Ransomware victims: Just pay up, grin, and bear it – says the FBI

Firms that fall victim to infection from file encrypting ransomware should simply pay the ransom, Joseph Bonavolonta, an assistant special agent with the FBI, told delegates to Boston's Cyber Security Summit 2015, adding that developments such as CryptoWall are essentially unbreakable. “To be honest, we often advise people …

  1. This post has been deleted by its author

    1. sisk Silver badge

      I can name one excuse: The backup system was affected by the attack and thus all the backups were encrypted by the same ransomware as everything else. This happened to the Public Services department of the local junior college (where my dad's an instructor). They lost 30 years' worth of data, but being an educational institution, paying the ransom was not an option. The budget just wasn't there.

      Now quite how the backup system was affected I have no clue. That's not my IT department. My IT department would have had a year's worth of backup tapes in a fire safe and at least another seven years' worth safely tucked away in a safe deposit box. I can only assume that either they used a tapeless backup solution or that the ransomware had been on the system longer than their tape rotation cycle before it was noticed.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Tell your Papa to Save a Copy...

        ...of the encrypted data. Encryption breaking is a fast advancing technology...if "technology" is the correct term to use here...and a tool to decrypt the hostage data should materialize within a decade. I realize that this is a repulsive solution on many levels, but it's cheap and almost certain.

      3. werdsmith Silver badge

        My IT department would have had a year's worth of backup tapes in a fire safe

        Nobody is going to be much impressed if you offer to restore year old backups in a full recovery scenario.

        1. This post has been deleted by its author

        2. sisk Silver badge

          Nobody is going to be much impressed if you offer to restore year old backups in a full recovery scenario

          You misunderstand. We have this week's tapes in the drive, the previous weeks plus the first week of each month from the last year in the tape safe, and the first set from July for the last seven years plus the two weekly sets previous to last week in the safe deposit box. Our worst case scenario is two weeks' worth of lost data. And that scenario would require someone leaving the fireproof tape safe open (or dousing it with something that burns at 3000+ degrees) and the building burning down. Anything less dramatic than that and we can't lose more than a week's worth.

        3. MonkeyFedge

          More impressed than if you tell them you can't restore anything though.

      4. theOtherJT

        Re: I can name one excuse

        The backup system was affected by the attack and thus all the backups were encrypted by the same ransomware as everything else.

        Ok, but what the hell was holding the backups? I get that the article said ransomware is becoming increasingly sophisticated, but how sophisticated are we really talking about here?

        My nightly backups go to a large ZFS array running on a BSD box. I'm reluctant to believe they're going to have any joy infecting that.

        The weeklies go offsite to a huge disk repository running some kind of scale-out filesystem on Linux (I'll be honest, they won't let me on site with them, so I don't really know what's in there) and from there the monthlies are laid down on 3 tapes which are stored in 3 different safe locations.

        I'm fairly certain whatever this is isn't getting to any of that either.

        The only way I can see this happening is if the "backup" is just an NTFS shared folder on an unloved and unpatched Windows box - which might be sufficient to protect a home user from the little things like "My hard disk failed" but isn't appropriate for a business situation, where valuable data is involved, surely?

  2. Anonymous Coward

    The price you pay for not having back-ups, I guess. Just be glad you're able to get your data back.

    1. This post has been deleted by its author

      1. Mark Simon

        Second Worst Case Scenario

        Dead right!

        Losing your data to some evil hound is bad, and you can probably think of hundreds of things you would like to do if you ever got to meet the bastard, but losing your data to a disk crash is something most of us have experienced and should now be prepared for.

        It amounts to the same thing — you laugh all the way to your backup.

        What’s needed, however, is for the operating system to make frequent backups simple and automatic. Time Machine on the Mac, and whatever else is available on Windows should be a bare minimum.

    2. Don Dumb

      you *are* able to get your data back?

      @AC - "The price you pay for not having back-ups, I guess. Just be glad you're able to get your data back."

      That assumes that paying the ransom *will* actually get your data back. There's nothing stopping the perpetrators from simply pocketing the money and going silent. It's amazing the amount of trust people place in faceless, ruthless, criminals who have no incentive to actually do what they are claiming to. Considering some organisations can barely afford to pay the ransom, paying the ransom without any confidence that you will get your data decrypted really is taking a risk.

      Especially as a smart criminal could simply give the decryption key, while remaining present on the network and re-encrypting the data again (perhaps they already have), for another payout in a year's time. Before you know it there's an unhealthy protection racket going. I'm betting that a small organisation that gets badly hit by a ransomware attack would doubtfully be completely secured after the cleanup, which probably wouldn't completely clean up the mess; the best targets are the ones you've already hit.

      <evil thought>The best time to hit an organisation with a ransomware attack would be just as they are rebuilding the network and storage following a previous ransomware attack, then you can be sure that all data is within the reach of the attack. You probably wouldn't even have to leave the network, just stay low in a rootkit somewhere on a network device, biding your time.</evil thought>

      1. werdsmith Silver badge

        Re: you *are* able to get your data back?

        That assumes that paying the ransom *will* actually get your data back. There's nothing stopping the perpetrators from simply pocketing the money and going silent. It's amazing the amount of trust people place in faceless, ruthless, criminals who have no incentive to actually do what they are claiming to.

        Apart from good old customer service.

        If these criminals took the money and failed to deliver the hostage data back, then no subsequent victim is going to pay them knowing they will get nothing for the money.

        1. Don Dumb

          Re: you *are* able to get your data back?

          @werdsmith - "If these criminals took the money and failed to deliver the hostage data back, then no subsequent victim is going to pay them knowing they will get nothing for the money."

          Except that people don't like to state that they paid ransoms and thus wouldn't like to admit they paid a ransom that didn't work.

          It would seem that there are some stories of ransomware ransoms not resulting in decryptions. An indication - https://blog.kaspersky.com/cryptolocker-is-bad-news/3122/ "It comes as no surprise that a few infected users that paid the ransom are saying that they never received the decryption key in return"

          Because many groups use ransomware, one could make a lot of money without having to give out decryption keys, as so many will pay out in desperation in case they are held by a group that does decrypt. It is still a case of putting a lot of trust into a group that doesn't deserve it.

      2. This post has been deleted by its author

        1. Don Dumb

          Re: you *are* able to get your data back?

          @1980s_coder - "No, because in this case once the data has been de-crypted, you should do a fresh, full backup of everything, (just as you should have done before for forensics), re-install OS and applications from read-only media, or digitally signed sources, and finally manually restore your configuration files and user data, after looking through them to be sure that they are safe and uncompromised."

          You misunderstand me. Yes, one *should* do as you stated, but considering many companies have gotten into this situation and didn't have good backups, what are the chances they don't do anything or everything that you list? Just look at some of the examples above.

          Many small organisations barely had the money to pay the ransom; I'm betting they had terrible sysadministration before, that got them into the mess, and they won't have the resources or nous to properly prevent the situation afterwards.

          Most organisations that do as you state probably wouldn't have gotten a ransomware problem in the first place (because they had good security, long term offline backups, etc). I'm betting most organisations that do get ransomware infections they can't clear up without paying ransoms are still good targets after they have had to pay the ransom. Just cows to be milked.

        2. Tom 13

          Re: you should do a fresh, full backup of everything

          And ensure the malware that got you in the first place is now part of your recovery process?

          Yeah, I know you mean after you've cleaned up the system, but how can you be sure you did that successfully? Sure you can build all the new systems from scratch, but at some point you have to get the data from the infected system to the clean one.

          Yes, a merely competent sysadmin should be able to recover you from a ransomware threat just by going to the backups. I'm just not convinced that even an excellent sysadmin can get you a clean system after a bad one has been compromised.

          1. This post has been deleted by its author

  3. Christoph Silver badge

    And that is called paying the Dane-geld;

    But we've proved it again and again,

    That if once you have paid him the Dane-geld

    You never get rid of the Dane.

    1. elDog Silver badge

      Paying the Dane-geld - Yup

      You never get rid of the Dane.

      Many of us with some Northern European genetics have been infected before and will be paying for our lives and our descendants. However, there are worse things, like not having any hard disks at all.

  4. moiety

    So which FBI office copped a dose?

  5. TaabuTheCat

    Restoring... Maybe.

    It's easy to be glib and just tell people to back their stuff up, but with the increasing sophistication of these programs, quick restores may not fully address the problem. Some of the slow-encrypting variants that make a mess of your files *over time* defy the "we'll just restore from yesterday's backup" answer. If the crook is patient and careful enough to stay under the radar for some period of time, good luck figuring out your good restore points - and for what files. It's not that it can't be done, but it's going to be one hell of a research project to get your files back - assuming your backups go back far enough.

    Don't underestimate the ability of these guys to make a huge mess of your tidy little IT environment. If you don't have canary files hanging around with really solid alerting, and good endpoint detection tools (and NO, AV doesn't qualify) then you'd better pray you don't get targeted by a patient adversary.

    1. elDog Silver badge

      Re: Restoring... Maybe.

      And don't forget that they may have infected the OS and even the firmware.

      Mount that nice backup volume such as a USB disk and watch it also become infected/destroyed.

      1. werdsmith Silver badge

        Re: Restoring... Maybe.

        And don't forget that they may have infected the OS and even the firmware.

        Don't most people now just magic up a new VM from a template on an ESX or HyperV host?

    2. JoeF

      Re: Restoring... Maybe.

      Besides proper backups implement access controls. Most people don't need Admin rights on their work PCs, most people don't need write access to shared directories.

    3. This post has been deleted by its author

      1. Pascal Monett Silver badge

        @1980s_coder

        Yes but that is exactly the problem : many computer users are new to the environment and have barely enough knowledge of IT to do their work correctly, let alone prepare and execute contingency plans for things they have never even heard of.

        Computers are a great tool, but they are also a world of risk that few users are even aware of. People who just work with them don't even know what they risk until it happens - and most of them don't even bother with the backups people who do know keep telling them about.

        I think most people view computers like their car : bring it to the garage when it breaks. Only then do they learn that, unlike a car, repairing can well mean losing everything they stored in it.

        1. This post has been deleted by its author

    4. werdsmith Silver badge

      Re: Restoring... Maybe.

      There are legitimate versions, businesses that do disk recovery for busted RAID sets, or HDDs for people that have had problems that required backups and discovered them to be not what they'd hoped...

      (a backup strategy is not up to much if it isn't regularly tested).

      These data recovery companies don't charge a normal hourly rate consistent with other expertise in the business. They charge tens of thousands for a day's work because they can and because the loss of that data will cost the business far more.

  6. king of foo

    Trusting a US government agency on data/security matters post Snowden????

    Can't No Such Agency provide a recent backup of the data..

  7. Triboolean

    Blame the victim

    "Have backups" Yes, always a good idea.

    But this crap of blaming the victim as if thievery was the norm and just trying to go about your business is a target on your back when the bad guys come calling? Gimme a break.

    <rage level="nuclear">A proper solution is to track down the human garbage that does this and take them out.</rage> Err, a proper solution is to track them down, give them a fair trial, and then hang them.

    1. Boris the Cockroach Silver badge

      Re: Blame the victim

      Which is a far better use of the NSA/GCHQ 's time than trying to listen in on every single phone conversation on the planet at once.

    2. a_yank_lurker Silver badge

      Re: Blame the victim

      Hanging, you're too kind - dousing in boiling oil is more like it.

    3. Tom 13

      Re: Blame the victim

      While the major blame always falls on the criminal, sometimes it IS appropriate to blame the victim. If you know you have to walk through the seedy part of town, you don't dress up in your best tux and adorn yourself with diamond studded gold cuff links/finest silk evening gown and best pearl necklace.

      The thing is, in physical space you get that separation between the good part of town and the seedy part. With the internet, it all comes right to your doorstep including the worst drug dens of seediest part of the seediest town on the planet. If you aren't willing to deal with that reality, get off the internet.

  8. Scott Broukell

    Erm . . .

    I know a certain ISP in the UK who could do with some encryption right now - just saying.

  9. Anonymous Coward

    This is precisely why

    ...all hackers and purveyors of malware should be executed. They'll never commit another crime after they are dead.

    1. Flatpackhamster

      Re: This is precisely why

      The Lord Vetinari school of thought.

      1. Arctic fox

        Re: This is precisely why

        I think that with Lord Vetinari scorpion pits rather than hanging would have been involved.

        1. Peter Stone

          Re: This is precisely why

          No, the scorpion pits are too quick & clean. For this crime it would have to be......... The kittens!!

      2. allthecoolshortnamesweretaken

        Re: Vetinari

        Nah, Vetinari would add them as one more item to his bags of tricks and use them as he would see fit.

  10. Anonymous Coward

    Sure, maybe backups aren't perfect, though I have faith in mine. But if you don't even TRY, then sorry, you lose all right to complain.

    1. This post has been deleted by its author

  11. Anonymous Coward

    pay the criminals

    and get nailed by the FBI!!!!

  12. Anonymous Coward

    I for one...

    am glad the FBI doesn't write the script on what to do when a PERSON is held hostage for ransom. Thankfully people aren't as important as a business' data.

    I wonder if there's a training class where they teach federal agency employees how to use both sides of their mouth when speaking.

    1. Roo

      Re: I for one...

      "I wonder if there's a training class where they teach federal agency employees how to use both sides of their mouth when speaking."

      I think you'll find they talk out of their arse nearly all the time.

    2. allthecoolshortnamesweretaken

      Re: I for one...

      I think you'll find that they did write the script.

      https://en.wikipedia.org/wiki/Federal_Kidnapping_Act

      https://www.fbi.gov/about-us/cirg/tactical-operations

  13. chivo243 Silver badge

    Sad story is

    More times than not, the crims are many steps ahead of johnny law. I guess it goes back to Necessity is the Mother of invention?

    Law enforcement and anti-virus software, always behind the curve.

    1. GrumpyOldBloke

      Re: Sad story is

      The sad story is that many times the crims are Johnny Law. Whether it be the CIA smuggling drugs to fund weapons, or Fast and Furious smuggling weapons to fund drugs, or those amazing ransomware authors whose activities fall smack bang in the middle of the oft stated purpose of the NSA/GCHQ/ASIO et al. and yet nothing can be done. With Russia having blown up many US proxy assets in the Mid East we can expect these ransomware scams to increase. Dystopia on a regional scale doesn't come cheap.

      1. asdf Silver badge

        Re: Sad story is

        > With Russia having blown up many US proxy assets in the Mid East

        Keep thinking it was anything the Russians did and not general US government policy incompetence. They would want that. The Russians are betting the farm in Syria precisely because they have even less influence in the Middle East now than even the US.

        1. GrumpyOldBloke

          Re: Sad story is

          ISUS R US were advancing prior to the Russian bombing, now they are not. While the Russians are definitely trying to get back to the position they had in the ME prior to the wars against Iraq and are protecting their bases in Syria, I don't think you can chalk this up to US incompetence. The US were dressing mercenaries as freedom fighters and pretending they were supporting the good guys in a civil war (friendly organs of their enemies eating moderate terrorists) - it had worked before. Their bluff has been called and they are back to a slow expensive cold war against Russia possibly aided by China. Only this time it is the US and NATO economies in ruins plus NATO members under pressure from sanctions and refugees from all the other 'civil wars'. We will have to see if Russia has the manufacturing strength and the cyber security to push back against the warlords in Washington, London and Tel Aviv. Putin with his ~90% approval rating can take his country with him. Our side - I am not so sure.

          1. asdf Silver badge

            Re: Sad story is

            >Only this time it is the US and NATO economies in ruins

            As compared to Russia or even China's economy? US economy is fine. As far as push comes to shove the US is not doing shit (other than lame covert symbolic stuff) in Syria as long as they don't mess with the US homeland. Obama talks a good game but he knows Assad and Russia winning is not even close to the worst option.

    2. Anonymous Coward

      Re: Sad story is

      Law enforcement and anti-virus software, always behind the curve

      until they start giving the AV companies a prior copy of the virus they intend to release or Minority Report comes to fruition, they'll always be behind

  14. sisk Silver badge

    Backups!

    More important now than ever thanks to ransomware.

  15. dan1980

    Paying ransomware seems rather on par with paying patent trolls: prudent for an individual in the short term but perpetuating the problem in the long term.

  16. Anonymous Coward

    Even from a pure individual pragmatism perspective

    this advice looks incomplete.

    If you 'just' pay the ransom I guarantee you'll be flagged as a soft target and it will happen again sooner rather than later. For most people and organisations that aren't high profile security is about being more diligent than the mass of other potential targets out there.

    If you're secure enough not to get hit or get hit but can detect early, segregate data and restore from good backups then you're unlikely to be specially targeted again in the short term. Any organisation, small or large, that gets hit, quietly pays up and considers that that's the end of the matter will definitely find a different but eerily similar looking set of Danes on their doorstep again soon.

    If you get hit and have no alternative to paying then pay but for God's sake put some money and time into planning the layered defences you should have had in place beforehand. If you consider that you can't afford that because you just spent the money on a ransom then your judgement is probably not good enough to run a business that anyone should deal with.

  17. Tikimon Silver badge

    Divert some FBI/NSA/etc TOR and encryption-busting effort to this!

    Hey FBI wankers! Why don't you and the rest of the anti-privacy gang divert some of the resources you're using to break encryption, HTTPS, and TOR to this problem? You've got billions budgeted to rape away our Constitutional protections, but can't spare a few processor cycles to break Ransomware for the public benefit? Instead you shake your head sorrowfully and say "just pay up"?!?! Do you puling bastards do ANYTHING for the citizen anymore, or are you simply the New Stasi?

    Bazdmeg az anyad kurvapicsajat, lo fasz a seggedbe! (grrrr...)

  18. Anonymous Coward

    Or...

    The cops could do their jobs. What other criminals do they want us to bend over for?

  19. Bill Michaelson

    Backup procedure enhancement

    Apparently backup procedures need a validation component. This is probably application-specific, but certainly practical in most cases, isn't it? Can a backup region be seeded with validation markers that would be corrupted by rogue encryption that the ransomware cannot detect?
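    The validation markers Bill Michaelson asks about, and the canary files with solid alerting that TaabuTheCat mentions earlier in the thread, can be built in a few lines. The following is an added example written for this page, not code from any commenter or product: it seeds a backup region with files of random content under inconspicuous names, keeps a hash manifest outside that region, and on each check reports any canary that has gone missing or changed, which is exactly what bulk or slow-burn encryption would do to it. The tampering in `demo()` is constructed (it simply overwrites one file and deletes another) so the check can be exercised offline.

```python
"""Canary files for backup validation (added example, not from the original thread)."""
import hashlib
import json
import secrets
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large canaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canaries(backup_root, count=3, size=4096):
    """Drop `count` canary files of random bytes into the backup region.

    Returns a manifest {relative_path: sha256}. Store the manifest OUTSIDE the
    backup region (e.g. on the monitoring host), so it cannot be altered along
    with the data it validates. Random names and random content mean nothing on
    disk marks the file as a canary, addressing the "cannot detect" concern."""
    root = Path(backup_root)
    manifest = {}
    for _ in range(count):
        rel = Path(secrets.token_hex(6) + ".dat")  # inconspicuous filename
        data = secrets.token_bytes(size)
        (root / rel).write_bytes(data)
        manifest[str(rel)] = hashlib.sha256(data).hexdigest()
    return manifest


def verify_canaries(backup_root, manifest):
    """Compare every canary on disk with the manifest.

    Returns {relative_path: 'ok' | 'modified' | 'missing'}. Any status other
    than 'ok' means the backup region was written to by something that is not
    the backup job, and should page someone."""
    root = Path(backup_root)
    report = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            report[rel] = "missing"
        elif sha256_file(p) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def alerts(report):
    """Sorted list of canaries that should raise an alert (anything not 'ok')."""
    return sorted(rel for rel, status in report.items() if status != "ok")


def demo():
    """Seed, verify, then apply constructed tampering and verify again."""
    with tempfile.TemporaryDirectory() as d:
        manifest = seed_canaries(d)
        before = verify_canaries(d, manifest)
        rels = list(manifest)
        (Path(d) / rels[0]).write_bytes(b"x" * 10)  # constructed: content replaced
        (Path(d) / rels[1]).unlink()                 # constructed: file removed
        after = verify_canaries(d, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before": before, "after": after, "alerts": alerts(after)}, indent=2))
```

    In practice the verify step runs on a schedule from a host that only has read access to the backup region, and the alert goes to the same place as the backup job's own success or failure notices. Because the canaries change only when something other than the backup job touches the region, a "modified" result on an old backup set is also the signal TaabuTheCat wants for finding the last clean restore point.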

  20. Vendicar Decarian1

    So let me get this straight. Companies produce bad software that is vulnerable to online attacks, and that often gives the attackers root access to the OS.

    Then they put this software on line so it can be attacked and often give root access to the attackers.

    Then when users of this software are attacked and bad things happen, they demand action from government to stop the attacks, while ignoring the fact that they would be secure if

    1. The software wasn't crap.

    2. The software wasn't on line.

    3. They were too stupid to realize 1 and 2.

    Hold software developers responsible for their failures and software will become secure overnight.

    1. Boris the Cockroach Silver badge

      A little correction is

      needed

      Hold software sellers and their executives responsible for their failures and software will become secure overnight.

      There, because as we've found out with VW, it's all too easy to blame the guys on the shop floor when in reality, it's board-level decisions cocking everything up


Biting the hand that feeds IT © 1998–2019