Ransomware - would you pay up?

Filed Under: Featured, Law & order, Malware, Ransomware, Security threats

In the last month, we've written twice about ransomware - malicious software that locks you out of your PC and demands money to let you back in.

The simpler sort of ransomware doesn't actually alter your data. It's a bit like one of those payment pages you see in a hotel room - a captive portal which restricts you to a single web page until you pay an access charge.

In the case of the malware, however, you're paying for a code to restore access to your PC, not just to get onto the internet.

Simple ransomware of this sort is straightforward for the crooks, because it's easy to write - but it can usually be evaded without too much trouble. In the Reveton ransomware video above, you'll see that we use Sophos Bootable Anti-Virus to take control and remove the malware without paying the extortion fee.

The next step up is ransomware which leaves your PC and the operating system running fine - almost to taunt you - but encrypts your important files. You can carry on using your PC, but if you want to access your precious data, there's a fee to pay.

Ransomware of this sort isn't a new idea. Back in 1989, floppy disks infected with the AIDS Information Trojan were distributed around the world in snail-mail envelopes. The program purported to be an expert system to advise you about HIV and AIDS, but after you'd run it 90 times, it scrambled your hard disk.

You could unlock your data, or so the author claimed, by sending $378 to an accommodation address in Panama.

But the author wasn't very good at cryptography. He scrambled only the directories and filenames, and used the same digital key on every PC. The key was easy to work out, because he used a trivial cipher. Tools were published that unlocked your computer for free.

This century's ransomware has lifted the bar rather dramatically, as we described recently in an article entitled Techniques in ransomware explained.

The crooks scramble your files using strong encryption with a randomly-chosen key. Then they send the key to themselves, using a secure upload. No dithering over whether to use HTTPS and public-key cryptography by the well-informed cybercriminal!

Your key is unique. The crooks have the only copy, or so they hope. And the crypto is impractical to crack. So the crooks reason that you have no choice but to deal with them.

So one of the obvious questions which springs to mind in the cases described above is this: "What happens if you DO pay up? Will they unlock you or just say 'sucker!' and leave you locked?"

In a recent case in Australia - ransomware stories are behaving like buses here, in that you don't see one for ages, then three come at once - the national broadcaster, the ABC, thinks it may have an answer. "It depends."

Last week, the ABC reported that a trucking company in Alice Springs, an outback town famous for being a long way from anywhere, had fallen victim to a cyberextortion demand.

Details are scarce in the story - it sounds as though the network was hacked and the demands were made by email, rather than by a malware infection - but the playbook is the same. Pay up $3000, or you lose everything.

The victim decided, very much against police advice, to pay up.

Things didn't go well at first - in the first version of the article, he was still waiting for a reply from the criminals. But after a nervous wait, it seems that today the crooks "honoured" (in the ABC's words, not in mine) their side of the deal and have sent something to the victim.

Of course, as the victim rather nervously remarked, "I think I'll probably get most of my files yet, but in what condition I'm not sure."

Good publicity for the crooks - now we have a nationally-documented case in which paying up seems to work - and tempting for future victims to get sucked in.

But I urge you to listen to the police. Avoid paying up. Avoid getting into a position where this sort of extortion is easy for the crooks. Instead, consider investing the $3000 on some prevention and precaution.

After all, you can lose your data in all sorts of ways other than through ransomware - from fire and theft, through hard disk failure, to plain old user error.

So why not go for precautions - a decent backup regimen, for example, or a solid network security gateway - to protect you against a wide range of risks, including the threat posed by hackers and crooks?


, , , , ,

You might like

12 Responses to Ransomware - would you pay up?

  1. fiftyshadesoffifty · 1104 days ago

    Reblogged this on Fifty Shades of Fifty and commented:
    no I wouldn't pay!!

