Two in five Brits cough up for CryptoLocker ransomware's demands

Around two in five people who fall victim to CryptoLocker have agreed to pay a ransom of around £300 to recover their files, according to a survey of victims. Researchers from the University of Kent quizzed a total of 48 people who had been affected by CryptoLocker. Of the sample, 17 said they paid the ransom and 31 said they …

COMMENTS

This topic is closed for new posts.
  1. MJI Silver badge

    Cheapest option sometimes

    This happened at a customer and it buggered the database big time.

    It was a few days before the idiot responsible mentioned it; by then hardware checks had been carried out and the database server writers involved, no faults found.

    In this case they took the strategic decision to restore what was restorable and to suffer data loss for what was not.

    I hope they sacked the moron responsible.

    1. Amorous Cowherder
      Pint

      Re: Cheapest option sometimes

      OK what about education? If the company doesn't educate and ensure security is maintained, how can you blame the users?

      For example: user is trading data with a third party, and the third party sends the user a USB stick with some data on it. Stick is carrying shitware which then gets into the network.

      The users had never been told not to just accept devices from third parties on spec. The desktops should not have open USB ports. Was the AV software up to date? Was a standalone PC available for testing portable devices for shitware when they come into the building?

      Obviously I don't know the background but even though I've worked in IT for nigh on 30 years I still keep an open mind 'cos I know we're not holier-than-thou in IT just 'cos computers are our business. No story is ever pure black and white, and once management get involved you know it's going to get a lot more colourful!

      1. Captain Scarlet Silver badge
        Facepalm

        Re: Cheapest option sometimes

        Sometimes users don't want to be educated, for instance showing a user one-to-one how to back up their files. One user decided to deny ever being told anything when their HD died (thankfully recovered via a specialist service) and everyone else who was shown one-to-one and signed a form also started denying it.

        Very annoying as it's simply SyncToy: open, click "all" and click "run all" -_-

        1. Lost in Cyberspace

          Re: Cheapest option sometimes

          Probably wouldn't prevent cryptolocker, but I frequently set up scheduled, auto backups for customers (over network, to HDDs etc) in addition to manual icons. Even if the customer doesn't seem bothered about it.

          Don't trust the customer to do it.

        2. Anonymous Coward

          Re: Cheapest option sometimes

          Wouldn't a better solution be to tell the users not to use the local drive in the computer for storage of company documents? Then add the stipulation that if the user decides not to take this advice, the user is responsible for what transpires from that decision. If their HD crashes and they have to spend 120 hours a week catching up on their work for weeks on end because of that decision, then that is what they will be required to do. If deadlines are missed because of it, then when review time comes around, it won't be pretty.

          1. Captain Scarlet Silver badge

            Re: Cheapest option sometimes

            @AC "the user is responsible for what transpires from that decision"

            Yeah we have that but try getting people to accept it, toys out of the pram crying to their boss, then the boss starts crying when they find out we are going to cross charge said department for data recovery.

      2. Lord Lien

        @ Amorous Cowherder

        I've been doing it 20 years & people still store work in the recycle bin. I had an "incident" last week which went to HR. So if you can't educate against people STILL doing this how can you educate them into very basic security?

      3. Charles Manning

        Any system that expects people to be perfect is broken

        When you design a system of any sort, you design in all the environment in which that system operates.

        In many cases, particularly computer systems, the environment includes people. The person is designed into the system.

        If your computer system depends on power - which it probably does - you don't depend on it being perfect. You expect it to fail occasionally and therefore install UPSs etc.

        Same deal with the people: you're designing people into the system. People fail. Design for that.

    2. Anonymous Coward

      Re: Cheapest option sometimes

      So, the database server got hit? So either the database was on a share or the server was used for other purposes.

  2. Paul Renault

    Bad Headline Writer! Bad! Down boy!

    "Around two in five people who fall victim to CryptoLocker" <> "Two in five Brits"

    1. Ian Yates

      Re: Bad Headline Writer! Bad! Down boy!

      "Around two in five from a sample of 48 people who fell victim to CryptoLocker"

      FTFY

      Unless, of course, only 48 people have fallen victim to it.

      1. Frankee Llonnygog

        Re: Bad Headline Writer! Bad! Down boy!

        Are they even sure the 48 were all Brits?

      2. Gav

        Re: Bad Headline Writer! Bad! Down boy!

        "Around two in five who were willing to admit it, from a sample of 48 people who fell victim, have coughed up to CryptoLocker ransomware's demands"

        1. Anonymous Coward

          Re: Bad Headline Writer! Bad! Down boy!

          "Around two in five who were willing to admit it, from a sample of 48 people who fell victim, have coughed up to CryptoLocker ransomware's demands"

          If they were daft enough to both not back up, and to catch it, then how do we know which proportion had a genuine problem of encrypted data, and who were paying up in response to the fake Cryptolocker web pages that flash up (eg, when browsing porn, so I hear, *cough*).

  3. Anonymous Coward

    Changing passwords

    > better security practices, such as regularly changing their passwords

    Huh? Why?

    1. Mark #255
      1. Anonymous Coward

        Re: Changing passwords

        "Indeed. Bruce Schneier disagrees with you, El Reg"

        Most corporate security bods don't though. They do have rules for 90 day changes. They do insist on one capital, one numeric, one special character, but then do nothing to block Password1! and similar rubbish.

        They insist on multiple passwords and authentications for systems that aren't really critical - so I've got an encryption password on my work laptop, system user name and password to do anything business critical, but then they've got 2FA on top, but that 2FA is only if I want to book a holiday or claim a few quid in expenses (approved by the relevant manager anyway). Then there's the mobiles, which have three separate 6 character PINs, one for encryption, one for the device splash screen, and a third for the email client. Guess what security twits? Everybody sets all three PINs to the same number. I recently asked our IT guys if we could securely record who accesses what, when, and from what IP for some rather sensitive documents. I might as well have spoken to a brick wall, because they simply don't understand.

        Until the corporate security IT people live in the real world, the whole password thing is going to remain a big bucket of fail.

        1. JohnG

          Re: Changing passwords

          "Most corporate security bods don't though. They do have rules for...."

          ....what the user base and management will agree to. In the end, senior management want to be able to tick the box about security but they don't want to spend serious time or money on it.

          If you do impose something really strict, the users will just write everything down and stick it to the back of their phone, near their monitor and/or put it in a file on their desktop named "passwords.txt".

          I don't know why anyone would be surprised by the survey results - if everyone cared about preventative measures, STDs would be largely eradicated.

        2. Jamie Jones Silver badge
          Facepalm

          Re: Changing passwords

          " Most corporate security bods don't though. They do have rules for 90 day changes. They do insist on one capital, one numeric, one special character, but then do nothing to block Password1! and similar rubbish."

          I once worked somewhere where that happened - although it was management who came up with the policy.

          To appease them, a colleague wrote a program that generated pronounceable passwords that weren't actually words. Management made him rewrite it, saying "you have to have zeros and ones instead of 'o' and 'i'" - showing cluelessness regarding dictionary attacks, and the futility of changing all 'o's and 'i's every time. (Management had obviously heard something relating to dictionary attacks, but only remembered a few 'buzzwords' without actually understanding the situation)

          In the end, we had about 100 machines with unmemorable (but only 8 characters long) 'random' passwords. 10 passwords were changed daily, meaning each password only lasted 10 days.

          So, each day, a new 'password sheet' was distributed to support staff. If I ever needed to access something out of hours, it was easy - I'd just go to the support office and there would always be a copy of the password sheet in sight...

          1. Grease Monkey Silver badge

            Re: Changing passwords

            One reason for corporate rules on changing passwords regularly is not to defeat serious hacking attempts. It's to defeat the casual sharing of passwords among staff.

            I'm currently involved with an organisation where password sharing is the norm and password changes aren't enforced. Trying to ram information security principles and DPA compliance down their throats is hard work, because personal convenience seems to overrule everything as far as the staff (from management level down) are concerned.

            It came as a surprise to them to learn that Emily could log onto Richard's computer with her own credentials. So there was no reason for Emily and Richard to know each other's passwords, or as I found out to my dismay for them to USE THE SAME PASSWORD.

            They don't like the idea of locking their PC when they walk away from it or having a time out that does it for them even when that timeout is set to 15 minutes. Why? Because it's so damned hard to type in their password when they need to use the PC again.

            They don't understand that each user should have their own login for each system. Audit log? Controlling different users access? Removing access when it is no longer needed? None of that is as important as the ease of having credentials of OFFICE and Passw0rd. (Hey look it's got upper and lower case and a number, so it must be secure.)

            In another organisation I came across a user who had been logging on to his PC with another user's credentials for weeks. Why? Because he'd locked his account and the service desk was engaged when he phoned.

            This is how users behave. Of course they would deny it until pressed hard enough, but are you surprised that malware is so successful when users put ease and convenience ahead of all else?

            Oh and don't look down on them. There's nobody reading this whose security practices are perfect.

            Oh BTW the linked article above may mention that password cracking software can generate 8 million passwords per second. So what? How long does it take the system trying to be cracked to process each password attempt? Most take a noticeable time to respond; even if that's only a tenth of a second, that would be about ten days to try those 8 million passwords. And that's before you take into account that most systems get suspicious long before 8 million password attempts. A lock after five attempts of only 15 minutes would extend that ten days out to something like 45 years.

            Oh and the number of combinations for an 8 digit password is 200,000 billion if you only include letters and numbers. Include easily typed punctuation and that's 5 million billion. How long would it take to get through that lot even at 8 million a second? Properly chosen passwords are not easy to crack.

            Scaremongering is fun but only when it's vaguely realistic.
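The guessing arithmetic in the post above, worked as an added example (not the commenter's own code). The 8 million guesses per second, 0.1 s response time and five-attempt/15-minute lockout are the figures quoted in the thread; the alphabet sizes (62 alphanumerics, 95 printable ASCII) are assumptions. It also adds the offline case the post does not cover: a rate like 8 million per second is only reachable when the attacker holds a copy of the password hash and no server is in the loop, so a lockout policy buys nothing there.

```python
"""Model of the online-guessing arithmetic in the comment above.
Added example, not the commenter's own code; the 8 million guesses/s,
0.1 s response time and 5-attempts/15-minute lockout are the figures
quoted in the thread, the alphabet sizes are assumptions."""

SECS_PER_DAY = 86_400
SECS_PER_YEAR = 365.25 * SECS_PER_DAY


def keyspace(alphabet_size, length):
    """Number of distinct passwords of the given length and alphabet."""
    return alphabet_size ** length


def offline_exhaust_seconds(space, guesses_per_second):
    """Time to try every candidate when the attacker holds the hash and
    is limited only by their own hardware (no server in the loop)."""
    return space / guesses_per_second


def online_guess_seconds(guesses, response_s, lockout_after=0, lockout_s=0.0):
    """Time for `guesses` attempts against a live system that takes
    `response_s` per attempt and, when lockout_after > 0, freezes the
    account for lockout_s seconds after every lockout_after failures."""
    total = guesses * response_s
    if lockout_after > 0:
        total += (guesses // lockout_after) * lockout_s
    return total


def scenarios():
    """Work the thread's numbers; returns a dict of label -> value."""
    alnum = keyspace(62, 8)       # a-z, A-Z, 0-9 (assumed alphabet)
    printable = keyspace(95, 8)   # printable ASCII (assumed alphabet)
    rate = 8_000_000              # guesses per second quoted above
    return {
        "alnum_8_keyspace": alnum,
        "printable_8_keyspace": printable,
        # offline: the 8M/s figure applied to a stolen hash
        "offline_alnum_days": offline_exhaust_seconds(alnum, rate) / SECS_PER_DAY,
        "offline_printable_years": offline_exhaust_seconds(printable, rate) / SECS_PER_YEAR,
        # online: the same 8M guesses against a server answering in 0.1 s
        "online_8m_days": online_guess_seconds(rate, 0.1) / SECS_PER_DAY,
        # online with a 15-minute lock after every 5 failures
        "online_8m_lockout_years": online_guess_seconds(rate, 0.1, 5, 900) / SECS_PER_YEAR,
    }


if __name__ == "__main__":
    for label, value in scenarios().items():
        print(f"{label:26s} {value:,.2f}")
```

The online figures reproduce the post's "about ten days" and "something like 45 years"; the offline rows show that the same 62-character keyspace falls in under a year to the quoted rate once the hash has leaked.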

  4. gavpowell

    Not Very Helpful

    There's hardly any substance to this article at all - couldn't you have filled a little more space with a set of bulletpoints suggesting how best to prevent the attack?

  5. alain williams Silver badge

    Backups

    Is it really that hard ?

  6. teebie

    25.3 million Brits have paid for ransomware? Bloody hell

    Maybe your headline writer shouldn't get a raise this year.

    Also a sample size of 48 people doesn't tell us much.

    1. NogginTheNog
      FAIL

      Re: 25.3 million Brits have paid for ransomware? Bloody hell

      It does: it tells us any conclusions drawn from this study are bullcock!

  7. Forget It
    FAIL

    Doesn't say if the ones that paid got their data back or not.

  8. Zacherynuk

    "Around two in five people who fall victim to CryptoLocker have agreed to pay a ransom of around £300 to recover their files, according to a survey of victims."

    "Cowed victims hand over thousands rather than install basic security measures"

    Pray tell, once these people have fallen victim, which security measure gets their data back ?

    1. Grease Monkey Silver badge

      Interesting choice of quotes there anyway. How does £300 equate to thousands?

  9. Lamont Cranston
    Joke

    More than 1 quarter of users have no antivirus running?

    Who says Linux hasn't achieved critical mass yet?

    1. Anonymous Coward

      Re: More than 1 quarter of users have no antivirus running?

      Well actually, "more than a quarter (28.2 per cent) of respondents in the survey claim not to engage in any security practices online, such as using antivirus software, firewalls, or password management tools".

      But of course many people have a firewall in their ADSL router/cable modem and don't realise it. So I imagine this 28.2% figure is a lot higher than the reality.

    2. Anonymous Coward

      Re: More than 1 quarter of users have no antivirus running?

      Yes - what should ALWAYS be mentioned in these reports is that ALL USERS AFFECTED RUN MICROSOFT SOFTWARE in big red letters. And of course, people that do _are_ stupid enough to pay their money to get out of the fix.

      I bet the next version of this will do nothing to fix the encryption even after payment - it is too easy to dupe fools.

  10. Anonymous Coward

    Of the ones who paid up, how many got their data back?

    If none, then it's worth making that very public so people don't pay in future.

    Actually why not put out the line that the data is never restored either way - then people won't pay, they might start making backups and the scammers may move on to something else when the money stops rolling in.

  11. Frankee Llonnygog

    On the bright side

    You won't have access to your files but neither will the NSA

  12. Miss Config
    Holmes

    But was the ransom payment 'successful' ?

    Did they actually get access to their data again ?

    Even if they did, not all such 'cryptoransomers' may be so 'honest'.

    1. Anonymous Coward

      Re: But was the ransom payment 'successful' ?

      "Did they actually get access to their data again ?"

      According to web reports, as a general rule yes. This might be criminal damage from your point of view, from the point of view of those behind Cryptolocker, this is a business looking to recoup its investment, maximise those returns, and to find new routes to market and growth opportunities. Consider: if they encrypted your data, you paid, and they didn't cough the key for you, you'd spread the word, and people would know not to pay. Suddenly the business hasn't got any revenues despite the spread of the malware - that's no good for the people behind this, is it?

  13. Chris 69

    If the NSA, GCHQ and their ilk are so damn clever..

    How come they can't use all that expertise to nuke all the ransomware peddlers, spammers, phishers and trolls...

    1. This post has been deleted by its author

    2. RobHib
      Thumb Up

      @Chris 69 -- Re: If the NSA, GCHQ and their ilk are so damn clever..

      Where's the NSA and GCHQ when we actually need them?

      Right—they're missing in action.

      However, if you read the fine print, they conveniently say it's not their responsibility (i.e.: that it's a normal law enforcement problem).

    3. bitmap animal
      Stop

      Re: If the NSA, GCHQ and their ilk are so damn clever..

      How do you know they aren't doing it? You can't always get everyone when playing Whack-A-Mole, and people only shout about the ones that affect them; they have no idea if they have been 'saved'.

      1. Not That Andrew
        FAIL

        Re: How do you know they aren't doing it

        You're seriously deluded if you think the intelligence agencies give a damn about your data security

  14. Anonymous Coward

    100 Per Cent

    "The first survey, released in August 2013, revealed almost one in five people (18.4 per cent) in the UK had their online accounts hacked, with some people (2.3%) losing more than £10,000 due to criminal activity"

    Well, that is 18.4% REALIZED they were hacked, or THOUGHT they were hacked.... the rest were hacked and just didn't notice!

    1. Grease Monkey Silver badge

      Re: 100 Per Cent

      THOUGHT they were hacked indeed.

      I've lost count of the number of users who have contacted me complaining of a malware infection only to find that in most cases it was just a perfectly ordinary IT problem. Or sometimes it was pure user stupidity. One user's "virus" was a file resting on the control key.

      The frequency of such incidents always goes through the roof after any media scaremongering about malware.

  15. Anonymous Coward

    Great - we'll have these idiots to blame then when these viruses become more and more common.

  16. psychonaut

    how to prevent the attack

    1. Have a backup, obviously. Carbonite for instance have a dedicated team who can tell when the infection hit and will roll those encrypted files back for you. Not bad for 80p a week.

    2. Use CryptoPrevent from FoolishIT (yes, really). It's free. Sets group policies on any machine to prevent CryptoLocker and much other malware. Basically it prevents exes from running from temp locations and downloads, and double file extensions like .xls.exe etc. You just push apply and it does it. Easy. Not bad for free. Of the 2k users I support we've had 4 crypto incidents. Carbonite saved every one of them. Since I found out about CryptoPrevent I don't expect to see any more.

    Not difficult. Off you go.
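A defender-side check for the two rules psychonaut describes (executables running from temp or download locations, and deceptive double extensions such as .xls.exe), written as an added example in Python. It is not CryptoPrevent's code; the extension sets, the location globs and the sample paths are all assumptions constructed for the example.

```python
"""Flag paths an SRP-style policy like the one described above would block:
executables in temp/download locations and deceptive double extensions.
Added example, not CryptoPrevent's code; extension sets and location
globs are assumptions and the sample paths below are constructed."""
import fnmatch
from pathlib import PureWindowsPath

# Extensions Windows treats as executable (assumed, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions users read as harmless documents or media.
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg", ".png", ".txt", ".zip"}
# Locations an executable should not be launched from (lower-case globs).
BLOCKED_LOCATIONS = [
    "*\\appdata\\local\\temp\\*",   # per-user %TEMP%
    "*\\downloads\\*",              # browser download folders
    "c:\\windows\\temp\\*",         # system temp
]


def reasons(path):
    """Return the list of policy rules `path` violates; empty means allowed.
    Only executables are examined, so a document in Downloads is fine."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes or suffixes[-1] not in EXEC_EXTS:
        return []
    found = []
    lowered = str(p).lower()
    for pattern in BLOCKED_LOCATIONS:
        if fnmatch.fnmatchcase(lowered, pattern):
            found.append(f"executable in blocked location ({pattern})")
            break
    # invoice.xls.exe: the visible name looks like a spreadsheet
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
        found.append(f"double extension {suffixes[-2]}{suffixes[-1]}")
    return found


def scan(paths):
    """Map each flagged path to its reasons; allowed paths are omitted."""
    return {path: r for path in paths if (r := reasons(path))}


# Constructed sample paths, not taken from any real incident.
SAMPLE_PATHS = [
    r"C:\Program Files\App\app.exe",
    r"C:\Users\bob\Documents\report.docx",
    r"C:\Users\bob\Downloads\setup.exe",
    r"C:\Users\bob\Downloads\invoice.xls.exe",
    r"C:\Users\bob\AppData\Local\Temp\7zO1234\photo.jpg.scr",
    r"C:\Users\bob\Documents\holiday.jpg.scr",
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(why))
```

Run against a file listing or process-creation log it shows which launches a path-based restriction policy would have stopped; note that the double-extension rule catches the lure even outside the blocked folders.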

  17. psychonaut

    Anyway, it's really not to do with passwords. If the user has the admin password all bets are off. This is true for most home users or small businesses, even if you set them up with an admin account and a restricted user account and teach them to be careful when the "put admin password in" box appears. They don't care. They just want to use it and get rid of annoying boxes. In a corporate environment pretty unforgivable though. Apparently you do get your data back if you pay the ransom... kinda nice of the hackers... well I guess it means that people are more likely to pay if they know that.

    AV software is also not that good at picking it up. I use Trend Micro WFBS which is usually excellent but it has let it through in 2 of those 4 cases. The other 2 had declined to buy it. Luckily they all had Carbonite. Not bad for 2000 PCs though.

  18. ecofeco Silver badge

    Back of the envelope says...

    Estimate at least 10,000 people hit. 2000 pay up.

    Damn. That's not a shabby payday.

  19. Grease Monkey Silver badge

    Educating users to back up files is one thing. Educating them to back up files properly is another. One of my neighbours told me that she religiously backs up her files every night. Turns out that she was indeed backing up every night, but to a USB stick that never left the USB port of her laptop. Better than no backup at all, but not by much.

    BTW is 48 a statistically significant sample?

  20. HandyBaggins

    People need to install CryptoPrevent by FoolishIT. After reading about it that's the first thing I did, installed it on all computers I use regularly.
