BreachExchange mailing list archives

Why the FBI is wrong: you should never pay ransomware


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Nov 2015 16:41:19 -0700

http://www.itpro.co.uk/malware/25613/why-the-fbi-is-wrong-you-should-never-pay-ransomware

ProtonMail, a Swiss-based encrypted email service provider, knows all too
well about the futility of paying a ransom.

It did precisely that this month in order to stop a DDoS attack that was
crippling its networks and those of some upstream providers. However,
despite coughing up the 15 bitcoins (about £3,750) ransom the DDoS
continued. I mention this as it is a great reminder that the bad guys are
called 'bad' for a reason: expecting them to be reasonable and do what you
perceive as the right thing following the payment of a ransom is, frankly,
naive in the extreme.

Yet just last month, FBI agent Joseph Bonavolonta told delegates at a
security conference that "we often advise people just to pay the ransom"
when it comes to ransomware.

While this seems like a crock of the first order, some have suggested there
is sense in the advice. The argument being, from a purely business
perspective, one has to ask whether the time and money spent trying to free
your data from the encrypted clutches of well written ransomware will be
more or less than just paying the ransom and moving on.

The truth of the matter, as the ProtonMail example highlights, is that you
can't actually trust the bad guys, so paying any ransom is always going to
be a gamble. The FBI advice is about as useful as a one-legged man at an
arse-kicking party.

When it comes to paying a ransom to decrypt your data, the odds are stacked
against you in my experience. How so? Well, quite apart from the trust
issue (and yes I am banging on about that, for a very good reason) there's
the coding issue.

Take the Power Worm ransomware that was spotted doing the rounds recently -
it was so badly coded that the attackers couldn't decrypt your locked up
data even if you paid the release fee and they wanted to. Why so? Well,
this variant was so full of bugs that it effectively destroyed the keys
required to decrypt data.

Not that all ransomware code is a pile of crap. The latest iteration of
Cryptowall, for example, appears to be pretty well written, and has tweaked
the encryption process and the way it evades detection in the first place.
This is probably why the folk behind Cryptowall have raked in ransoms in
the order of hundreds of millions of pounds, according to the Cyber Threat
Alliance.

So, going back to our FBI man and his advice, should you pay the ransom?
And is paying up the only way to deal with this type of ransomware? My
answer is always going to be no. A big fat no, in fact. The most effective
way to deal with ransomware is with a pre-emptive twin-pronged strategy
that involves not getting infected and having suitable data backups just in
case you do.

In terms of prevention, ensure you are using endpoint protection that's up
to date so as not to get hit with old threats. Ditto as far as system OS
patches and application updating are concerned: the smaller your insecurity
footprint, the less opportunity for the bad guys to strike.

This is why staff training and awareness also play into this, with
phishing/social engineering techniques being another common route to
infection. In fact, when it comes to ransomware infection mitigation we are
talking the same old, same old. Don't open files attached to unsolicited
emails, don't click on untrusted links, yada yada yada.

The target of these attacks is your data, but rather than attempts at
exfiltration, the attackers want to lock it down and stop you accessing it,
so you need to focus on that as well. The solution is simple enough: back
it up. More to the point, have a backup strategy that involves multiple
backups (local and cloud) which include 'air-gapped' ones so as not to all
be hooked into the same computers and networks that might get infected.

Minding the gap means that if the worst did happen you can simply wipe
things clean and start again where you left off. Hopefully. Erm, I should
mention that there are some ransomware variants which stealthily encrypt or
decrypt data on-the-fly, in the background, for weeks or months on end, so
that your backups are actually also encrypted and worthless.

However, not going into panic mode post-infection is a good move. You might
be surprised just how much information is out there to help you remove a
ransomware threat and decrypt your data.

Some ransomware malware has already been reverse-engineered, and decrypting
tools are available to unlock your data without any ransom being paid.
Google is your friend, as are open-source threat intelligence repositories
like VirusTotal, so do your research and find out what has attacked you and
whether anyone has already dealt with it.

If all else fails though, rather than pay the ransom, instead consider
paying a security consultant to help you. It means you stand more chance of
recovering your data, and at least your money is going to the good guys...
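Added example, not part of the article above or of the list post: one practical answer to the "slowly encrypted backups" problem the piece raises is to audit each backup set before it is rotated into the air-gapped copy, using two cheap signals. A canary file with known content is hashed and compared against its recorded SHA-256 (any ransomware that touches the directory changes it), and files that should be plaintext (here assumed to be .txt/.csv/.log) are flagged if their byte entropy looks like ciphertext. The canary path, suffix list, 7.5 bits/byte threshold and the sample "backup sets" are all constructed assumptions for the demo; the XOR "encryption" only stands in for real ransomware output.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: English/CSV text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_backup(files, canary_hashes, plaintext_suffixes=(".txt", ".csv", ".log"),
                 entropy_threshold=7.5, min_size=256):
    """Audit one backup set (mapping path -> bytes) and return sorted (path, reason) findings.

    'canary-modified': a file that must never change is missing or no longer matches
                       its recorded hash.
    'high-entropy':    a file that should be plaintext looks like ciphertext.
    """
    findings = []
    for path, expected in canary_hashes.items():
        data = files.get(path)
        if data is None or sha256_hex(data) != expected:
            findings.append((path, "canary-modified"))
    for path, data in files.items():
        if path in canary_hashes:
            continue
        if (path.lower().endswith(plaintext_suffixes)
                and len(data) >= min_size          # tiny files give noisy entropy
                and shannon_entropy(data) > entropy_threshold):
            findings.append((path, "high-entropy"))
    return sorted(findings)


# --- Constructed sample data (assumed for the demo, not from the article) ---------
CANARY_PATH = "finance/.backup-canary.txt"
CANARY_CONTENT = b"backup canary - do not modify - 2015-11-17\n" * 16
CANARY_HASHES = {CANARY_PATH: sha256_hex(CANARY_CONTENT)}   # recorded when the canary was planted

LEDGER = (b"2015-11-01,Invoice 1042,ACME Ltd,1250.00\n"
          b"2015-11-02,Invoice 1043,Globex plc,980.50\n") * 40


def fake_encrypt(data, key):
    """Stand-in for ransomware output: XOR with a SHA-256 counter keystream.
    Not real cryptography; it only produces near-8-bit-entropy bytes for the demo."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


CLEAN_BACKUP = {CANARY_PATH: CANARY_CONTENT, "finance/ledger.csv": LEDGER}

# The same set after a slow-encryption variant has silently rewritten every file.
ENCRYPTED_BACKUP = {path: fake_encrypt(data, b"attacker-key")
                    for path, data in CLEAN_BACKUP.items()}


if __name__ == "__main__":
    for label, backup in (("clean", CLEAN_BACKUP), ("encrypted", ENCRYPTED_BACKUP)):
        findings = check_backup(backup, CANARY_HASHES)
        print(label, "->", findings or "OK, safe to rotate to the air-gapped copy")
```

Run the audit on the staging copy before it overwrites an offline backup, and refuse the rotation on any finding. The entropy test is deliberately limited to plaintext suffixes because compressed formats such as .zip and .docx are high-entropy when healthy; the canary covers those, and a variant that renames files to a new extension still trips the canary check.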
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/