A comment made by an FBI agent at a little-noticed cybersecurity conference in Boston last week is all of a sudden making big headlines, many of them suggesting that the FBI is telling victims of ransomware to “just pay” the ransom.
The comments by Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, were first reported by The Security Ledger.
What Bonavolonta supposedly said is that the encryption used by cybercrooks in the ransomware known as CryptoWall is so good that the FBI “often [advises] people just to pay the ransom.”
Here’s the exact quote:
The ransomware is that good... To be honest, we often advise people just to pay the ransom.
Bonavolonta was also quoted as saying “the easiest thing may be to just pay the ransom,” and the “overwhelming majority of institutions just pay the ransom.”
And he said: “You do get your access back” (to your files once you pay).
It’s true that CryptoWall and some other variants of ransomware tend to get the cryptography right, which means you can’t undo the encryption without paying.
It’s also true that a lot of institutions and individuals do pay the ransom – one study in the UK suggested that up to 40% of victims of CryptoLocker – the forbearer of today’s file-encrypting ransomware – paid to unlock their files.
And it’s true that the crooks often provide the encryption key to decrypt your ransomed files, once you pay somewhere in the range of $300 to $600 in bitcoins.
The ransomware gangs’ business model seems to depend on good “customer service,” if you can call it that – they even offer to let you decrypt one file for “free” as proof that they’ll follow through on the bargain.
However, paying the ransom does present an ethical dilemma: by paying up, you support a criminal enterprise, making it more likely that others will be caught up in the same trap.
That seems to be why so many headlines are blaring about Bonavolonta’s statement – could the FBI really be encouraging people to pay off the criminals, something they would never do if a ransom were demanded in a hostage situation?
Actually, the FBI’s officially sanctioned advice about ransomware doesn’t explicitly mention paying or not paying the ransom – the bottom line in the FBI’s ransomware information page from January 2015 is that victims should contact the FBI.
A FBI spokesperson sent me the following statement:
The FBI doesn't make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.
The FBI website has some pretty good advice about preventing ransomware that comes close to what Naked Security advises, including:
- Keep your anti-virus active and up to date. That means you’re more likely to block malware attacks proactively.
- Patch your operating system and applications promptly. Many attacks rely on exploiting security bugs that are already have available fixes, so don’t make yourself low-hanging fruit.
- Be suspicious of unsolicited emails, no matter how relevant they may seem. Avoid opening attachments and clicking on links in emails too, especially if you’re not expecting them.
- Make regular backups, and keep at least one offline. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, theft and so on.
As Sophos security expert and Naked Security writer Paul Ducklin explained in an excellent post about the pay-or-not dilemma, it’s pretty easy for people whose precious data isn’t at risk to take a strong position that “you should NEVER pay.”
But if it’s YOUR family photos or financial documents on the line, what would you do?
Our simple advice is summed up here:
- Don’t pay if you can possibly avoid it, even if it means some personal inconvenience.
- Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.
We’ve got a lot more advice on dealing with ransomware in the Sophos Techknow podcast below.