Ransomware – would you pay up?

In the last month, we’ve written twice about ransomware – malicious software that locks you out of your PC and demands money to let you back in.

The simpler sort of ransomware doesn’t actually alter your data. It’s a bit like one of those payment pages you see in a hotel room – a captive portal which restricts you to a single web page until you pay an access charge.

In the case of the malware, however, you’re paying for a code to restore access to your PC, not just to get onto the internet.

Simple ransomware of this sort is straightforward for the crooks, because it’s easy to write – but it can usually be evaded without too much trouble. In the Reveton ransomware video above, you’ll see that we use Sophos Bootable Anti-Virus to take control and remove the malware without paying the extortion fee.

The next step up is ransomware which leaves your PC and the operating system running fine – almost to taunt you – but encrypts your important files. You can carry on using your PC, but if you want to access your precious data, there’s a fee to pay.

Ransomware of this sort isn’t a new idea. Back in 1989, floppy disks infected with the AIDS Information Trojan were distributed around the world in snail-mail envelopes. The program purported to be an expert system to advise you about HIV and AIDS, but after you’d run it 90 times, it scrambled your hard disk.

You could unlock your data, or so the author claimed, by sending $378 to an accommodation address in Panama.

But the author wasn’t very good at cryptography. He scrambled only the directories and filenames, and used the same digital key on every PC. The key was easy to work out, because he used a trivial cipher. Tools were published that unlocked your computer for free.

This century’s ransomware has lifted the bar rather dramatically, as we described recently in an article entitled Techniques in ransomware explained.

The crooks scramble your files using strong encryption with a randomly-chosen key. Then they send the key to themselves, using a secure upload. No dithering over whether to use HTTPS and public-key cryptography by the well-informed cybercriminal!

Your key is unique. The crooks have the only copy, or so they hope. And the crypto is impractical to crack. So the crooks reason that you have no choice but to deal with them.

So one of the obvious questions which springs to mind in the cases described above is this: “What happens if you DO pay up? Will they unlock you or just say ‘sucker!’ and leave you locked?”

In a recent case in Australia – ransomware stories are behaving like buses here, in that you don’t see one for ages, then three come at once – the national broadcaster, the ABC, thinks it may have an answer. “It depends.”

Last week, the ABC reported that a trucking company in Alice Springs, an outback town famous for being a long way from anywhere, had fallen victim to a cyberextortion demand.

Details are scarce in the story – it sounds as though the network was hacked and the demands were made by email, rather than by a malware infection – but the playbook is the same. Pay up $3000, or you lose everything.

The victim decided, very much against police advice, to pay up.

Things didn’t go well at first – in the first version of the article, he was still waiting for a reply from the criminals. But after a nervous wait, it seems that today the crooks “honoured” (in the ABC’s words, not in mine) their side of the deal and have sent something to the victim.

Of course, as the victim rather nervously remarked, “I think I’ll probably get most of my files yet, but in what condition I’m not sure.”

Good publicity for the crooks – now we have a nationally-documented case in which paying up seems to work – and tempting for future victims to get sucked in.

But I urge you to listen to the police. Avoid paying up. Avoid getting into a position where this sort of extortion is easy for the crooks. Instead, consider investing the $3000 on some prevention and precaution.

After all, you can lose your data in all sorts of ways other than through ransomware – from fire and theft, through hard disk failure, to plain old user error.

So why not go for precautions – a decent backup regimen, for example, or a solid network security gateway – to protect you against a wide range of risks, including the threat posed by hackers and crooks?