back to article FBI softens stance on ransomware: it's (sort of) okay to pay off crims to get your data back

The FBI is easing up a bit on its hardline stance against paying ransomware demands. The Bureau has posted an updated version of the guidance it offers for companies on how to handle ransomware demands with a section discussing the option of paying the hackers to get data decrypted. In short, the FBI still says that companies …

  1. Danny 2

    "via a consultant or security professional who is able to verify that the decryption keys will work and the malware infection can be thoroughly purged after"

    Please someone explain to me, how can any security professional know this without access to to the decryption key in advance? Is this the equivalent of an independent hostage negotiator trusted by both the police and the mafia? Such people do exist, apparently.

    1. doublelayer Silver badge

      I think they can do two things, though only the first one is guaranteed to be available:

      1. Check what ransomware strain was used and see if it's on a list of ransomware known not to decrypt. If it is, don't allow the company to pay. This can catch some old ransomware, but most strains that don't decrypt and are used nowadays are relatively new.

      2. Try to negotiate with the people demanding the ransom for proof they can decrypt. This can be done by giving them an encrypted file and asking them to decrypt it. Anyone with the decryption key can decode that file and then the decryption key can be purchased with more confidence. Of course, only the nicest of ransomware criminals are likely to put that amount of effort in to gain the confidence of a victim.

      In general, even with competent technical assistance, a ransomware attack can only be partially rewound by paying the ransom. Instead, get competent technical assistance now, create a backup system that works, and you won't need to pay the ransom at all.

      1. Mark 85

        The last paragraph is key. If you have good backups and good people (contracted or in company) then all will be good (or should be).

        I suspect the FBI advice about paying really applies to companies that don't have a good backup system or even one at all. I know of one office that has 10 computers and no backups. They claim all the computers back each other up. The owner thinks he's knows it all and any ransomwear will only stay on one PC. <sigh>

        1. Pascal Monett Silver badge

          Indeed. If this ransomware craze can be found to have a single silver lining, it will be to educate the morons that backup IS the only solution.

          1. GnuTzu

            Clarification, "offline backup" is the term that needs to be drilled into peoples' heads. Otherwise, you know what will come of just saying "backup IS the only solution."

      2. Fading
        Thumb Up

        The digital equivalent..

        Of proof of life.

  2. sanmigueelbeer Silver badge

    it's not advisable to pay ransomware demands, but you won't get in any trouble with your insurance if you do

    There, FTFY.

  3. doublelayer Silver badge

    Just for the record

    It's still a very, very bad idea to pay. The reasons are many, strong, and extensively detailed here and in many other places.

    1. GnuTzu

      Re: Just for the record

      Yeah, if a business is seriously hurting from ransomware than frikin' declare bankruptcy. Oh wait, we live in the age of too-big-to-fail; so somehow it's just O.K. to do whatever irresponsible thing you need to stay afloat--with the other floaters (i.e. crap).

  4. Anonymous Coward
    Anonymous Coward

    Tragedy of the commons

    You pay because it is less painful for you at the time, but it hurts others in the future. You, in turn, were hurt by those who decided to pay in the past.

    1. Danny 2

      Re: Tragedy of the commons

      They muck you up, your mum and dad,

      They might not mean to but they do.

      They fill you up with the faults they had,

      And add some extra, just for you

      1. Dangermouse 1

        Re: Tragedy of the commons

        Larkin actually wrote 'They fuck you up, your mum and dad'. If you're going to quote what many would regard as great literature, don't fucking well censor it :)

        1. Danny 2

          Re: Tragedy of the commons

          Mair point.

  5. MiguelC Silver badge

    The FBI says it's OK(ish) to pay ransom

    But isn't there some risk for the ransom payers that they could be prosecuted for aiding and abetting?

    1. joeW

      Re: The FBI says it's OK(ish) to pay ransom

      No. Its no more aiding and abetting than someone handing over their phone and wallet to a mugger.

  6. alain williams Silver badge

    Backups are faster & cheaper ...

    so why are you not doing good backups ?

    Also: if your office catches fire you will not be able to pay the arsonist to get a copy of your data.

    1. Jimmy2Cows Silver badge

      Re: Backups are faster & cheaper ...

      Take your pick:

      • Too tight to pay;
      • Too incompentent to realise;
      • Hoodwinked by their IT staff/contactor;
      • Misguided belief it'll never happen to them, their defences are infallible.

      1. GnuTzu

        Re: Backups are faster & cheaper ...

        Call it: "budget induced ignorance."

      2. Orv Silver badge

        Re: Backups are faster & cheaper ...

        Also the usefulness of backups depends on how far back they go and how stealthy the encryption process was.

