Ransomware on a laptop with a locked hard drive.
Zephyr_p/Shutterstock

It might be your worst nightmare. You turn on your PC only to discover it’s been hijacked by ransomware that won’t decrypt your files unless you pay up. Should you? What are the pros and cons of paying off cyber-criminals?

It’s a difficult problem, and one with many layers. To access your files, you might need to pay a hefty ransom. And then there’s the issue of cryptocurrency, which is ransomware’s preferred method of payment. Unless you’re already a crypto investor, you might have no idea how to set up a wallet, buy Bitcoin through an exchange, and send it to the attacker’s address—and the clock is ticking, because most ransom notes raise the price or threaten to delete the key after a deadline.

And don’t forget—if you pay, there’s a decent chance you won’t be able to reclaim access to your files, anyway. There are also ethical questions about paying off criminals. As any good economist will tell you, any behavior you reward, you’ll invariably get more of.

Taking the High Road

So, what should you do?

“Oh, it’s really simple,” said Raj Samani, chief scientist, and McAfee Fellow. “Don’t pay.”

That’s an easy perspective when they’re not your files being held at virtual gunpoint, but still, it’s probably the right call. There’s a reason the U.S. has an official policy not to negotiate with terrorists, and giving in to ransomware demands does appear to encourage criminals.

The WannaCry ransomware.

Paying out “has given rise to Ransomware as a Service,” contends Sean Allan, a cybersecurity consultant who frequently writes about ransomware. In recent years, ransomware has become such a successful and lucrative business that its developers have packaged turnkey ransomware kits: the developer maintains the malware and payment infrastructure, and affiliates who distribute it keep a share of each ransom. These kits allow criminals with little (or no) technical experience to launch their own ransomware attacks with ease. According to Symantec’s 2019 Internet Security Threat Report, there was a 400 percent increase in the number of attacks from 2017 to 2018. Arguably, much of that growth is due to the number of people and organizations that have paid the ransom.

Of course, not all experts take the high road. Todd Weller, chief security officer of Bandura Cyber, had this to say:

“The practical aspect of ransomware is that the cost of not paying the ransom is materially greater than the cost of paying it. The logic is clear.”

This is especially true if you’re the administrator of, say, a healthcare facility, like one of the 16 U.K. hospital trusts crippled in 2017 by the WannaCry (Wanna Decryptor) ransomware worm. You might feel you have little choice but to pay, even though in WannaCry’s case paying bought very little: the malware had no reliable way to tie a payment to a particular victim, so most who paid never received a working key. Less black and white is when a municipal agency is a victim, like the pair of Florida cities that recently paid a combined $1.1 million in ransomware attacks. One could argue that no lives were at stake, but why double down on bad IT practices by rewarding criminals?

It’s a divisive issue. For this article, I polled 30 cybersecurity experts and consultants, and a full one-third was unwilling to issue a categorical “no” to whether you should ever pay. Instead, they equivocated around questions about the lost files and weighing the cost of the ransom against the value of the data.

But Dror Liwer, founder of security company Coronet, summed it up this way: “The cybersecurity industry is saturated with consultants encouraging people to pay. This is not only poor and lazy advice, but it can actually prove harmful to others, as payment encourages attackers to come back again in the future.”

What If You Pay?

You can’t decide whether to pay a ransom demand based on the argument of better angels, though. This is your data we’re talking about. So, consider, if you do choose to pay, there’s no guarantee you’ll get your files back, anyway. Experts disagree on the odds of recovery, but there’s a fair chance you’ll pay and either not receive the decryption key or receive a key that doesn’t work.

The CTB-Locker ransomware.

“Criminals aren’t interested in customer service,” quips Marius Nel, CEO of tech consultancy 360 Smart Networks.

Indeed, a decryption key might not even exist for your variant of ransomware. Some malware that presents itself as ransomware is really a wiper: the encryption key is thrown away or the victim ID in the ransom note is random, so no payment can ever be matched to a key. If you’re somehow caught in the crossfire of an attack aimed at a nation-state, or by a tool designed initially to attack states that has been repurposed for mundane criminal acts, there might be no key by design.

“Nation-state attacks are designed to damage, not extort,” said Nel.

And don’t forget (Robin Hood and the crew of Serenity notwithstanding), there’s relatively little honor among thieves.

“I have personally seen incidents in which thousands of dollars were paid in ransom, provided partial recovery, and then the criminals asked for more for full recovery,” said Don Baham, president at IT service firm Kraft Technology Group.

There might also be consequences for paying a ransom that affect you long after you get your files back. Some security analysts warn that victims who pay might be retargeted explicitly because they’re put on a list of those who’ve demonstrated a willingness to pay. This is less worrisome for enterprises that can invest in the resources to beef up security after an attack, but individuals might be unaware that the ransomware has left behind a backdoor or downloader that can reinfect their system at a later date. Decrypting the files does not remove the malware that encrypted them; whether you pay or not, the machine should be wiped and reinstalled before the recovered data goes back on it.

The Good News If You Don’t Pay

One could argue it’s simply immoral to pay ransomware because the money can then be used to fund additional cyberattacks, terrorism, and other illegal activities. But you don’t have to rely on the moral high ground—there are also some excellent practical reasons not to pay.

First and foremost, it’s usually not hard to be prepared for a ransomware attack. No defense stops every infection, but if you keep systems patched, limit what your everyday account can write to, and maintain backups the malware can’t reach, an infection becomes an inconvenience rather than a ransom decision.

“If you have the right protections in place, such as antivirus, updates, and great computer hygiene, you shouldn’t worry about getting hit,” said Charles Lobert, vice president at IT services company Vision Computer Solutions.

If you do get hit with ransomware, the good guys are more prepared than ever. No More Ransom—launched in 2016 by Europol’s European Cybercrime Centre, the Dutch National Police, McAfee, and Kaspersky, and now backed by well over 100 corporate and law enforcement partners—is a free service designed to help you recover your files if you choose not to pay.

“In the past, it felt a little like a ‘Sophie’s Choice,’ where no matter what decision you made, it was going to end badly,” said Samani.

Now, if you are infected, you can go to the No More Ransom site and use its Crypto Sheriff tool: you upload a couple of sample encrypted files plus the ransom note (or the email address or URL it contains), and the service identifies the ransomware family. If researchers have broken that family or recovered its keys, you can download a decryptor at no cost.

No More Ransom isn’t foolproof, and it’s not a guaranteed remedy. But it does offer a chance to unlock your ransomed computer without having to learn how Bitcoin works.
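Before submitting anything, you have to work out which files are actually encrypted, what extension the ransomware appended, and which dropped file is the ransom note. The script below is an added example written for this article, not code from No More Ransom or from the original page. It scores each file’s byte entropy (encrypted data sits near 8 bits per byte, ordinary documents well below), skips files whose header identifies a normal compressed format, and pulls out small text files whose names look like a ransom note. The entropy threshold, the note-name patterns, and the sample directory it builds are all assumptions for the demonstration.

```python
"""Triage a directory hit by ransomware before asking for a decryptor.

Added example for this article (not No More Ransom's code). It reports:
  * which files look encrypted (high byte entropy, no recognisable header)
  * the extension the ransomware appended and the original extensions hit
  * small text files whose names resemble a ransom note
Thresholds, name patterns, and the constructed sample tree are assumptions.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.2     # bits/byte; assumption: high-entropy hint, not proof
MAX_NOTE_SIZE = 64 * 1024   # ransom notes are small text files
NOTE_NAME_RE = re.compile(r"(decrypt|restore|recover|ransom|readme|how_to)", re.I)
# Headers of common formats that legitimately score high on entropy.
MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04", b"\xff\xd8\xff", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0); ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Treat a file as encrypted if it has no known header and high entropy."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    if head.startswith(MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_note(path: Path) -> bool:
    """Small, valid UTF-8 text file with a ransom-note style name."""
    if path.stat().st_size > MAX_NOTE_SIZE or not NOTE_NAME_RE.search(path.name):
        return False
    try:
        path.read_text(encoding="utf-8")
    except UnicodeDecodeError:
        return False
    return True


def triage(root) -> dict:
    """Walk `root` and summarise what an identification service will ask for."""
    root = Path(root)
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_note(p):
            notes.append(p)
        elif looks_encrypted(p):
            encrypted.append(p)
    rel = lambda p: str(p.relative_to(root))
    appended = Counter(p.suffix.lower() for p in encrypted if p.suffix)
    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        # The extension the malware added, and the real file types underneath it.
        "appended_extension": appended.most_common(1)[0][0] if appended else None,
        "original_extensions": sorted({Path(p.stem).suffix.lower() for p in encrypted}),
        "samples_to_submit": sorted(rel(p) for p in encrypted)[:2],
    }


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    rng = random.Random(2024)  # seeded so the 'ciphertext' is reproducible
    fake_ciphertext = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    (root / "report.docx.locked").write_bytes(fake_ciphertext())
    (root / "photo.jpg.locked").write_bytes(fake_ciphertext())
    (root / "notes.txt").write_text("Quarterly planning notes. " * 50, encoding="utf-8")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + fake_ciphertext())
    (root / "HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Pay 0.5 BTC to the address below.\n", encoding="utf-8")
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `.locked` extension, the note wording, and the seeded random bytes standing in for ciphertext are constructed for the demo. Entropy alone cannot distinguish ciphertext from compressed data, which is why the header check exists; a real triage would also record the ransom note’s contact address, since the identification service matches on that too.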

Of course, if you can restore your files from a backup, that’s always a better solution. Backups are critical, as they protect you from everything, including ransomware and hard drive failure. The caveat is that ransomware goes after backups it can reach: most families delete Windows Volume Shadow Copies and encrypt any mapped drive or network share, so a backup that stays connected to the infected machine will be encrypted along with everything else. Keep at least one copy offline or on versioned cloud storage, and test restoring from it before you need it.

Dave Johnson
Dave Johnson has worked as a tech journalist since the days of the Palm Pilot and Windows 95. He is the author of almost three dozen books about technology, spent 8 years as a content lead at Microsoft, and is the founder of family tech site Techwalla.