Tag Archives: Kevin Townsend

Ransomware – should you pay up?

According to Help Net Security, the 2018 Risk:Value Report from NTT Security reveals some disquieting facts about how organizations deal with ransomware:

  • 33% would pay a ransom demand rather than invest in better security.
  • 16% are not sure whether they’d pay up or not.
  • Just over half would be prepared to invest actively in information security.

For the report, NTT “surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.”

I haven’t downloaded the actual report, as to do so requires registration and I don’t particularly want to be regarded as a potential customer by NTT. And, in fact, while there are evidently lots of other interesting data in the report, I want to focus here on the willingness of so many organizations to accede to the demands of the criminals. Let me refer you to an article by Kevin Townsend from 2016, in which he quoted me at some length (and I discussed those issues at greater length here). Better still, here’s a longer section from the text I originally sent him in response to this question:

“…some figures suggest that 40% of corporate victims pay up. Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?”

[Perhaps it’s a positive that the later report suggests a lower figure of victims that pay up, but there are probably too many variables to rely on that being a definite trend. Anyway, since the question seems to have been put hypothetically, it’s quite possible that respondents would react quite differently if they actually found themselves in the position of ransomware victims, by gritting their teeth and ponying up.]

Anyway, this was my (very slightly edited) response:

 In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the well-being of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In fact, you’re sustaining a protection racket. On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time we can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – for preferring to pay up rather than commit economic suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark alleyways. However, the attacks will remain economically viable as long as people aren’t prepared or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

I was taken to task by a commenter on one of my ESET blogs for implying that paying the ransom is sometimes acceptable, pointing out that (I’m paraphrasing) failing to ensure that all an organization’s data could be backed up and recovered as necessary is essentially a symptom of management failure. I’m inclined to agree, in general, as I think my quoted text above bears out. Do incompetence and clinging to false economy make it unacceptable to pay a ransom? Well, that’s a more complicated question. After all, the people who are penalized if an organization chooses not to pay ransom and therefore loses its data are by no means always the people whose incompetence and penny-pinching put their data in jeopardy. I’ll come back to that.

He also asserted that apart from the fact that payment perpetuates the problem, some of the money paid in ransom goes to fund organized crime and even terrorism. Well, that’s a very good point. And while I don’t think it’s necessarily up to me to decide what is or isn’t ‘acceptable’ behaviour on the part of a victim of ransomware, I would at least agree that a ransomware victim (individual or organization) should take into account that possibility. I don’t know how much money paid to ransomware gangs actually does go to organized crime or to fund terrorism, but I’m certainly not going to say it doesn’t happen.

But does that mean that paying ransom should in itself be a crime? Well, we don’t usually go after people who pay up in cases of kidnapping, protection rackets, and so forth, even though those payments may subsidize all sorts of undesirable activities, so I’m not convinced. The more so since I can think of several scenarios that might be seen as being in mitigation. To quote myself again (again, lightly edited):

  • An individual is faced with losing decades worth of family photos or other irreplaceable data.
  • A healthcare organization faces an ethical dilemma because the medical records of thousands of clients are at risk: if they pay, criminals benefit, but if they don’t, the health of many is put at risk. It’s easy to say it’s the victims’ own fault in these cases, but it isn’t necessarily the case: data might be backed up but unrecoverable for a variety of reasons – a failed or incompetent 3rd-party provider, or natural disaster, for instance.

There might be an argument for criminalizing ransom payment where a company could access backups but chooses not to because it’s cheaper to pay up, but that’s still penalizing the victim for the actions of the criminal.

David Harley

Kevin Townsend: some actions against tech support scammers

Kevin Townsend, for Security Week, reports on action against tech support scammers in the US and UK.

Tech Support Scammers Fined in US, Jailed in UK

Kevin says:

Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business as part of settlements with the FTC and Ohio.

Includes some commentary from me.

David Harley

Social Engineering and Ransomware

SecurityWeek contributor Kevin Townsend asked me about a report from the UK’s De Montfort University on the psychology of ransomware splash screens. Here’s the article he published – Researcher Analyzes Psychology of Ransomware Splash Screens – and here are some further thoughts from me published on the ESET blog: Social engineering and ransomware.

David Harley

No More Ransom: new partners

The ‘No More Ransom’ site has quietly added a number of ‘Associated’ and ‘Supporting’ partners. For SecurityWeek, Kevin Townsend explains the difference/partner hierarchy, and quotes a number of industry figures (including me, at some length): No More Ransom Alliance Gains Momentum.

It’s good news, but I think there’s more they could do.

David Harley

Europol says ‘No More Ransom’

Europol, the European Union’s law enforcement agency, has announced an initiative to address the ransomware issue. (Hat Tip to Kevin Townsend, who first brought it to my attention.)

The agency’s announcement tells us that:

No More Ransom (www.nomoreransom.org) is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransom to the cybercriminals…

…The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

The site includes:

  • Crypto Sheriff – a form for helping victims try to find out which malware they’re affected by and whether a decrypter is available. Sounds like a potentially useful resource, even though the little graphic reminds me a little of the late, lamented Lemmy rather than a hi-tech search facility. Somewhat similar to MalwareHunter’s ID Ransomware facility.
  • A Ransomware Q&A page
  • Prevention Advice
  • An About page
  • Advice on how to Report a Crime
  • And a limited range of decryption tools from Kaspersky (mostly) and Intel.
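
Crypto Sheriff, like ID Ransomware, needs a couple of encrypted files and the ransom note before it can tell you which family you are dealing with. The script below is an added example (mine, not code from No More Ransom, Europol or any of the vendors named on this page) of the triage I would run on an affected share before submitting samples: it picks out probable ransom notes by filename and wording, flags files whose first 4 KiB have near-random byte entropy, and groups those by extension so that one sample per extension can be submitted. The note-name patterns, the 7.5 bits-per-byte threshold and the constructed sample tree are all assumptions; compressed formats such as archives and JPEGs will also trip the entropy check, which is why the script reports extensions for a human to look at rather than deciding anything itself.

```python
"""Pre-submission ransomware triage: find ransom notes and probably-encrypted files.

Added example; not code from No More Ransom, Crypto Sheriff, ID Ransomware or any vendor.
"""
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed heuristics (assumptions, not taken from the page or from any real tool).
NOTE_NAME_RE = re.compile(r"(readme|recover|restore|decrypt|how_to|help).*\.(txt|html?)$", re.I)
NOTE_TEXT_RE = re.compile(r"(your files|encrypted|bitcoin|private key|decrypt)", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit close to 8.0
SAMPLE_BYTES = 4096       # only the file head is read, so large shares triage quickly


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """A note must have a suggestive name AND at least two extortion phrases in its text."""
    if not NOTE_NAME_RE.search(path.name):
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return len(NOTE_TEXT_RE.findall(text)) >= 2


def triage(root: Path) -> dict:
    """Walk `root`; return notes, high-entropy files, a per-extension count and one sample each."""
    notes, encrypted = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_ransom_note(p):
            notes.append(p)
            continue
        with p.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(p)
    extensions = Counter(p.suffix.lower() or "(none)" for p in encrypted)
    samples = {}
    for p in encrypted:                       # first file seen per extension is the sample
        samples.setdefault(p.suffix.lower() or "(none)", p)
    return {"notes": notes, "encrypted": encrypted, "extensions": extensions, "samples": samples}


def _random_looking(seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed test data)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(SAMPLE_BYTES // 32))


def build_demo_tree(root: Path) -> None:
    """Constructed victim directory: two 'encrypted' files, a note, plain files and a zip."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked").write_bytes(_random_looking(b"locked"))
    (root / "docs" / "photo.jpg.crypted").write_bytes(_random_looking(b"crypted"))
    (root / "docs" / "README_TO_RESTORE.txt").write_text(
        "All your files have been encrypted!\nTo decrypt them send 1 bitcoin to ...\n")
    (root / "docs" / "notes.txt").write_text("meeting notes\n" * 50)     # low entropy, ignored
    (root / "budget.csv").write_text("q1,100\nq2,120\n" * 100)         # low entropy, ignored
    (root / "archive.zip").write_bytes(_random_looking(b"zip"))       # legit compressed data: false positive


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    print("ransom notes:", [p.name for p in result["notes"]])
    print("high-entropy files by extension:", dict(result["extensions"]))
    print("submit one sample per extension:", {k: v.name for k, v in result["samples"].items()})
```

Run it against a real share by replacing `run_demo()` with `triage(Path("/path/to/share"))`; the `.zip` hit in the demo output is the deliberate reminder that entropy alone cannot distinguish ciphertext from compression, so review the extension list before assuming every flagged file is a victim.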

Infosecurity Magazine’s commentary notes that:

‘In its initial stage, the portal contains four decryption tools for different types of malware, including for CoinVault and the Shade Trojan. In May, ESET claimed that it had contacted TeslaCrypt’s authors after spotting a message announcing they were closing their ‘project’ and offered a decryption key.

‘Raj Samani, EMEA CTO for Intel Security, told Infosecurity that both Intel Security and Kaspersky had developed decryption tools to apply against Teslacrypt, and these will be posted to the website shortly.

Well, I’m not in a position to compare the effectiveness of various TeslaCrypt decrypters, and I do understand that it’s important for “the update process for the decryption tools page …[to]… be rigorous.” Kaspersky in particular has a good reputation for generating useful decrypters. And the AVIEN site is certainly not here to pursue ESET’s claim to a portion of the PR pie. Still, there are decrypters around from a variety of sources apart from the companies already mentioned (see Bleeping Computer’s articles for examples). I hope other companies and researchers working in this area will throw their hats into the ring in response to Europol’s somewhat muted appeal for more partnerships, so that the site benefits from a wider spread of technical expertise and avoids some of the pitfalls sometimes associated with cooperative resources. As it states on the portal:

“the more parties supporting this project the better the results can be, this initiative is open to other public and private parties”.

Here are some links for standalone utilities that I’ve listed on the ransomware resource pages here. [Note, however, that these haven’t been rigorously checked, or not by me at any rate.]

Standalone Decryption Utilities

I haven’t personally tested these, and they may not work against current versions of the ransomware they’re intended to work against. Note also that removing the ransomware doesn’t necessarily mean that your files will be recovered. Other companies and sites will certainly have similar resources: I’m not in a position to list them all.

Bleeping Computer Malware Removal Guides

ESET standalone tools

Included with tools for dealing with other malware.

Also: How do I clean a TeslaCrypt infection using the ESET TeslaCrypt …

Kaspersky Tools

CoinVault decryption tool
CryptXXX decryption tool

Trend Micro Tools

Emsisoft Decryptors

18-4-2016 [HT to Randy Knobloch] N.B. I haven’t tested these personally, and recommend that you read the ‘More technical information’ and ‘Detailed usage guide’ before using one of these.

David Harley