        Watching the size of your incrementals might be a good idea.

  7. Danny 2

    Effed up backups

    You get no credit for doing backups, it's taken as granted, yet it's much more work than just printing out a grandfather-father-son or whatever routine. You also have to verify the backups can be restored, without overwriting new data.

    I started as a sys admin in the Netherlands where the backups had been automated onto DAT cassettes by a popular local employee who'd wanted my job. I noticed at least two of the DAT's tape were all chewed up and hadn't worked for ages but it wasn't a priority. I was more bothered by the fact the sacked previous sys admin had changed all the comms equipment passwords and hadn't left a copy, so he basically owned our network.

    Trying to fix compromised systems is hellish. I seriously proposed throwing out all their kit and giving me £50k to replace it, but naturally I was told it was my job to fix it. My advice is not to hire disgruntled employees in the first place, only ever hire gruntled employees.

    I should put that on my CV - "I may look miserable but I have always been gruntled"

    1. Alister

      Re: Effed up backups

      I'm gusted to hear that you are gruntled, and I would hope that you are always sheveled whilst at work and never dress in a peccable fashion.

    2. Orv Silver badge

      Re: Effed up backups

      Man, DAT cassettes were just a dumpster fire. Seemed like those drives needed cleaning roughly every four or five hours of use.

  8. Phil Standen

    AML implications

    I'm pretty sure that paying criminals without verifying their status on a sanctions list is probably illegal, even if they FBI say they don't care.

    1. Anonymous Coward
      Anonymous Coward

      Re: AML implications

      Yep - and the reputable cyber ransom negotiations company that your cyber insurer will insist you go through will verify whether the threat agents are on a do not deal list or not.

  9. JohnFen

    It's an old dilemma

    Do you take a hit in order to further the greater good (or at least in order to avoid increasing the harm to society), or do you take the dog-eat-dog approach and cover your own ass even when doing so increases the harm to everybody else?

    While my personal ethics fall strongly on the "take the hit" side, I do also recognize that others may think otherwise.

  10. Rol

    The good ship HMRC Privateer. There she sails me hearties

    "So tell me again Mortimer. Why can't we have the exact same tax set up as the likes of Amazon and Starbucks?"

    "It's complicated Mr Smith. The set up costs would almost wipe out any gains, and HMRC would be constantly clawing at our accounts for the slightest error. It just isn't worth the bother"

    "£100,000 in tax is worth the bother Mortimer. I'm not giving up until a solution is worked out"

    The months pass...

    "I've got some bad news boss. Our systems have been compromised by hackers and they're demanding £500,000 to unlock them"

    "Oh! That's not good news. We best pay them immediately"

    "Are you sure?"

    "Yes. It makes sense"

    "It's a lot of money boss"

    "Yes, but is it tax deductible Mortimer?"

    "Well it is a cost to the company"

    "And this horrible crime could potentially happen every year?"

    "Am I hearing you correctly?"

    "Yes you are. I appear to have minimised our taxes with a tactic not too dissimilar to paying off a brand owner in the Caymans, and without giving HMRC cause to blink."

    1. katrinab Silver badge
      Stop

      Re: The good ship HMRC Privateer. There she sails me hearties

      Sorry, not tax deductible

      https://www.gov.uk/hmrc-internal-manuals/business-income-manual/bim43180

      1. Ian 55

        Re: The good ship HMRC Privateer. There she sails me hearties

        You're not allowed to claim bribes either.

        I suppose that leaves having the company libel you, a la Twiggy Ratbone.

  11. david 12 Silver badge

    Report to the FBI anyway

    At least the FBI actually has an easy, logical, public way to report cybercrime. Their cyber-crime reporting web page.

    Not like my country or state (vic.aus), which just has a variety of searchable pages telling you that the vic and aus police and other agencies have no capacity to prosecute criminals located overseas, and are not interested.

  12. Anonymous Coward
    Anonymous Coward

    Crazy

    This nonsense will continue as long as it's profitable. Which is all this pushes.

    You also have no way of knowing whether data was modified whilst encrypted.. so GDPR / Data Protection legislation should kick in as you cannot validate your data as you had no control over it.

  13. JoMe

    Typical statement

    "Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks."

    So this is my issue... US law doesn't hold sway in many countries. Pretty much just the USA, really. This is a good thing, unless the US wants to be held accountable under Sharia Law, or Israel Law, or Chinese Law...?

  14. Zangetsu

    i can understand a company wanting their data back, but there is no reason to believe that after paying the ransom, will actually get any data back at all.

    the bad guys once paid, have no reason to unlock the encryption.

    so i have to agree that paying these bad guys will just lead to them doing business as usual.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like