Worried ransomware will screw your network? You could consider swallowing your pride, opening your wallet

As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window. The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to …

  1. Richy Freeway

    Have done just this.

    A customer of mine got hit by the ACCDFISA v2.0 ransomware on Saturday, they didn't realise til they got back on Monday. Business was down for all of Monday before they decided to pay the £3750 ransom. A day later we got the decrypter though and the following day they were back in action.

    They didn't have regular backups in place so this was their only option. If they'd remained closed any longer they would have started losing customers and may not have survived.

    It sucks, but what ya gonna do.

    They learnt an expensive but valuable lesson.

    1. Pascal Monett Silver badge

      Did they ? So they now have a solid backup procedure in place, reliable and tested ?

      Just asking.

      1. Wellyboot Silver badge

        And the ransomware removed? Because the gits will be back soon for their next regular payment.

      2. robidy

        There is a reason why you don't pay ransoms...it encourages the f**kers to do it again and again and again as it's profitable!

        1. c1ue

          Sorry, but that thinking is foolish. Ransomware is a multi-billion dollar business - clearly this crime does pay. Suffering 10x or 100x losses because of a 3rd party government recommendation - which, by the way, conveys no financial or technical return, is the real questionable activity.

          1. Doctor Syntax Silver badge

            "Ransomware is a multi-billion dollar business"

            It's three things. For some it's a multi-billion dollar business; they're in organised crime. To work that sort of operation requires some degree of business organisation. It means that records have to be kept so that the payment can be related to the correct key. It means maintaining servers to run a large scale operation. Those servers also present a risk of being traced and traced back to the operators. That sort of thing needs effort and frankly some wannabes will find that boring which leads us onto...

            ...opportunistic criminals. If they can get hold of some software that just overwrites files with randomish garbage so that they look encrypted they don't have any of the overheads or boring stuff. If your data falls to these guys you're not going to get it back and, according to the article that's currently a 40% chance and, I suspect, rising.

            Then there's the randomisation as a weapon operators. You're not going to get anything back from them. The main intent is the damage.

            If you count on getting data back because it's a multi-billion dollar business operators you're going to rely on the organised crime operators carrying out a search and destroy operation on the opportunistics who are poisoning the well.

    2. Halfmad

      Re: Have done just this.

      No, they didn't learn lessons in the past as Ransomware has been around for years and business "leaders" need to sort their shit out.

      I'm sick of hearing "lessons learnt" etc. when clearly they aren't looking at mistakes others have been making for ages. I know one-person businesses with better backup plans than many large companies because the person in charge is actually giving a shit.

      1. GnuTzu
        FAIL

        Re: Have done just this.

        Great. With more funding, ransomware and its delivery mechanisms will only get more prolific and pernicious. But sure, ignore the effects on the market. And, when this gets around to some situation involving some kind of too-big-to-fail, the tax payer will end up bearing the burden. That's how it works right; businesses get to make decisions that affect the market with little if any responsibility for the damage they do.

        1. katrinab Silver badge

          Re: Have done just this.

          Too big to fail doesn’t get any bigger than the NHS, the world’s 4th largest employer and owner of the largest fleet of PCs. They didn’t pay up.

          1. doublelayer Silver badge

            Re: Have done just this.

            And it's very good they didn't, as it was WannaCry, which DID NOT return any data. Just like the case mentioned in the article several times, Maersk. The article fails to mention that Maersk was hit with NotPetya, which was meant as a warfare tool and wouldn't have returned their information in any case. The multiple millions they spent were going to have to be spent, there was no option to try their luck with the fake criminals involved. Yet that critical detail didn't get mentioned. I usually like your articles, El Reg, as they're carefully researched by technical people, but that hole is far too big to be left unexplained.

            On the topic of taxpayers paying for ransom, it has happened in the case of SamSam malware attacks on various cities, most of which are American ones. The higher-profile ones like Atlanta chose not to pay, but SamSam has obtained several thousand taxpayer dollars from America and will probably continue to target governments because they're found to be behind the times and potentially willing to pay up.

    3. JohnFen

      Re: Have done just this.

      "It sucks, but what ya gonna do"

      They should have done the right thing. Paying the ransom is despicable.

      1. Persona Silver badge

        Re: Have done just this.

        But in this instance paying the ransom meant that they didn't have to close their business, let down their customers and fire their staff. Think of it as a "consultancy" payment in return for a very effective lesson on why they should invest in a reliable backup system.

        1. Doctor Syntax Silver badge

          Re: Have done just this.

          The right thing was not to have had good backups.

    4. Doctor Syntax Silver badge

      Re: Have done just this.

      "They didn't have regular backups in place so this was their only option."

      Ransomware was only one of the problems that could have cost them their data in that situation. What if it had been one of the others? What would they have done then?

  2. Pascal Monett Silver badge
    FAIL

    "If you can't back up the data that is operationally important . . "

    Then you are incompetent. Either as an IT manager, or as a board member.

    I cannot imagine any situation where business-critical data cannot be backed up. There are mirror servers, one-way synchronization, hell, I can't even begin to think of all the ways data can be put somewhere to be stored on tape or disk arrays.

    I am sure of one thing : a proper IT administrator will have a backup of business-critical data, and know how to restore it. The only real issue is ensuring that the backup is not infected.

    1. big_D

      Re: "If you can't back up the data that is operationally important . . "

      Mirror servers are never a backup option. They are a redundancy option, in case one server fails. But if the main server gets hit with ransomware, the data on the mirror is lost as well, because, well, it mirrors the encryption! (Or corruption, as one CEO found out to his cost: he told the IT they didn't need a backup any more, because he had invested in a new mirrored system... A couple of weeks later, he barfed an update on the database (he was a developer who founded his own software company and "knew everything") and wanted to simply revert to the backup on the mirror only... The mirror had the same corruption, naturally. A day later and a backup solution was back in play!)

      1. Anonymous Coward Silver badge
        Boffin

        Re: "If you can't back up the data that is operationally important . . "

        But with a mirror server, you can then take one mirror offline to perform a backup without affecting the in-use system. Then put it back in where it can sync change to get up to date.

        Not ideal, but in some circumstances it's the best way to do things.

        1. big_D

          Re: "If you can't back up the data that is operationally important . . "

          Yes, or just use Veeam etc.

          But, again, the mirror isn't a backup solution. You are using the mirror to help perform the backup, but it isn't the backup.

        2. Anonymous Coward

          Re: "If you can't back up the data that is operationally important . . "

          That was maybe true 20 years ago. Nowadays any modern OS supports mountable filesystem snapshots that make this a breeze without needing a mirror.

    2. Robert Carnegie Silver badge

      Re: "If you can't back up the data that is operationally important . . "

      What about the company-critical spreadsheet that lives on the finance director's lightsaber-USB-stick tie-pin... (hypothetical example, in reality I don't know where he keeps it).

      1. doublelayer Silver badge

        Re: "If you can't back up the data that is operationally important . . "

        Actually, since that drive is probably left disconnected a lot and few ransomwares attack small removable drives (not unheard of but most I've seen only attack internal drives), that spreadsheet is probably safe. The IT department should have informed the finance person concerned that the spreadsheet should be stored in compliance with policies, but assuming they did that, they shouldn't be held responsible if it is later lost because it wasn't.

      2. big_D

        Re: "If you can't back up the data that is operationally important . . "

        He would get a written warning, if that was the case.

        IT policy, by us, clearly states all company data has to be stored on company servers. Not locally on the PC and the use of external media has to be through encrypted media supplied by the IT department. Using your own media or cloud services is a disciplinary offence.

        1. Persona Silver badge

          Re: "If you can't back up the data that is operationally important . . "

          The encrypted media supplied by the IT department does not really help in this scenario. As soon as the user plugs it in and enters the encryption password to access it, it becomes just as vulnerable to malware as any unencrypted media.

        2. Robert Carnegie Silver badge

          Re: "If you can't back up the data that is operationally important . . "

          But then how would he take it home to work on... and, malware loves removable media.

    3. c1ue

      Re: "If you can't back up the data that is operationally important . . "

      Sorry, but you don't seem to have any experience with real world ransomware attacks.

      Most business ransomware attacks are not due to someone clicking on a link in an email or visiting a dodgy web site. They're network penetrations where the attackers look around for some time before executing the "monetization" ransomware encryption.

      And as a result, they can and do take down all the "easy" backup solutions, whether mirrored physical, attached redundancy storage, cloud backups etc.

      You have to have something completely offline and with data being tested before update in order to avoid the data poisoning.

      Yes, there are some companies deploying tools like entropic profiling to detect when data has been encrypted (encrypted data shows a much more uniform entropy profile than random data), but this only works well once large swathes of data have been affected.
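
An added illustration of the entropy-profiling approach c1ue describes (example code written for this page, not from the thread or from any product it mentions): it measures Shannon entropy per file, skips formats that are compressed by design, and only alerts once a large fraction of the share looks like ciphertext, which is exactly why the method is slow to fire on the first few files. File names, contents and the 7.5-bit and 50% thresholds are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY_BITS = 7.5  # ciphertext sits near 8.0 bits/byte, office documents near 4-5
# Formats that are compressed by design: legitimately high entropy, so not evidence of encryption.
ALREADY_DENSE = {".jpg", ".png", ".zip", ".gz", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Single-file test: is the byte distribution as flat as ciphertext would be?"""
    return shannon_entropy(data) >= HIGH_ENTROPY_BITS


def affected_fraction(files: dict) -> float:
    """Fraction of normally low-entropy files (name -> bytes) that now look encrypted."""
    candidates = [data for name, data in files.items()
                  if os.path.splitext(name)[1].lower() not in ALREADY_DENSE]
    if not candidates:
        return 0.0
    return sum(1 for data in candidates if looks_encrypted(data)) / len(candidates)


def should_alert(files: dict, fraction_threshold: float = 0.5) -> bool:
    """Share-level decision. The threshold is why the method is late: one or two
    scrambled files do not move the fraction enough to trip it."""
    return affected_fraction(files) >= fraction_threshold


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode) so the example
    runs offline and reproducibly; statistically it is as flat as real encrypted output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample "file share": three ordinary documents and one photo.
SAMPLE_TEXT = b"Invoice 1042: 12 units of widgets at 3.50 each, due in 30 days.\n" * 64
SAMPLE_FILES = {
    "invoice.txt": SAMPLE_TEXT,
    "notes.txt": b"Meeting notes: discuss backup policy and offline tape rotation.\n" * 50,
    "ledger.csv": b"date,amount,ref\n" + b"2019-06-01,12.50,A1\n" * 100,
    "photo.jpg": pseudo_random_bytes(8192, seed=b"jpeg body"),  # stands in for a real JPEG
}


def encrypt_some(files: dict, names) -> dict:
    """Constructed: overwrite the named files with random-looking bytes of the same length,
    which is what the encryption stage of a ransomware run leaves behind."""
    out = dict(files)
    for name in names:
        out[name] = pseudo_random_bytes(len(files[name]), seed=name.encode())
    return out


if __name__ == "__main__":
    scenarios = (
        ("clean", SAMPLE_FILES),
        ("one file hit", encrypt_some(SAMPLE_FILES, ["invoice.txt"])),
        ("all hit", encrypt_some(SAMPLE_FILES, ["invoice.txt", "notes.txt", "ledger.csv"])),
    )
    for label, fs in scenarios:
        print("%-13s affected=%.2f alert=%s" % (label, affected_fraction(fs), should_alert(fs)))
```

With one document scrambled the affected fraction is only a third, so no alert; the photo is ignored throughout because a JPEG is high-entropy whether or not anything is wrong.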

  3. hmv

    Just no

    Personally I'd tell 'em to refuse to pay and chalk it up to experience (even if that means the business goes to the wall). There's no way in hell I'm going to advise someone to do something I regard as unethical. Some of us have standards.

    1. sitta_europea Silver badge
      Thumb Up

      Re: Just no

      "... Some of us have standards."

      +1

    2. Anonymous Coward

      Re: Just no

      Ethics? Where do you stand on Richie's example above of a company either going to the wall or paying (what may be relatively trivial to them) £3750?

      How do your ethics square with that company not being able to make payroll at the end of the month, going bust and putting all its staff out on the street?

      There are no easy answers in the real world and sometimes you have to hold your nose and do something you don't want to. As long as they *did* learn their lesson and have implemented a proper backup then this may well be the "right" thing to do.

      1. Just Enough

        Re: Just no

        "they *did* learn their lesson"

        And their lesson is it's cheapest and easiest to fund the ransoming of some other company's data. Let's not shy away from the facts here. If you pay ransomware, you are funding continuing criminal action against others and putting other companies' staff out on the street.

        1. Anonymous Coward

          Re: Just no

          No, per my original statement, "learning their lesson" means implementing proper security and backups in an attempt to prevent the same thing happening again. My point was it may be cheapest and easiest to do this once, but if you're going to get milked on a regular basis then you've learned nothing.

          No one is shying away from the fact it's funding criminality, what I'm saying is, the greater good for the company and those it employs may be to do this, this once. If you read the article properly, you'll see the point made that the ransomware genie is out of the bottle and one attack does not now fund the next; it'll happen with or without someone paying.

          1. doublelayer Silver badge

            Re: Just no

            And the next step will happen when the following discussion occurs. The IT staff, of course, are not present. This version as written from the perspective of a small business:

            Finance: "We had to pay four grand to get our data back."

            Operations: "Our technical advisor says we should hire a systems administrator and pay for a backup system so this can't happen again."

            Finance: "How much will that cost?"

            Operations: "The salary for the IT person plus whatever a backup costs. How much does a backup system cost?"

            Finance: [Types in Google search box] "Well, this says that backups can be done to tapes. You need a reader and some tapes. Readers cost ... about three grand. Tapes cost ... about fifty. They recommend taking an incremental backup every day and a full one every week. I think that means we need a tape for every weekday and another two every week, or about seven a week."*

            Operations: "How much will that cost a year?"

            Finance: "Well, three thousand plus three hundred fifty a week comes to about twenty thousand a year not including the salary of the administration guy."*

            Operations: "Yikes. That's quite a lot."

            Finance: "Yes it is. That's why I've written a small Excel spreadsheet to calculate how often an attack like this will happen. Based on the number of ransomware attacks per annum for the last ten years and the number of other victims in the world, I anticipate that we'll probably see one of these every four years or so. This means paying the ransom will cost us on the order of one thousand per year, while backing up will cost a lot more."**

            Operations: "Let's do that then."

            Finance: "You should know that there is some chance of being hit with multiple ransomware attacks in one year, so you can't be guaranteed a low level of risk. However, we can weather at least eight of them and still have less costs than a backup system by my Google math."**

            *This is obviously not how backups work. However, I've heard people do that type of mathematics before to try to estimate costs.

            **I'm presenting a rather unintelligent finance and operations staff. Plenty of companies wouldn't get into this type of situation. However, not every company is run competently, and you don't need a lot of incompetent companies of this nature to fund even more ambitious and sophisticated ransomware that will in fact destroy someone else's company, government, or infrastructure system.

            1. katrinab Silver badge

              Re: Just no

              Volume Shadow Copies cost nothing, and protects against most of these threats.

              It is not a backup, but you should do this in addition to a backup, as restoring from them when it does work is a lot quicker.

              1. Anonymous Coward

                Re: Just no

                I'm sorry you will get downvoted as long as you use the Windows name.

                Tell people to use Linux Btrfs or BSD ZFS snapshots and you'll get a lot of upvotes, even if they work the same way as VSS.

                Anyway care must be taken that the malware is unable to delete the snapshots.

                Snapshots are anyway a layer of defense, and one that when properly used can drastically reduce recovery times.

                1. katrinab Silver badge

                  Re: Just no

                  Well yes, but ransomware is a mostly Windows problem. Switch to FreeBSD and you probably won't have to worry about it.

            2. Robert Helpmann??
              Childcatcher

              Re: Just no

              **I'm presenting a rather unintelligent finance and operations staff. Plenty of companies wouldn't get into this type of situation. However, not every company is run competently, and you don't need a lot of incompetent companies of this nature to fund even more ambitious and sophisticated ransomware that will in fact destroy someone else's company, government, or infrastructure system.

              There is a question very similar to this on one of the harder information security certification tests. The question is stated in terms of being a purely business perspective, but that is often how decisions are made - a simple cost-benefit analysis with $$$ as the deciding metric.

            3. Doctor Syntax Silver badge

              Re: Just no

              "This means paying the ransom will cost us on the order of one thousand per year, while backing up will cost a lot more."

              The calculation should, of course, take into account the nearly evens probability of not getting anything back at all and of losing the data to any of the possible hardware problems that could take the data out with no possibility of paying a ransom to get it back. Saving on ransoms is simply a side benefit of the backup system which should have been there for other purposes.

              1. doublelayer Silver badge

                Re: Just no

                Hence the footnotes. This is not an accurate calculation. A technical person could redo those numbers to the satisfaction of many a finance person, but that doesn't matter if the finance person does an inaccurate initial calculation and decides not to ask a technical person on the basis of that calculation.

          2. JohnFen

            Re: Just no

            "My point was it may be cheapest and easiest to do this once"

            That's because they've just shifted the real cost off their shoulders and onto the shoulders of the rest of us.

        2. Muscleguy

          Re: Just no

          You assume the crims will plough all their ill-gotten gains back into their business. At what point do they take a profit then? It would seem to me that operating costs are fairly minimal. An anonymous digital funny money account, a hired botnet and some coders. A pretty lean operation.

          The real problem with all crime though is laundering the proceeds. I think of that every time I pass a tanning salon which is fairly often as our local shopping centre has one between the Iceland and the Coop. The cops will have you believe it has been sorted out but I suspect the crims have just gotten smarter about it.

          1. JohnFen

            Re: Just no

            "You assume the crims will plough all their ill-gotten gains back into their business."

            It doesn't actually matter if they do or not. Paying the ransom just means that there will be more victims either way.

          2. doublelayer Silver badge

            Re: Just no

            "You assume the crims will plough all their ill-gotten gains back into their business."

            I assume nothing of the kind. I only assume that they like money, so getting it would convince them that they should keep up with this plan rather than doing something else to get it. Or, for example, that stories of lots of people paying will convince other people to start writing and distributing ransomware because they too like money.

            1. Anonymous Coward

              Re: Just no

              So basically you're saying you'd take the hit, liquidate your company and make your staff redundant and start all over again, rather than pay a relatively small ransom, all to protect potentially hypothetical other unknowns who have been as stupid as you were and got themselves infected? Get back to us when that happens and I'll be first to applaud your ethical stance.

              1. doublelayer Silver badge

                Re: Just no

                Not exactly. I'm not saying I would never pay the ransom under any circumstances whatsoever. I can imagine a situation in which 1) I know I'll get the data back if I pay, 2) there is a confirmed bad result if I don't such as all the employees losing their jobs immediately, and 3) I don't have the alternative of restoring from backup. Even then, I'd have to consider very carefully.

                I'm pretty sure I will never face this situation, though, because I do back things up responsibly. If, for example, some quick math tells me that it might be cheaper to pay the ransom than restore from backups, which was mentioned in the article as if that's a good reason, I would then never accept paying the ransom. For one thing, I would require performing a clean reimaging of every affected machine at the very least, so we'd be paying that bill one way or another.

                If I didn't have backups for some reason, I'd have to ask what the costs would be if we didn't pay the ransom. They'd have to be extremely high for me to decide to pay it. As I said above, "Every employee will definitely lose their jobs tomorrow" is strong enough that I'd have to consider it. However, lots of other things would not be so strong. I care much less about the investors or owners than I do about the employees, so "We'll lose a lot of money" almost certainly wouldn't cut it. If I was the person involved, the reason there are no backups is almost certainly an incompetent superior who rejected my suggestions for backup or violated the policy, and once again, I have no sympathy for that. So "that person will lose their job" wouldn't matter to me either. If this was a small company without employees, E.G. a company run by a few people who all own part, I would probably be willing to let it fold rather than do something this unethical. If they're going to pay, they can do so without me.

              2. Doctor Syntax Silver badge

                Re: Just no

                "So basically you're saying you'd take the hit, liquidate your company and make your staff redundant and start all over again, rather than pay a relatively small ransom, all to protect potentially hypothetical other unknowns who have been as stupid as you were and got themselves infected?"

                Are you saying that there's no need for a backup arrangement because data can only be lost through ransomware and not through the possibility of a physical problem such as a drive failure? Are you saying that all those of us who maintained backups years before ransomware was a thing were wasting our time?

                1. Anonymous Coward

                  Re: Just no

                  No, of course not, you're trying to put words in my keyboard. For a so-called Doctor of Syntax, that's unforgivable. Where exactly in the paragraph you've quoted does it say anything even in the same ballpark as that? Are you even a real doctor?

                  I've been religiously maintaining backups on a daily basis since you were still in syntax school, long before there was this kind of malware, to cover all bases, including the cases you mention. In this case however, I'm arguing for the company outlined above where in their individual situation, the "moral" choice may well be to protect their employees, hold their collective nose and make the payment hoping for the best. As also stated above, this is only a lesson learned if they subsequently implement full and tested backup solutions amongst other defences. Now read this again before commenting wildly inappropriately.

    3. veti Silver badge

      Re: Just no

      It's easy to talk big about ethics, when you're not being asked to decide whether 10,000 other people will have jobs tomorrow.

      People who do make decisions like that, know that there's a balance.

      1. Doctor Syntax Silver badge

        Re: Just no

        "People who do make decisions like that, know that there's a balance."

        People who make decisions like that should have made them years ago. In that case the threat of ransomware will just be an additional one to the many threats for which they have already covered themselves. They then won't have to make the call of making a payment with a little better than evens chance of rescuing their business.

    4. Doctor Syntax Silver badge

      Re: Just no

      "There's no way in hell I'm going to advise someone to do something I regard as unethical."

      It may well be illegal as well.

  4. sitta_europea Silver badge

    I can't believe I'm reading this.

    I'd rather my business die than pay a ransom.

    And I'm confident enough of my security and backups that I'll tell the criminals to fuck off right now.

    1. jmch Silver badge

      "I'd rather my business die than pay a ransom."

      Easy to say for personal business / sole ownerships without so much to lose, or for giant corporations who can take a massive hit to rebuild all their systems. What about SMEs, which are the majority of companies out there? If you employ 10, 50, 100 people... are you happy for them all to lose their job because you won't pay a ransom? Are you happy to screw the clients whose money you've taken but whose orders you can't fulfil? Are you happy to bankrupt yourself or your partners / investors just to not take a hit on your pride?

      "I'm confident enough of my security and backups "

      Good for you, but the point of the article is addressed exactly to those who don't have good security and backups. They ALREADY screwed up and are already in the shit. So then what?

      Absolutely, the way to go is invest in good security and good backups, and certainly anyone who has neglected these has already put in jeopardy through their negligence their workers' jobs, their clients products/services and their partners' investments. But once you're in that situation you have to make a judgement call on the cost of paying the ransomware (even factoring in the possibility of not getting an unlock key) against the cost of rebuilding all your data or bankrupting the business. And sometimes that equation is going to come down on the side of paying the ransom.

      1. JohnFen

        "If you employ 10, 50, 100 people... are you happy for them all to lose their job because you won't pay a ransom?"

        No, not happy. But you have to do what's right, and what's right is to not pay the ransom, period.

        To take any other stance is like saying "sure, I may have ebola, but if I don't go to work and spread it around anyway I won't be able to pay rent."

        1. veti Silver badge

          You have a very firm idea about what's right, but how do you come to that conclusion? What weight do you attach to "don't reward wrongdoers" vs "be a reliable business and employer"?

          You can't act as if there is only one moral requirement to consider. Well, you can, but then you're not being very moral.

          1. JohnFen

            "how do you come to that conclusion?"

            The same way everyone else makes ethical assessments -- according to my own sense of ethics. Topping the list of my ethical sense is "don't harm innocent others". I think paying the ransom does exactly this.

            "You can't act as if there is only one moral requirement to consider."

            I never said, and don't believe, that there is only one moral requirement to consider. There are always multiple viewpoints, and in the real world we rarely have a clear black and white choice between "ethical" and "unethical". It's almost always that we have to choose a course that is a shade between those two.

            After weighing the arguments put forth in the comment I replied to, though, I think that the "most ethical" course is to avoid harming innocent others.

      2. Anonymous Coward
        Childcatcher

        "What about SMEs,"

        Oooh, oooh, me ... me ... ask me! I own a vSME (the v is for very - three directors and 20 odd employees). I will not pay a ransom ... ever.

        I spent quite a while growing up in a funny land called West Germany in the 1970s and '80s and some people didn't like us and sometimes tried to blow up people like my parents (me and my brother might have been collateral damage) with explosives. Not nice. This particular nonsense is not so lethal as that but the principle is near enough the same. If you pay criminals/terrorists once then you will continue to pay, one way or another. Sometimes the price is money, sometimes not. They do not play by the same rules as you and you will lose.

        My best effort so far to detect ransomware in action (above and beyond AV) is to use "find" to detect numbers of changed files over 1,2,3, ..., 21 days (eg: -mtime +1 flag) and email the results for inspection by a human. The idea is that we already have backups that are unchangeable (WORM) with retention that is longer than ransomware works over and we use scripts to look for large numbers of modified files to detect wholesale encryption in action. Business really, really critical data (not email - piss off!) is given even more attention.
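
An added Python counterpart to the find -mtime approach described in the post above (example code written for this page, not the poster's own scripts): it counts files modified inside each look-back window, compares each count with an expected organic change rate, and flags the windows where a spike appears, which for wholesale encryption are the shortest ones. The directory tree, the baseline of one changed file per day and the 5x factor are constructed assumptions; it assumes a POSIX filesystem where os.utime can set modification times.

```python
import os
import tempfile
import time

DAY = 86400


def count_modified_within(root: str, days: float, now: float) -> int:
    """Files under root modified in the last `days` days, like `find root -type f -mtime -N`
    (measured in exact seconds here rather than find's whole 24-hour periods)."""
    cutoff = now - days * DAY
    n = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:  # file vanished or unreadable mid-walk; skip it
                continue
            if st.st_mtime >= cutoff:
                n += 1
    return n


def modification_profile(root: str, now: float, windows=(1, 2, 3, 7, 21)) -> dict:
    """Counts per look-back window, the numbers the poster emails out for a human to read."""
    return {d: count_modified_within(root, d, now) for d in windows}


def burst_windows(profile: dict, baseline_per_day: float, factor: float = 5.0) -> list:
    """Windows whose count exceeds factor x the expected organic change for that window.
    Normal work grows the counts roughly linearly with the window; an encryption run
    dumps hundreds of changes into the shortest windows, so those are the ones that trip."""
    return [d for d, n in profile.items() if n > factor * baseline_per_day * d]


def report(profile: dict, flagged: list) -> str:
    """Plain-text summary suitable for the body of the inspection e-mail."""
    lines = ["modified files per window:"]
    for d, n in profile.items():
        mark = "  <-- spike" if d in flagged else ""
        lines.append("  last %2d day(s): %4d%s" % (d, n, mark))
    return "\n".join(lines)


def build_sample_tree(root: str, now: float, days: int = 30) -> list:
    """Constructed fixture: one small document per day for the past `days` days."""
    paths = []
    for i in range(days):
        sub = os.path.join(root, "dept%d" % (i % 3))
        os.makedirs(sub, exist_ok=True)
        path = os.path.join(sub, "doc%02d.txt" % i)
        with open(path, "w") as f:
            f.write("quarterly figures\n")
        age = (i + 1) * DAY + 3600  # 1 day 1 hour old, 2 days 1 hour old, ...
        os.utime(path, (now - age, now - age))
        paths.append(path)
    return paths


def simulate_mass_change(paths: list, now: float, keep: int = 5) -> None:
    """Constructed fixture: rewrite every file except the newest `keep` within the last
    ten minutes, which is the footprint an encryption run leaves in the mtimes."""
    for path in paths[keep:]:
        with open(path, "wb") as f:
            f.write(b"\x00\xffscrambled")
        os.utime(path, (now - 600, now - 600))


def run_demo(baseline_per_day: float = 1.0):
    """Profile the sample tree before and after the simulated run.
    Returns (windows flagged before, windows flagged after, report text for after)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        paths = build_sample_tree(root, now)
        before = modification_profile(root, now)
        simulate_mass_change(paths, now)
        after = modification_profile(root, now)
    before_flags = burst_windows(before, baseline_per_day)
    after_flags = burst_windows(after, baseline_per_day)
    return before_flags, after_flags, report(after, after_flags)


if __name__ == "__main__":
    before_flags, after_flags, text = run_demo()
    print("before run: spikes in windows", before_flags)
    print("after run:  spikes in windows", after_flags)
    print(text)
```

The 7- and 21-day windows do not trip after the run because the spike is diluted by the expected organic changes over a longer period, which is why the short windows carry the signal.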

      3. MachDiamond Silver badge

        "Easy to say for personal business / sole ownerships without so much to lose, or for giant corporations who can take a massive hit to rebuild all their systems."

        Or a municipality such as Baltimore, MD which is looking at something like $18m to rebuild and, hopefully, harden their systems (and segment them as well). Would risking $50k in ransom be worth a chance to unencrypt their data against that $18m they know they'll have to spend? (I'm pulling the ransom amount from a nether region I can't normally view).

        In Baltimore's case, the attack brought to light how poor their system was put together and operated just from a few of the reports I have seen. There's never enough money to do it right, but they seem to be able to find the money to do it over.

        1. Doctor Syntax Silver badge

          I suspect that any public servant paying public money to a criminal enterprise (or, given the all too often nature of public administrations, an undisguised criminal enterprise) could well result in their being prosecuted.

      4. Doctor Syntax Silver badge

        "Good for you, but the point of the article is addressed exactly to those who don't have good security and backups. They ALREADY screwed up and are already in the shit. So then what?"

        Drifting through life thinking "if the worst comes to the worst I can always pay the ransom" is exactly the attitude that can land them in the situation where the worst comes to the worst and it isn't ransomware.

    2. c1ue

      Sounds good. We'll see what happens if, god forfend, it happens to you. "Not Paying" has been pushed out to the public for decades - it isn't working.

  5. big_D

    Trust...

    The problem is, once you've paid and got your data back, can you actually trust your computers ever again? Are they really clean? Is all the malware gone? Is it syphoning off information? Will it be hit again?

    Even if I paid, the first thing I'd do is make a secure copy of all the information (a backup), nuke the PCs and servers from high orbit and install everything from scratch anyway. As I have the backups anyway, why would I bother wasting money to recover the last couple of hours of work, since the last backup, when I'm going to re-install everything anyway? The extra couple of hours work redoing the last few transactions won't make a huge difference at the end of the day, anyway.

    A company I know of was informed by the Federal Office for the Protection of the Constitution that the IP-address of one of their servers had appeared on a well known hacker board. They provided consultation, but their advice was, even if the drives were removed, new ones plugged in and a restore from a known good backup performed, there was no guarantee that the hackers hadn't put something nasty in the UEFI. The best option was to put the server through a shredder and install a new, factory fresh server from scratch and restore the data.

    1. Anonymous Coward Silver badge
      Joke

      Re: Trust...

      "there was no guarantee that the hackers hadn't put something nasty in the UEFI. The best option was to put the server through a shredder and install a new, factory fresh server from scratch and restore the data."

      Dell's marketing department going to new lengths to secure a sale?

    2. sal II

      Re: Trust...

      If it was a VM would they advise me to shred only the host or the entire cluster...

      What a load of BS

  6. Anonymous Coward
    Facepalm

    Here we stopped the "kidnapping industry" when laws blocked ransom payments

    And that was for human beings, not data.

    The more people pay, the more the "business" becomes profitable. It's useless to say "use it only as a last attempt" - crooks are already giving less and less time to pay before threatening to delete the keys to put pressure on victims.

    1. Robert Carnegie Silver badge

      Re: Here we stopped the "kidnapping industry" when laws blocked ransom payments

      Where's "here"? Globally, kidnapping for money is still a thing. Also in "failed states".

      As for the deadline... tell 'em the finance steering committee only meets quarterly. Also, this is the year of "shareholders reject the executive compensation plan" - you'll have heard what happened to Hamelin Inc. trading as Rats R Us. :-) So paying the ransom demand... the moral is, when robbing and extorting honest CEOs and local politicians, don't be greedy.

      Although, leaving a trail of dead victims who couldn't or didn't pay will also encourage your latest to be generous.

      1. Anonymous Coward

        "Where's "here"?"

        Italy. Kidnapping became a criminal business in the '70s and early '80s (remember John Paul Getty III?). Criminal groups like mafia find it very lucrative - and kidnappings became a quite common crime.

        Until a law was passed that allowed assets to be frozen to prevent ransoms being paid. Criminals found that they risked a lot for nothing.

        1. veti Silver badge

          Re: "Where's "here"?"

          Very different economics. Kidnapping people is extremely high risk and requires a huge reward to make it a viable business.

          Malware, not so much. The marginal cost per infection is zero. So if 99% of your victims don't pay, no problem - just infect another million.

          We've tried preaching "don't pay, ever", and it's been about as effective as abstinence-only sex education. Maybe acknowledging reality isn't such a bad idea.

          1. Anonymous Coward

            Re: "Where's "here"?"

            It is exactly because it is low risk and low cost that it risks becoming a huge problem - especially since cryptocurrencies made it too safe. Moreover, these kinds of criminals don't care if they put many lives at risk - and if people think they have no choice but to pay, crooks will also ask for more money.

            It requires a proper legal framework to stifle these kinds of criminals - "wire fraud" or the like is outdated.

            Maybe acknowledging reality is that you lost your data, so others will understand that thinking "oh well, no need to make systems secure, in the worst case I'll pay" is utterly stupid.

            1. veti Silver badge

              Re: "Where's "here"?"

              That's a straw man. Nobody has suggested that paying a ransom is a substitute for security.

              Security is hard, and sometimes it fails. When it fails, a rational manager should consider all the available options.

            2. veti Silver badge

              Re: "Where's "here"?"

              The point I'm getting at is, with kidnapping you need a good degree of certainty that the ransom will be paid. Without that, the economics just don't work. If you can prevent payment in just 75% of cases, nobody will risk kidnapping.

              With ransomware, preventing even 95% of payments makes no real difference. So this approach doesn't work. You could try banning cryptocurrency, but I think we all know what that would lead to.

              1. Doctor Syntax Silver badge

                Re: "Where's "here"?"

                "I think we all know what that would lead to"

                Making crime more difficult?

          2. Robert Carnegie Silver badge

            Re: "Where's "here"?"

            Ok, another alternative plan, legalise hacking to demand money... if the government does it. Try this: if the tax office can get malware onto your company computers and perform encryption and denial of service, then they're entitled to demand extra tax from the company in return for releasing the encryption. That will motivate the finance director to support keeping your systems secure and also well backed up, to not pay even when the government successfully breaks in. And this will keep out other bad guys as well.

            Although I suppose there are quite a lot of foreseeable problems with this scheme...

    2. c1ue

      Re: Here we stopped the "kidnapping industry" when laws blocked ransom payments

      It wasn't the laws. It was stepped up law enforcement activity.

  7. Schultz
    FAIL

    'Paying the ransom isn't going to make a difference' - Wrong

    If it's profitable, then the market will grow. There'll be more resources dedicated to finding exploits and programming ransomware.

    Remember, capitalism works and doesn't particularly care about ethics. If you reward the unethical parts of the market, then you contribute to the problem.

    1. JohnFen

      Re: 'Paying the ransom isn't going to make a difference' - Wrong

      Remember that the person who said that was with MalwareBytes Labs, and it really looks for all the world like MalwareBytes Labs is effectively in cahoots with these criminals.

      1. Robert Carnegie Silver badge

        Re: 'Paying the ransom isn't going to make a difference' - Wrong

        I think "Malwarebytes" actually works against malware, but I may be mistaken?

    2. veti Silver badge

      Re: 'Paying the ransom isn't going to make a difference' - Wrong

      But it IS profitable. That much has been established, you can't wish it away. Saying "it wouldn't be profitable if..." is about as useful as saying "wouldn't it be nice if there was no crime?"

  8. Will Godfrey Silver badge
    Mushroom

    Unbelievable

    Did the ransomware bastards manage to get a sleeper into the organisation?

    Is someone high up being blackmailed?

    I can't think of any other explanation. This is just totally wrong from any point of view. To say nothing of the fact it simply WON'T WORK!

    Shouting? I wanted to scream it out.

  9. Nick Kew

    Next Generation Ransomware

    I wonder who's working on a new generation of ransomware that'll manipulate data (crude example: add a couple of million to someone's bank balance) before encrypting it all?

  10. DontFeedTheTrolls
    Boffin

    I got a tour of a cash centre for one of the major banks a few years ago. Quite a secure place to get into, but surprisingly ordinary once there.

    In one corner was a cage containing a pallet of notes.

    "What's that?"

    "That's the ransom money in case we're ever asked to provide a cash sum in a ransom situation"

    Just shows you should always be prepared.

    1. Dal90

      I wonder how often they rotate it?

      I can fully see them keeping it in $100,000 increments with a sheet listing all the serial numbers for that bundle. Quick and easy to grab the amount needed without delay.

      Then the kidnappers look at their unmarked, non-sequential cash and realize all the notes were printed in 1974.

      1. MachDiamond Silver badge

        "Then the kidnappers look at their unmarked, non-sequential cash and realize all the notes were printed in 1974."

        It would be easy enough to just bundle up currency taken from the stream currently in circulation that has been scanned into a database. If it sits for a year or so, start swapping bundles and updating the database. Having all of a stack of notes from one year would be pretty unusual.

    2. Doctor Syntax Silver badge

      All used but with the numbers recorded? Or all marked with fluorescent marker on the edges (yes, I've had that job) or probably something trickier these days?

  11. Anonymous Coward

    Hmmm

    I seem to remember that the largest ransomware hitter, WannaCry, actually didn't have a mechanism for tying payments to infected machines and as such it was impossible to decrypt?

    Don't always assume that the bad guys even have a mechanism to give your data back to you, just a way to trick you into sending bitcoin...

    1. MachDiamond Silver badge

      Re: Hmmm

      Are all of the ransom demands the same? It could make sense to plant a few small canaries if the ransom was based on the size of the system to pay a smaller sum as a check on whether the scammers can/will provide decryption keys.

  12. technewsjunkie
    Facepalm

    Even police departments have been reported paying the ransom

    https://www.bostonglobe.com/business/2015/04/06/tewksbury-police-pay-bitcoin-ransom-hackers/PkcE1GBTOfU52p31F9FM5L/story.html

  13. Claptrap314 Silver badge

    Ethics != Ego

    This is a straight-up Prisoners' Paradox type situation. Paying the ransom == defecting.

    The repeated use of the word "ego" in the article is a tell. If a "security" company ever gave me that advice, especially if they used the word "ego" to damn not funding criminals, I would mark them as compromised.

    Just like the machine that's been infected.

    1. JohnFen

      Re: Ethics != Ego

      "If a "security" company ever gave me that advice, especially if they used the word "ego" to damn not funding criminals, I would mark them as compromised."

      A million times this. Not paying the ransom isn't even remotely a matter of ego. To frame it that way appears to be engaging in intentional emotional manipulation, and you really have to question the motives for doing that.

  14. Anonymous Coward

    What if they were hunted down like real criminals...

    If this extortion was taken a little more seriously, given that the sums involved are increasing, and steps were taken for more cross-border cooperation, then this could stop. The funds can be tracked, but there is no political will to do anything about it.

    1. doublelayer Silver badge

      Re: What if they were hunted down like real criminals...

      The anonymity of cryptocurrencies makes this difficult. While the currency of choice remains bitcoin, which is public, there is a little chance, but the criminals can switch to closed cryptocurrencies (zcash and monero come to mind) to make this difficult or impossible. In addition, a lot of these strains are being written in countries whose attitude toward international cooperation is not so positive. WannaCry and NotPetya, for example, were government projects of North Korea and Russia respectively.

      1. katrinab Silver badge

        Re: What if they were hunted down like real criminals...

        Bitcoin is not anonymous, and at some point you have to go to an exchange to convert it to real money.

        1. doublelayer Silver badge

          Re: What if they were hunted down like real criminals...

          But zcash and monero are anonymous, hence my saying that bitcoin might get switched out for those. Bitcoin is not anonymous, that is correct, but it is pseudonymous and can be difficult to track until it is exchanged. If it is paid to someone else before they exchange it, it may well be that they don't know who originally obtained it, making tracing the payment very difficult. In addition, there are plenty of ransomware stories where crypto was deposited into a wallet and it's still there. Why the authors chose to do that is anyone's guess, but tracking them down, even if the various law enforcement bodies were to try, will be hard if that's the only evidence available.

  15. BackupVault

    I run a UK cloud backup company and the vast majority of customers are happy to pay anything from £20-1000 per month to backup all their data.

    The worst companies who see no value in backing up and protecting their data are for some reason: architects and solicitors, specifically solicitors. They will think we are mad if we quote them £50pm to backup a server to protect them against ransomware. Instead they opt for non-GDPR, cheap consumer grade USA backup solutions with no encryption. Scary stuff...

    1. dnicholas

      Add financial advisors / wealth managers to the list. I had a couple of them as clients some years ago. Cheapest solution possible, no alternatives. Dropped them in the end as it was too much hassle for too little reward. I do wonder if my batch xcopy is still running though

      1. Anonymous Coward

        No, at the request/demand of the manager we upgraded the batch file to use robocopy so that it had a summary report "in case they get audited" and added a vbs script to rotate and prune the folders on the external hard drive used as the backup destination so that they didn't have to change it every day anymore.

  16. Jason Bloomberg Silver badge
    Joke

    Worried ransomware will screw your network?

    What is this "worried ransomware" of which you speak?

  17. bjr

    It should be illegal to pay a ransom

    The social costs are too high to allow anyone to pay a ransom, because paying the ransom ensures that the criminals will continue to victimize other companies. The interests of the victims and the interests of society as a whole are not aligned: the victim's primary goal is to save their company even at the expense of future victims, while society's interest is to stop it from happening at all. The only way to stop it is to make it illegal to pay the ransom; if nobody pays then it won't happen.

    1. JohnFen

      Re: It should be illegal to pay a ransom

      Agreed.

      Paying the ransom is, in my view, participating in the crime and makes you an accessory.

  18. JohnFen

    Don't do it

    Actually paying the ransom is socially irresponsible and only makes the whole situation worse for everyone. I know that it can be very hard or impossible for a company who's been affected to take this into account. But, speaking personally, I would absolutely view people and companies that do this in a very negative light.

  19. Anonymous Coward

    Is ransomware still a thing?

    Working at an IT services company, I can't recall the last time any of our clients were hit by ransomware. It was almost a daily event a couple of years ago, but not much recently.

    We have always been able to recover our clients' data, and with the mitigations we have put in place we can generally prevent attacks in the first place, but the crims seem to have moved on to other things. The biggest spate of malicious activity we have seen recently is O365 accounts with no MFA being phished, then either used to spew malware or to pretend to be the user and request bank transfers from the finance people. They usually also add rules so that the mark doesn't get bounces or replies.

    Although we try and persuade people to use MFA on cloud services, many don't listen.

  20. Aussie Doc
    Mushroom

    I'm definitely no expert on Ran$omeware but there is no way I could ethically tell a business to pay said ransom.

    There is simply no guarantee that a) the data will be 'released' (for want of a term) or b) said 'released' data doesn't have little 'timebombs' to be set off when the next payment is due.

    I think all we IT folk can really do is press the point home re: security and the need for backup, as intimated in the article.

    Just my 2c but YMMV.

  21. Claverhouse

    My personal motto is: There Are No Prescriptions.

    I would decide what is the most logical thing to do when it happens.

  22. JimC

    Dane geld

    Dane-geld

    A.D. 980-1016

    It is always a temptation to an armed and agile nation
    To call upon a neighbour and to say: –
    "We invaded you last night – we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
    To puff and look important and to say: –
    "Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
    But we've proved it again and again,
    That if once you have paid him the Dane-geld
    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
    You will find it better policy to say: –
    "We never pay any-one Dane-geld,
    No matter how trifling the cost;
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

    1. Doctor Syntax Silver badge

      Re: Dane geld

      Actually history says that you might get rid of the Dane but you don't get rid of the geld.

      Death and taxes.

  23. Anonymous Coward

    Cracking up at y'alls reactions

    It's so humorous when people feel a business should go out of business... just don't pay the ransom.

    Everyone agrees the business made really poor decisions in relation to IT security, DR planning, business continuity, etc. That being said, they shouldn't kick their employees to the welfare office just so your sense of "ethics" don't get bruised.
