a security company.

That said, it’s always better, of course, to strengthen your defenses so as to be able to prevent infections in the first place. But never pay up! If everyone stops paying, the cyberextortionists will gradually end their racket, and the world will be able to breathe a little easier.