We all know cryptolocker and we all know the toll it’s taken on many individuals and companies. While the original cryptolocker has been shut down since FBI operation Tovar it has not stalled the many variants of encrypting ransomware from becoming a plague to the user (looking at you cryptowall). The “business model” just isn’t going away and is only seeing improvements as time goes on.
Recently in a blog post it was suggested by the FBI to just pay the ransom. With encryption being so sophisticated and the key never stored on the machine I can honestly say that I agree. If you really need the data that was encrypted and your current backup solution doesn’t suffice for the data you’ve lost there is literally nothing you can do to get that data back other than pay the ransom. It’s a sad state of affairs, but this is where we’re at – proactive backup solutions beforehand or bust. Sure there are tools like Shadow explorer that will work if you’re hit with something that’s not killing the Volume Shadow Service (VSS), but that is an elementary error and most encrypting ransomware campaigns are packing the best payloads that make no mistakes. If you have no recent air gap backup or cloud syncing backup that lets you keep old copies, you really have no options other than starting from scratch again and “sticking it to the hackers” but really only individual consumers have the financial freedom to make that choice. Most scenarios where I know victims paid the ransom are because it was a huge hit to their businesses productivity.
For example, let’s say a small business that works as a reseller ships out thousands of products a day and their label printing machine was hit with cryptowall. They aren’t able to print any of the custom saved labels that use on a daily basis and it’s catastrophic to their business for a couple days. The $300 – $500 ransom really is nothing in comparative to the thousands of orders that they couldn’t ship until they get those shipping labels. Most of the time they spend deciding if they should pay isn’t because it’s too much money, or they “shouldn’t support terrorists” but the concern that they wouldn’t get their files back and would be effectively scammed again. In the end, after failed searches for backups and having this huge await shipment line, they just decide it’s worth it to risk throwing the money away and pay the ransom. They get their files back pretty quickly and now can resume shipping.
Most stories are similar to this and when I’ve asked them how paying the ransom went they’ve said that if they knew it would be that easy to get their files back, they would have paid sooner. This is where we are at – criminals putting a gun to our files and demanding payment. It’s worked great the past couple years since it started and it’s only getting better; I see no end sight to this.
Looking forward is even more troubling since once the bad guys start figuring out who can afford more of ransom is when things start getting real hairy. Sure $500 is nothing to resume business as usual, but what if it was a $50k ransom? There would be entirely different discussions internally before deciding to pay.