If you've been infected with Petya, WannaCry or similar ransomware you probably won't be getting your files back, even if you pay. Most of us know that ransomware encrypts data and then demands payment to decrypt it. Attacks reached their highest historical level in April 2016 according to Enigma Software. This represented a 159 percent jump from March. Although this is an unusual surge, ransomware attacks have been increasing between 9 and 20 percent per month for a while now. There are various reasons for the increase:
Ransomware is now the biggest cybersecurity threat. Not only are new variants constantly being released - making ransomware attacks more difficult to defend against - but the number of attacks is rising. In 2017 it is predicted that cybercriminals will target mission-critical servers and PCs within targeted departments. By holding these key devices hostage, cybercriminals will be applying pressure at the right time in order to get the ransom as quickly as possible.
Public entities were panicking as far back as 2016, when the U.S. and Canadian governments jointly released a ransomware alert in March 2016. In May 2016 a U.S. Senate Judiciary subcommittee held a hearing to explore the issue. Following the Hollywood Presbyterian Medical Center incident in California, it is not surprising that the state has drafted legislation to establish specific penalties for ransomware.
In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Paying the ransom is not a security decision; it's a business decision. Recovering files from backup takes time and effort and can lead to lost revenue.
No! We recommend never paying the ransom. Paying the ransom supports criminals; it perpetuates the cycle and encourages them to continue. With Petya ransomware, as with any other ransomware, there is a high chance that you will not get your data back even if you pay. In Petya's case the email address used in the ransom note is no longer reachable; it was closed by the email provider.
If an infection has been noticed before the ransom note appears, power off the system immediately. Do not reboot the machine under any circumstances - there is a chance that not everything has been encrypted yet.
Be warned: even if you pay, the attackers may not deliver a valid key or appropriate unlock code to free your files. According to the FBI, most organizations that pay the ransom do get access to their data. This was the experience of Kansas Heart Hospital. It was victimized on May 18, 2016 and paid, but the attackers demanded more money for the unlock key. The hospital refused to pay again.
However, there is a concern with a Cerber ransomware variant that has been discovered which can potentially "sleep" in the attacked network. At a later date it would be converted into a botnet, launching distributed denial of service (DDoS) attacks from the compromised network at third parties. The victims would have to pay a ransom again… and again?
As with any business, it is in the attackers' best interest to follow through on their promises. CryptoWall attackers are known for decrypting the files upon payment. They have even walked victims through the procedure to obtain bitcoins and have given victims deadline extensions to procure the ransom. Then again, other ransomware families have less reliable reputations.
What does the law enforcement community recommend? The U.S. Federal Bureau of Investigation issued a notice in June about ransomware, advising victims to contact their local FBI field office if their data is held ransom. But individual FBI agents have cautioned that the Bureau most often cannot decrypt the ransomed data. One agent was quoted, "The easiest thing may be to just pay the ransom." Some business professionals suggest that paying encourages criminals to attack again and extort a higher ransom. In the same vein, some victims say that they decided to pay the ransom to preclude the attacker from causing more damage in retaliation. There seems to be no firm data supporting either position.
The IT community in general is against paying. In a survey of the Spiceworks community, an online network of IT professionals, there was near unanimity against paying the ransom. This opinion was held even by members whose networks had been infected. These victims reported that most data was recoverable from backups, although they experienced data loss due to unmonitored and failed backups, as well as the loss of between 1 and 24 hours of data since their last backup cycle. We are assuming that the organization has a choice of paying the ransom or not. But if it has no unaffected backups, there is no choice but to pay the ransom.
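The survey respondents above lost data to two avoidable causes: backups that had silently failed or gone stale, and the window between the last backup and the infection. The following Python script is an added example, not code from the original post or from any backup product, showing the kind of routine check that would have caught both. It assumes a hypothetical backup catalog in which each job logs its host, finish time, status and the SHA-256 recorded at backup time; the catalog entries, the inline "payload" bytes standing in for archives, the timestamps and the 24-hour recovery point objective are all constructed for the example.

```python
"""Backup freshness and integrity audit (added example, hypothetical catalog format)."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Hash the archive bytes so a tampered or truncated copy is detectable."""
    return hashlib.sha256(data).hexdigest()


# Constructed "current time" and catalog; a real job would read these from the
# backup server's job log and hash the archive file on disk instead of a payload.
NOW = datetime(2016, 5, 19, 9, 0, tzinfo=timezone.utc)

GOOD_PAYLOAD = b"fileserver-archive-2016-05-19"
CATALOG = [
    {   # healthy: recent, job succeeded, archive hash matches what was recorded
        "host": "fileserver01", "finished": "2016-05-19T02:10:00Z", "status": "ok",
        "payload": GOOD_PAYLOAD, "sha256": sha256_hex(GOOD_PAYLOAD),
    },
    {   # stale: last good run three days ago, nobody noticed the schedule stopped
        "host": "hr-db", "finished": "2016-05-16T02:05:00Z", "status": "ok",
        "payload": b"hr-dump", "sha256": sha256_hex(b"hr-dump"),
    },
    {   # failed: the job ran recently but reported an error and wrote nothing
        "host": "erp-app", "finished": "2016-05-19T02:30:00Z", "status": "error",
        "payload": b"", "sha256": sha256_hex(b""),
    },
    {   # corrupt: job says ok, but the archive no longer hashes to the recorded value
        "host": "mailstore", "finished": "2016-05-19T01:50:00Z", "status": "ok",
        "payload": b"mail-archive-truncated", "sha256": sha256_hex(b"mail-archive-complete"),
    },
]


def parse_ts(ts: str) -> datetime:
    """Parse the catalog's ISO-8601 UTC timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backup(record: dict, now: datetime, rpo: timedelta):
    """Return (problems, exposure_hours) for one catalog entry.

    exposure_hours is how much data would be lost if this copy had to be
    restored right now, i.e. the age of the backup.
    """
    problems = []
    age = now - parse_ts(record["finished"])
    if record["status"] != "ok":
        problems.append("job_failed")
    if sha256_hex(record["payload"]) != record["sha256"]:
        problems.append("checksum_mismatch")
    if age > rpo:
        problems.append("stale")
    return problems, round(age.total_seconds() / 3600, 1)


def audit(catalog=CATALOG, now=NOW, rpo_hours=24):
    """Audit every host; a host is restorable only if no problem was found."""
    rpo = timedelta(hours=rpo_hours)
    report = {}
    for rec in catalog:
        problems, exposure = check_backup(rec, now, rpo)
        report[rec["host"]] = {
            "problems": problems,
            "exposure_hours": exposure,
            "restorable": not problems,
        }
    return report


def unrestorable_hosts(report: dict):
    """Hosts that would force a pay-or-lose-data decision after an infection."""
    return sorted(h for h, r in report.items() if not r["restorable"])


if __name__ == "__main__":
    result = audit()
    for host, info in result.items():
        state = "OK" if info["restorable"] else "PROBLEM " + ",".join(info["problems"])
        print(f"{host:<14} {info['exposure_hours']:>6.1f}h exposure  {state}")
    print("needs attention:", unrestorable_hosts(result))
```

Run daily, a report like this turns "unmonitored and failed backups" into a ticket before an infection, and the exposure column makes the 1-to-24-hour data-loss window a number the business can decide whether to shrink.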
There is much that can be done to mitigate the damage that a ransomware attack can create, and even to prevent one.