A ransomware attack is potentially more damaging than a data breach, especially to a business. No organization wants its data stolen, but it can continue to function after it discovers a breach. If all of its data are encrypted and it doesn’t have a backup, it can’t function.
Third, as a white paper by ICIT (Institute for Critical Infrastructure Technology) noted, the ransom demanded is generally not a crippling amount. For individuals, it tends to be a few hundred dollars in Bitcoin. “From law enforcement’s perspective, a home burglary results in greater loss than a singular ransomware attack,” the report said, which means law enforcement will rarely devote “significant resources” to investigating it.
According to ICIT, Joseph Bonavolonta, the Boston-based head of the FBI's CYBER and Counterintelligence Program, got into trouble with Sen. Ron Wyden (D-Ore.) in October 2015 when he said, "To be honest, we often advise people just to pay the ransom."
After Wyden complained, the FBI “clarified” that its position was, “only to pay the ransom if mitigation steps failed and the only other option was to lose the files.”
Those factors, which all contribute to the success rate of ransomware attacks, are some of the same reasons victims are motivated to pay – they are desperate to recover their files, and they can afford the price more easily than they can afford to lose their files.
Of course, there is plenty of logic behind the FBI’s arguments as well. The primary one is that paying simply makes the problem greater – the more criminals make, the more they will attack.
The bureau and others also note that there is no guarantee that criminals will produce an encryption key once the ransom is paid, or get rid of the malware on the device, meaning a victim could get victimized again.
Krebs said victims do have options, even if they don’t have a current backup. He recommended contacting two websites – No More Ransom and Bleeping Computer – which provide free solutions to at least some ransomware variants.
Krebs said No More Ransom, which is backed by security firms and cybersecurity organizations in 22 countries, had saved 6,000 victims of ransomware more than $2 million by December 2016.
But that statistic, say other experts, shows that while it is a laudable initiative, it is unlikely to slow the explosive growth of ransomware – $2 million is barely a rounding error in the total being collected by cyber criminals.
“Resources like No More Ransom are great, but unfortunately they are a drop in the ocean,” said Ilia Kolochenko, CEO of High-Tech Bridge.
He is just one of many experts who say the only really effective way to deal with ransomware is to prevent it. He called it, “somewhat similar to AIDS – it’s relatively easy to prevent it, but only when it’s not too late.”
Sign up for CIO Asia eNewsletters.