  2. JonBays · 1104 days ago

    You know whats going to happen when you pay them don't you! Either they take the money you get nothing back or you pay the money you get your data back they encrypt your data again and ask for more and on it goes! extortion is an old racket the game is predictable.

    • Cliff Jones · 1104 days ago

      True, except one would hope the victim would be smart enough to immediately back up their data, and take some precautions to prevent further attack.

      I would think either a very thorough scan of ALL systems inside the firewall or a clean reinstall of the same would be in order. The smart cracker would no doubt leave a dormant back door somewhere inside, to reopen the attack without having to rework the perimeter again.

      Since none of my clients have more than 30 systems, I'd be inclined to re-image everything rather than depend on anti-malware software catching everything.

      But I'm not worried about losing any data. Since I entered this business 14+ years ago I have never failed to set up over-the-top backup regimens. I have automated off-site backups to servers that are 25 miles distant from the workplace, on average. One of my selling points is that the only scenario in which you could lose all data would be a meteorite large enough to take out both local and remote servers.

      In that case I doubt anyone would care about lost data.

      My point, if I have one, is that backups are so easy to do and can be made extremely reliable that nobody has any excuse for not have them. Seriously, the only thing you should have to do in a ransomware case is redo the perimeter, identify and remove malware and restore from a backup.

      IT pros who aren't hard-headed insistent on backups isn't doing their clients any service. As for cost, I have actually set up a few clients with backups pro bono even though they couldn't afford the work I had bid. I figure it'll be to my own advantage, not just theirs, to have one rather than not, should the need arise.

  3. Randy · 1104 days ago

    I backup all data that I cannot live without.
    Wiping the disk, reinstalling the OS (I do this at least once a year anyway for housekeeping/maintenance purposes) and restoring my data is easy. Why pay these clowns?

  4. Andrew Covarrubias · 1104 days ago

    I got the blockage one you posted about, literally the day after you wrote about it (that's how I found this blog, and it intrigued me enough to subscribe). I'm not entirely sure how, since I wasn't downloading illegal or otherwise anything at time, nor had I recently run any strange EXEs. I'm going to assume some seemingly innocuous site I visited was infected, it's all I can think of.

    At any rate, I sure as heck didn't pay. Aside from the fact that I don't have that kind of money, I also discovered that this thing is not that cleverly written outside of the encryption itself, and it was really easy to stop it from doing too much damage. As soon as notepad popped up with the message, the first thing I did was open the task manager and quit any processes I didn't recognize. Surprisingly... that's all I needed to do. This one doesn't hide itself at all, and doesn't do anything to prevent you from closing it. Once I was absolutely positive it had stopped (my disk usage wasn't absurdly high anymore), I plugged in my external HDD, backed up anything of value I could salvage, and installed Linux. I may go back to Windows on a dual-boot once 8 comes out, albeit with better protection.

    I was kind of astonished at how much this one doesn't do nearly as effectively as it could. By showing HOW TO DECRYPT FILES.TXT when it started rather than when it finished, it gave me ample time to reduce the damage it could do. By not taking any of the standard measures that these things tend to, it was trivial for me to actually stop it in that time. It seems as though the only things it does smartly are the encryption itself, and to completely break MSE and Windows Firewall (and possibly other A/V software? I didn't have anything else installed to try).

    In regards to the question "Would you pay up?", I personally wouldn't, but I suspect for a lot of people it's a matter of price. I think most people can't afford $3000 (USD, AUD, or otherwise), and won't pay up simply because they can't. I'm sure more people would be able and willing to spend something more manageable, like $100, possibly enough more to turn a bigger profit than they are at the current price.

  5. Alan · 1103 days ago

    I'm surprised no mention of the Sophos Ransomware Decrypter Tool ( http://www.sophos.com/en-us/support/knowledgebase... ) appeared in this article. I know you always get people commenting that it's just a blatant attempt to sell products, even if it's free(!), but surely it would be incredibly useful to anyone who found themselves victim of this type of attack.

