Cryptolocker ransomware - Flickr

What do you do if you are the victim of ransomware? For several years, the FBI has recommended that you do not pay when malicious software is used to encrypt or otherwise hold data hostage until a payment is made (a.k.a. ransomware), according to CSO. This position was forcefully echoed by one of the nation’s highest-profile security bloggers – Brian Krebs – in a recent post.

Unfortunately, this advice has not always been followed. The Ponemon Institute reported in a recent study that 48 percent of businesses victimized by ransomware said they paid.

The reality is that the success of ransomware isn’t just increasing. It’s exploding. According to the FBI, the collective amount of ransoms paid in all of 2015 in the U.S. was $24 million. Gartner shared at its 2016 Security & Risk Summit that ransomware is likely to have netted organized cybercrime more than $1 billion in 2016.

The problem is likely worse than the findings. The FBI said many victims don’t report it, “for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.”

The reasons for ransomware’s attractiveness to cyber criminals are not complicated. It doesn’t take all that much expertise – it has been widely reported that it is easy for so-called “script kiddies” to buy or lease the malware on the Dark Web.

ransomware attack is potentially more damaging than a data breach, especially to a business. No organization wants its data stolen, but it can continue to function after it discovers a breach. If all of its data are encrypted and it doesn’t have a backup, it can’t function.

As a white paper by the Institute for Critical Infrastructure Technology (ICIT) noted, the ransom demanded is generally not a crippling amount. For individuals, it tends to be a few hundred dollars in Bitcoin. “From law enforcement’s perspective, a home burglary results in greater loss than a singular ransomware attack,” the report said, which means law enforcement will rarely devote “significant resources” to investigating it.

According to a recent U.S. Government report, there have been approximately 4,000 ransomware attacks per day in 2016– a dramatic increase over the 1,000 attacks per day reported in 2015. Compared to today’s payment of about 2 Bitcoins or $670 daily, the report estimates the average ransom will substantially increase to be $300,000 per day.

According to ICIT, Joseph Bonavolonta, the Boston-based head of the FBI’s CYBER and Counterintelligence Program, got into trouble with Sen. Ron Wyden (D-Ore.) in October 2015 when he said, “To be honest, we often advise people just to pay the ransom.”

After Wyden complained, the FBI “clarified” that its position was, “only to pay the ransom if mitigation steps failed and the only other option was to lose the files.” Those factors, which all contribute to the success rate of ransomware attacks, are some of the same reasons victims are motivated to pay – they are desperate to recover their files, and they can afford the price more easily than they can afford to lose their files.

Of course, there is plenty of logic behind the FBI’s arguments as well. The primary one is that paying simply makes the problem greater – the more criminals make, the more they will attack.

The bureau and others also note that there is no guarantee that criminals will produce an encryption key once the ransom is paid, or get rid of the malware on the device, meaning a victim could get victimized again.

Krebs said victims do have options, even if they don’t have a current backup. He recommended contacting two websites – No More Ransom and Bleeping Computer – which provide free solutions to at least some ransomware variants.

Krebs said No More Ransom, which is backed by security firms and cybersecurity organizations in 22 countries, had saved 6,000 victims of ransomware more than $2 million by December 2016.

But that statistic, say other experts, shows that while it is a laudable initiative, it is unlikely to slow the explosive growth of ransomware – $2 million is barely a rounding error in the total being collected by cyber criminals.

Stu Sjouwerman, CEO of KnowBe4 explained that the decision not to pay is not always that easy. He said it comes down to a cost/benefit calculation. “It becomes a no-brainer if you are faced with a failed backup and more than a month of lost data that could shut you down.”

Ed Cabrera, chief cybersecurity officer at Trend Micro, also noted the divide between what should happen and what does happen. “The consensus is clear that paying ‘should’ never be an option,” he said. “However, as companies fail to plan, they are planning to fail when it comes to ransomware attacks. This is obviously a very lucrative business in the Deep Web and is only going to continue evolving to different file types and systems that are very important to companies and consumers.”

Given the previous statistics, it is apparent that many organizations are failing to plan. CSO sees this as puzzling, because ways to prevent ransomware are reasonably straightforward and widely publicized, including on the FBI website. The most important thing is to back up data regularly, and secure the backups – don’t leave them connected to the computers and networks they are backing up – so they can’t also be infected by an attack.

Krebs has his own Three Rules of Online Security:

  1. If you didn’t go looking for it, don’t install it.
  2. If you installed it, update it.
  3. If you no longer need it (or, if it’s become too big of a security risk) get rid of it.

Ransomware is an increasing risk. If your organization has not already taken precautions, it is at least worth putting it on the agenda for your next security meeting.


Ryan Lahti is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: @ryanlahti

(Photo: Cryptolocker ransomware, Flickr)