Ransomware – should you pay?

Unfortunately, we’ve had cause to write rather regularly in recent times about ransomware, and what it can do to you.

As straight-talking Naked Security writer John Zorabedian put it recently:

Ransomware is about the bluntest sort of malicious software you are likely to experience.

Ransomware shoves itself unavoidably right in your face.

It deliberately locks you out of your computer or your files, and then demands money to let you back in.

There are two main sorts of ransomware:

  • Lockscreen ransomware. Pops up a window that takes over your computer or mobile device, so you can’t use any other applications, make calls, or run your anti-virus. This ransomware usually accuses you of some sort of crime, but offers to let you keep on working once you have paid a “fine.”
  • File-encrypting ransomware. Leaves your applications running just fine, but scrambles your data files so you can’t open them any more. This ransomware usually pops up a window offering to sell you the decryption key.

The good news is that with a bit of technical savvy, or help from a friend that has the savvy, it is usually possible to work your way past most lockscreen ransomware without paying up.

The bad news is that with most recent file-encrypting ransomware – well-known ones are CryptoLocker, CryptoWall and TeslaCrypt – there isn’t a savvy shortcut.

Loosely speaking, if you don’t have a backup of your scrambled files, you are stuck.

If the crooks have implemented the encryption process properly, the only way to get your files back is to to pay them for a copy of the decryption key.

Public-key cryptography

Most modern ransomware uses public-key cryptography, which is where you have separate keys for locking and unlocking a file.

The public key can be given to anyone to encrypt files, but only the private key can later decrypt them.

So, the crooks generate a public-private keypair on their own servers, and send only the public key to the ransomware running on your computer.

That means that the malware can scramble your data, but the key needed to unscramble it never shows up on your computer – not on disk, and not even in memory.

There’s no point in scouring your computer in the hope of finding a local copy of the private key: your private key exists only on the crooks’ servers until you pay up.

No-one else’s private key will work for your files, either, so there simply isn’t a shortcut.

You need that private key, and to get it, you have to pay the ransom.

What to do?

So the big question, usually left unanswered in technical discussions of ransomware, is, “Should you pay?”

At a typical price point around $300 to $600 (£200 to £400), ransomware can be expensive.

On the other hand, think about what might be in those scrambled files: your baby videos; those tax return documents you were supposed to keep for seven years; the dissertation you need to turn in on Friday…how much are those worth?

For better or for worse, most ransomware gangs have acquired a bit of an “honour among thieves” reputation, so that if you do pay over the money, you almost certainly will get your files back.

On the other hand, law enforcement and security experts are very likely to say, “These are crooks! This is extortion! If you can possibly take it on the chin, we urge you NOT TO PAY!”

But those are easy words to say if it’s not your data on the line.

Interestingly, one reason for not paying extortionists is that there is often no way to ensure that they won’t come back to gouge you for a second payment, or a third, and so on.

But, as described above, modern file-scrambling ransomware doesn’t actually steal your files.

The crooks don’t have a copy of anything of yours, just the private key to unlock the scrambled files on your own computer.

In theory, then, once you’ve paid up, decrypted your files and disinfected the malware, you and the crooks are back on an even footing, and they can’t come back for more.

Should you pay?

We’re not going to moralise about whether it’s always unacceptable to support criminality by paying up, even if you are in a difficult position.

We’ll leave you with plainer advice, namely, “It’s OK to pay, but it’s much better not to.

So, keep these two points in mind:

  1. Don’t pay if you can possibly avoid it, even if it means some personal hassle.
  2. Take precautions today (e.g. backup, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.

Remember: if you don’t have backups and you lose your laptop, you’re in the same trouble – worse, actually – than you would be with ransomware.

After all, there’s no-one you can pay any amount of money to in order to get your data back if your hard disk is at the bottom of Sydney Harbour. (It happens.)

(Audio player above not working? Download, or listen on Soundcloud.)

Find and remove malware with the free Sophos Virus Removal Tool

The free Sophos Virus Removal Tool is a simple tool for Windows users that works alongside your existing anti-virus to find and get rid of any threats lurking on your computer. Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.

Click to go to download page...