    Fortunately, I've never had to test the tool, so have no idea how effective it is :-)

    • Paul Ducklin · 1103 days ago

      Thanks! You just mentioned it for me so now I can't be accused of blatancy :-)

      FWIW, the decrypter tool only works with certain strains of ransomware, so it's usually recommended by Support on a case-by-case basis.

      In particular, this sort of decryption can only handle the "middle ground" in ransomware - malware, like the AIDS Info Trojan, that has cryptographic flaws so that the key can be recovered.

      Sad to say, but if the crooks do the crypto properly (strong algorithm, randomly-chosen high-entropy key not written to disk, and a secure upload to their external "key vault") then you're sunk.

  6. Bedder · 1103 days ago

    I would pay up using a cloned credit card number and would be interested to see how the ransomware extortionists coped wit the $3000 dollar loss when they have to repay the credit card company. haha!
    Seriously although a believer in the 'all or nothing' principle for computer security, compartmentalisation of an organisation by using Linux and Windows operating systems is a good idea. IE R&D and Accounts departments to help prevent or limit problems.

  7. Nigel · 1103 days ago

    I’m puzzled. What does the $3,000 figure refer to as the cost of backing up?

    For my part, it didn't cost anywhere near $3,000 (at today's conversion rate, that's $3,176.86 US dollars) to provide full backup for my main workstation (a Mac Pro)...and that includes bootable backups of three boot volumes, and backup of a data-only volume.

    The cost (in US$) of the (1TB) backup drive for my four-volume primary drive was about $60. The initial cost of the backup software was $99...which I paid 10 years ago, and renew as needed every 2 years or more at a cost of $49. So if I were starting from scratch, today, it would cost less than $200 to have a fully functioning backup of my entire system.

    If I include the cost of external enclosures and backup drives for all the other systems on my LAN (a Mac Mini, two iMacs, a MacBook Pro, and an HP notebook), the cost is still just over $100 per machine. Add the cost of offsite (cloud) backup at $89 per year for a Mac Pro server I maintain (which also has its own backup drive). Even accumulating all the costs of all the backup drives I've used across multiple systems over the past 10 years it doesn't total anywhere near $3,000...AUD, USD, or otherwise.

    Maybe someone who maintains multiple large data servers might run into that kind of expense, but I don't see how an individual user could spend anywhere near that much. Am I missing something?

    • Paul Ducklin · 1103 days ago

      The bloke in the article runs a trucking business, so he's probably got a bit more infrastructure to protect, insure, backup, redundantise, firewall, and so forth.

      (And you haven't costed your time into looking after your own computer.)

      I didn't say you had to spend all of the $3000, either :-) Just that if you're thinking you'll keep $3k under your mattress in case someone stands over you digitally for it...

      ...then you might do better to spend the $3k proactively on precautions. Including, but not limited to, a decent backup regimen (not just the storage devices, as you've costed).

      Let the IT guys earn a bit of a crust, eh :-)

  8. Mike · 1100 days ago

    I reinstall frequently (mentioned above) and use a flash drive or SD card to ensure I have a copy of all my docs, pics, and other important data. The biggest problem by far is managing all of the passwords I have for various accounts. I can cope with my data being in the cloud as a first chance effort to backup, but a local copy beats slow downloads each and every time. And with the ability to backup 50 gigs using blu-ray, I see few reasons and lots of excuses.

    The larger problem is that sites like this are only frequented by techies and not the every day computer end user who needs the information to safeguard family photos, important documents, and other digital data of apparent high value.

  9. Julian O'Brien · 1096 days ago

    We were hacked at my dental surgery and they demanded the 3 grand which we did not pay. They also deleted the files on our 2 backup disks. We have lost everything including appointment book, recalls... fortunately we have old fashion patient cards with important matters and x-rays, photos. Hopefully in time, a boffin may be able to salvage our data?

    Dr Julian

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog