Destroying ransomware business models is not your job, so just pay up

It's not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business. The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using …


  1. Paul Crawford Silver badge

    Price of an education...

    ...for those without working, protected backup copies I guess.

    1. Voland's right hand Silver badge

      Re: Price of an education...

      A backup containing encrypted files is not particularly useful you know.

      You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers.

      1. Roo

        Re: Price of an education...

        "A backup containing encrypted files is not particularly useful you know."

        Sure, but an earlier backup where the file isn't corrupted is still useful.

        1. Halfmad

          Re: Price of an education...

          More reliable and in the case of the ICO they wouldn't have a problem with accepting some data loss in order to ensure the data you do hold is accurate.

          By all means archive off the encrypted stuff to try to decrypt it later once the malware has been cracked.

        2. Flocke Kroes Silver badge

          Re: Backing up encrypted files

          A backup is not a backup until you have tested a restore.

          1. BebopWeBop

            Re: Backing up encrypted files

            Too true, and it is remarkable how many people only find that out when they want to do one. Not just friend and family, but 'professional' organisations as well.

            1. nerdbert

              Re: Backing up encrypted files

              And how much do you trust that you won't get hit again with ransomware? Any time I run across a PC with a nasty on it I assume that no matter what I do there's a chance some back door or other nasty will be left on the machine, and I wind up wiping it anyway. Yes, it may take a while to get the data back, and yes, the luser will be stuck reinstalling all their programs, but if I reimage the system at least I don't have to worry about missing a back door. And I keep months of images around, so an unencrypted version of the data should be available.

              1. Helldesk Dogsbody

                Re: Backing up encrypted files

                @nerdbert: Nuke and pave. Format, scram disk, reinstall.

                If you're especially paranoid put in a fresh HDD/SSD, take the old one out and put a 1/4" drill bit through it a few times, douse it in petrol and set light to it, once out and cool beat repeatedly with a hammer then encase the remains in concrete and bury in an old mine shaft.

                You could always run it through a degausser instead but it's not nearly as much fun...

                1. Ralph 4

                  Re: Backing up encrypted files

                  Don't forget to dynamite the entrance to the mine and put up a few biohazard and nuclear waste signs.

          2. Jay 2

            Re: Backing up encrypted files

            Preach! Can't give you enough upvotes for that one.

            My own personal variant being along the lines of: having a backup strategy is fine, but what about the restore strategy...?

      2. Halfmad

        Re: Price of an education...

        Absolute nonsense. If My Documents and Desktop are redirected on desktop PCs, and laptops have their documents synced, then the server backup will capture user data too. Server backups in every place I've worked are done daily, sometimes hourly, with an every-two-weeks or monthly backup run off on tape and stored in a fire safe. I was doing this in the 90s for a small company of 5 people; our CAD drawings were our business.

        It's not a case of it can't be done, if you run a business which relies upon accurate data which you can restore upon equipment failure or malware then it's simply common sense and surprisingly cheap to do. Hell at home I use Crashplan, google drive etc to ensure I have multiple copies going back YEARS.

        Yes it's best to prevent infection but any competent professional will plan for when they can't.

        1. Terry 6 Silver badge

          Re: Price of an education...

          Not even just the pros. That folder of family photos needs to be kept backed up, safe.

          Yet we still hear of distraught people who have lost all their precious piccies because they lost their mobile phone, let alone a HDD. This is 2016 and too many of us, individuals and businesses, still trust to luck that our data will still be available where we left it.

      3. Roo

        Re: Price of an education...

        "You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers."

        I don't recall seeing that bit in your original post...

        OS vendors could nip a lot of this in the bud and avoid having to educate people about backups by shipping their OSes with a default filesystem that supports snapshots. This isn't bleeding edge technology anymore, it has been around for several decades.

        1. Ben Liddicott

          Re: Price of an education...

          Snapshots - a feature provided out of the box on Windows Vista and beyond - can be programmatically deleted, because the ability to delete data is a fundamental security requirement.

        2. Anonymous Coward

          Re: Price of an education...

          You mean like OS X and Time Machine? The feature that has been baked into the OS since October 2007.

          Oh, I forgot, Register types only consider Windows and Linux to be acceptable "grown up" OSes, and so they are crying over their overwritten backups as we speak.

          1. John F***ing Stepp

            Re: Price of an education...

            Just wondering, are you trying for down votes?

            Because that type of comment probably gets down voted by Apple users as well.

      4. Alan Brown Silver badge

        Re: Price of an education...

        "A backup containing encrypted files is not particularly useful you know."

        Nor is one where the backups are gibberish.

        This is why backups MUST be tested periodically.

  2. Anonymous Coward

    Just as well this is only for people...

    Your child has been kidnapped? Listen, it's not YOUR job to break their business model, so pony up the 10 million... hopefully you'll get your kid back in one piece... if not, just "format" and "start again"...

    1. Adam 52 Silver badge

      Re: Just as well this is only for people...

      The combination of military force and a refusal of insurance companies to pay out has pretty much eliminated Somali piracy.

      (with apologies to the historic victims who are still being held)

      1. herman

        Re: Just as well this is only for people...

        No, the Somali pirates were eliminated by private security companies who simply shoot and sink any small boats that come close to the big ones - a.k.a. Shoot, Sink and Shut-up.

    2. Anonymous Coward

      Re: Just as well this is only for people...

      In Italy, to put a stop to kidnappings (very frequent in the '70s-'80s - remember John Paul Getty III?), a law was passed to hinder families from paying ransoms. A very hard strategy, true, but it paid off. There are no more kidnappings. With the State itself hindering payments (up to blocking money), threats to families became useless.

      (Yet the State itself pays off terrorists for hostages abroad for electoral reasons - and the result is they are valuable prey for those looking for cash.)

      It is true that kidnappers will, most of the time, not risk a homicide if they can't get a ransom (if they are "professional", to avoid a harsher incrimination), while ransomware criminals have no reason to give back your data if they can't get money.

    3. Warm Braw

      Re: Just as well this is only for people...

      To be fair, there is an economic argument for paying a ransom to get your data back. The moral argument is secondary.

      There's no economic argument for paying a kidnapper's ransom: even if you don't want the minor inconvenience of having to recreate your genetic progeny there are plenty of second-hand kids available and you may even be paid to take them. There may be a moral argument - guess it depends on the child...

    4. Anonymous Coward

      Re: Just as well this is only for people...

      How about format that child and DON'T start again.

  3. Anonymous Coward

    > nor the family tech geek responsible for storing that sad lone copy of family photos

    You may as well treat a ransomware infection as if it were a catastrophic hard drive failure. You have a 2-3% probability per year of that happening in the early life of the hard drive anyway. If you're not prepared for such a failure, well, clearly you were happy to accept the consequences.

    1. Adam 1

      in a way, but

      ... Ransomware can also permeate into backup media. Some of these things sit there for weeks or months silently encrypting and decrypting on the fly. This may be enough in some cases for all backups to be equally rooted.

      1. Frumious Bandersnatch

        Re: in a way, but

        "Ransomware can also permeate into backup media"

        True, but keeping an eye on the backup process can help detect large deltas.

        The way I do backups has been the same for many years:

        • Use Linux and ext* file system
        • increments start by making a hard-linked (cp -l) copy of previous snapshot
        • Use rsync or similar tool that only overwrites/transfers changed files
        • Similar arrangement for 2nd, 3rd generation backups

        If something were to start encrypting files en masse, I would see it pretty soon, either in the rsync summary (being longer/larger than usual) or in the size of the increment as stored on the disk---after the backup, I calculate the delta size by counting files that only have a single hard link; these must be the changed files. Because hard-linking takes up relatively little space, I maintain these "snapshots" going back for quite a long time and only delete them manually, so that gives me a second chance to notice any damage and to roll back when it does happen.

        I also use a hand-rolled file integrity system based on the same idea as the "shatag" tool. I will periodically update SHA256 hashes for all files and store them in the file system as extended attributes. I also collate these hashes across all machines and use the metadata to enforce a replication policy across multiple machines (or at least to verify that it's working). I've also got a separate scheme (using erasure codes to give a high level of redundancy with modest overheads) for cold/archival data.

        One other thing I've toyed with is using the LVM snapshot facility. It could replace the hard-linking scheme I use to some degree. In this case, larger-than-expected deltas would overflow the copy-on-write buffer, alerting me to something strange/unusual via a message about a failed backup. I prefer the hard-linking scheme, though, since it's more permanent and gives better historical integrity. LVM's snapshot facility is perfect for backing up volumes with databases on them, though, since you get an atomic backup without needing to lock the database first.
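The hard-linked snapshot scheme and the delta check described in the post above, as an added example that is not the poster's own script: each run starts as a `cp -al` copy of the newest snapshot, the source is synced into it, and afterwards the files with a single hard link are counted, since those are exactly the ones created or rewritten in this run. The snapshot root, the snapshot names, the 20% threshold and the constructed "photo" files are assumptions for the demo; a fallback copy loop is included for hosts without rsync.

```bash
#!/bin/sh
# Added example, not code from the original post: hard-linked snapshot backups
# with rsync, followed by the "count files with a single hard link" delta check.
# Paths, snapshot names and the 20% threshold are assumptions for the demo.
set -e

# sync_tree SRC DST: copy new/changed files from SRC into DST, drop vanished ones.
# rsync writes a changed file to a temp name and renames it over the old one, so
# the inode shared with the previous snapshot is left untouched.
sync_tree() {
    src="$1"; dst="$2"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src"/ "$dst"/
        return
    fi
    # Portable fallback for hosts without rsync (assumption). Unlink before
    # copying: an in-place overwrite would write through the shared inode and
    # silently alter every older snapshot that still links to it.
    ( cd "$src" && find . -type d ) | while IFS= read -r d; do
        mkdir -p "$dst/$d"
    done
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        if [ ! -f "$dst/$f" ] || ! cmp -s "$src/$f" "$dst/$f"; then
            rm -f "$dst/$f"
            cp -p "$src/$f" "$dst/$f"
        fi
    done
    ( cd "$dst" && find . -type f ) | while IFS= read -r f; do
        [ -f "$src/$f" ] || rm -f "$dst/$f"
    done
}

# snapshot_backup SRC ROOT NAME: ROOT/NAME starts as a hard-linked copy (cp -al)
# of the newest existing snapshot, then SRC is synced into it.
snapshot_backup() {
    src="$1"; root="$2"; name="$3"
    mkdir -p "$root"
    prev=$(ls -1 "$root" | sort | tail -n 1)
    if [ -n "$prev" ] && [ "$prev" != "$name" ]; then
        cp -al "$root/$prev" "$root/$name"
    else
        mkdir -p "$root/$name"
    fi
    sync_tree "$src" "$root/$name"
}

# delta_count SNAPSHOT: regular files with exactly one hard link, i.e. the files
# created or rewritten by this run. Unchanged files still share an inode with the
# previous snapshot and therefore have two or more links.
delta_count() {
    find "$1" -type f -links 1 | wc -l | tr -d ' '
}

# check_delta SNAPSHOT MAX_PERCENT: succeed if the rewritten fraction is within
# the threshold, fail if it exceeds it. A run that rewrites nearly every file is
# what mass in-place encryption looks like from the backup side, so older
# snapshots should not be pruned until someone has looked.
check_delta() {
    snap="$1"; limit="$2"
    total=$(find "$snap" -type f | wc -l | tr -d ' ')
    changed=$(delta_count "$snap")
    [ "$total" -gt 0 ] || return 0
    pct=$((changed * 100 / total))
    echo "$snap: $changed of $total files rewritten (${pct}%)"
    [ "$pct" -le "$limit" ]
}

# Demo on a constructed tree: a normal day (one edited file) passes the check,
# then every file is rewritten, as in-place encryption would do, and the check
# flags it. The first full snapshot naturally shows 100% and is not checked.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    for n in 1 2 3 4 5; do echo "photo $n" > "$work/src/img$n.jpg"; done
    snapshot_backup "$work/src" "$work/snaps" day1
    echo "edited" > "$work/src/img1.jpg"
    snapshot_backup "$work/src" "$work/snaps" day2
    check_delta "$work/snaps/day2" 20 || echo "ALERT: unexpected mass rewrite"
    for f in "$work"/src/*; do echo "scrambled $f" > "$f"; done
    snapshot_backup "$work/src" "$work/snaps" day3
    check_delta "$work/snaps/day3" 20 || echo "ALERT: unexpected mass rewrite"
    rm -rf "$work"
}
demo
```

The check is only useful if it gates the pruning of old snapshots: a mass rewrite should stop the automatic deletion of earlier generations, since those are the copies that still hold the unencrypted files. The fallback loop also illustrates why the copy step has to unlink first; writing into a hard-linked file would change every snapshot that shares the inode.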

        1. Adam 1

          Re: in a way, but

          Your process is admirable, but not in the realm of technical capability of Aunt Kath. Remember the comment thread you are replying to basically says that about 3% of disks will fail without any malicious ransomware, so it is hard to have sympathy for those without backups. That's why I think of who the victims are. The average El Reg commentard is too super DevOps skilled to fall for the phishing schemes that deploy this ransomware. But our Aunt Kath will go right ahead. So the people most at risk of infection would have no clue what rsync or hard links mean and the concept of incremental backups isn't even on their radar.

          1. Anonymous Coward

            Re: in a way, but

            There is so much CRAP backup software out there, that Aunt Kath will be very lucky to avoid paying.

            Let's assume that she uses Windows. Virtually none offer a bare metal system backup. So we also assume she is backing up only her treasured photos.

            Most simply synchronize a copy of whatever is current to the cloud; there are not a lot that provide previous versions, if they are indeed actually working (not at all helpful because the photos are now encrypted!).

            So even if Aunt Kath tried to do the right thing, the market will mean that she has probably failed.

  4. Seajay#

    It is our job to uphold the law

    The law and the police aren't something outside of society (or at least they shouldn't be). They are just some specialists that we as a country are employing to help us in achieving our ideal of how society should work. The job of creating that society in the image that we want is ours.

    You wouldn't, I hope, ignore a shoplifter or walk past some teenagers mugging an old lady. How is this different?

    1. Ben Liddicott

      Re: It is our job to uphold the law

      I've upvoted you for the sentiment, but you asked "how is this different"?

      If I saw someone breaking into a car and stealing a hard-drive or a camera, I wouldn't ignore that, of course. As you say it is our duty to intervene.

      But if someone stole a hard-drive containing my family photographs, or the only copy of (encrypted) customer data, or unencrypted sensitive information, or a camera whose card contains the only copy of someone's wedding photographs, I would pay the thief to get it back.

      What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different.

      1. Seajay#

        Re: It is our job to uphold the law

        You're right it is different and I've probably been a bit lazy with my analogy. But there are two crimes; one is encrypting your hard drive and the other is extortion. The latter is still in progress at the point you're deciding to pay the ransom.

        Fun fact. If you suspect that the ransomware group may be funding terrorists and you pay them anyway then you are a criminal too.

        https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/382438/CTS_Bill_-_Factsheet_9_-_Kidnap_and_Ransom.pdf

        1. Ben Liddicott

          Re: It is our job to uphold the law

          If I'm mugged at gunpoint, that's a crime in progress, but I'll be handing over my wallet all the same. If a child is kidnapped in practice you find that often people do what the criminals want first, then go to the police only afterwards.

          Comparing on the one hand, paying an extortionist to retrieve irreplaceable property, and on the other, being too idle to shout "Oi!" at a casual thief, is just silly. They are different.

        2. Vic

          Re: It is our job to uphold the law

          "If you suspect that the ransomware group may be funding terrorists and you pay them anyway then you are a criminal too."

          ...then you might be suspected of being a criminal too.

          For you to become a criminal would require a jury to find you guilty.

          Vic.

          1. Seajay#

            Re: It is our job to uphold the law

            "For you to become a criminal would require a jury to find you guilty."

            I would say that if you commit a crime, you're a criminal. If you haven't been found guilty then (quite rightly) the criminal justice system will treat you as innocent, no newspaper would be allowed to call you a criminal, etc, etc. But without wanting to get into too much of a philosophical discussion of Objectivism, there is such a thing as reality. It may be the case that what matters for the question of whether you should be treated as a criminal is whether you have been found guilty. But for the question of whether you are a criminal, all that matters is whether you committed the crime.

      2. Just Enough

        Re: It is our job to uphold the law

        "What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different."

        No. The second is actually adding another crime to one that has already occurred. First you have the crime of theft, and then you have the crime of extortion that is still underway at the point you hand the money over. So they are both ongoing, and not as different as you suggest.

      3. Anonymous Coward

        Re: It is our job to uphold the law

        Why pay the person holding your belongings to ransom?

        Why trust them twice over? The first time with what they now have, the second time with what you are now giving them?

        If you start paying shoplifters to take items from your store and return them... is it not a rod for your own back?

  5. Anonymous Coward

    Don't be so harsh

    Most of the victims are not IT savvy; you can't blame people for that.

    The ransomware plague has made me change my backup plans, especially as malware now deals with networked drives etc.

    So I now have 3 backups. The cost of a 3TB drive is small enough to justify the cost, and my songs, pics and docs, which I have collected since I was using my Amiga, are more precious to me than a 90 quid hard drive.

    People need educating, not berating for not being IT savvy. Remember, some of these non IT people are surgeons, solicitors, scientists. Not understanding malware does not automatically mean they are not intelligent.

    1. Paul Crawford Silver badge

      Re: Don't be so harsh

      Sadly most people, including some IT-literate sorts, simply have no plan for data loss. It could be a HDD failure, some "gross administrative error" formatting something, a laptop being stolen, or a cryptolocker attack. Sooner or later it happens (couple of % per year for HDD, no idea how common cryptolocker is in comparison) and only then do most folk do anything about it.

      When it's too late.

    2. goldcd

      Relying on something you don't understand

      is stupid.

      I own a circular saw I bought for one job. I pretty much could guess how it worked, but after revving it up and realizing I could take my leg off with this thing, I did half an hour of safety research before embarking on the single 15 second job it ever did.

      Problem is that computers are sold as "being easy" with vendors of all ilk going out of their way to tell you all the wonderful things you can do (/expose/lose if it goes wrong).

      If somebody breaks into your house and steals your TV (does anybody do this any more..anyway..) - The police would be expected to come round, dust for prints, and make a vague attempt to recover your TV.

      Can you imagine walking into your Police station with an encrypted laptop and asking them for help?

      1. Anonymous Coward

        Re: walking into your Police station with an encrypted laptop

        Is that safe? What if they thought you seemed a bit suspicious and so demanded you supply the decryption keys for your laptop under RIP?

      2. Seajay#

        Re: Relying on something you don't understand

        I think you may be disappointed with the actual response you get from the police if someone steals your TV. It pretty much amounts to "Have they? Oh dear. Here's a crime number for your insurer."

      3. shin

        Re: Relying on something you don't understand

        Exactly. 2016. IT knowledge is necessary to live in today's society. LEARN IT! (Unless you'd rather go farm for a living, that's cool then.)

    3. Anonymous Coward

      Re: Don't be so harsh

      No, they need berating and shaming for being too LAZY to learn even the BASICS of IT. It's 2016 - time to stop catering to the intellectually lazy.

      If someone refused to learn anything else needed to live in today's world, people would call them crazy, etc. But if it's tech related--in today's COMPLETELY tech dependent world--OH NO, it's okay if you're intellectually lazy... someone will wipe your arse for you every time.

      Time for people to either put out the effort to learn technology, or STOP using it (and screwing it up for the rest of us) entirely!

  6. Adam 52 Silver badge

    How sad. You complain about ransomware and then recommend that people finance the criminals' business model.

    We need herd immunity, otherwise these scams will become (even) more sophisticated and more frequent.

  7. Halfmad

    It's not three choices for most businesses, only those run by idiots.

    Paying up means potentially getting items decrypted, it can also mean getting nothing back or getting partial data back - which is arguably far worse than accepting some data loss and restoring from a known good backup source.

    1. toughluck

      Re: It's not three choices for most businesses, only those run by idiots.

      And nobody ever considers data theft and tampering. So you get "your" "data" back, but never consider if the crooks tampered with your payroll records and updated the bank account numbers with their own? Come payday, you pay them a second time.

      What if the highly confidential documents you had were stolen? You wouldn't want your competition to go over them, would you? So you pay them again. Do you trust them enough that they never showed the documents to anyone?

      1. dajames

        Re: It's not three choices for most businesses, only those run by idiots.

        "What if the highly confidential documents you had were stolen? You wouldn't want your competition to go over them, would you? So you pay them again. Do you trust them enough that they never showed the documents to anyone?"

        The malware artists won't have taken your documents away -- just encrypted them in situ so that you can't access them. What you get (if you're lucky) when you pay the "ransom" is not a clear copy of the documents, it's a key you can use to decrypt the copies that are still on your PC.

        Methinks a hacker who wanted to alter your payroll data or steal your documents for blackmail purposes wouldn't draw attention to his visit by leaving ransomware as a calling card.

        1. Alan Brown Silver badge

          Re: It's not three choices for most businesses, only those run by idiots.

          "The malware artists won't have taken your documents away"

          The bandwidth of a copy is trivial. How do you know they haven't?

  8. Doctor Syntax Silver badge

    "To this end the FBI and others would be better saving their breath and offering advice about how victims can identify and then decrypt their ransomware infections, rather than delivering sermons from an ivory tower"

    However although "breaking criminal business models is not, however, the job of the system administrator" it is the FBI's job so the best thing they could do is get on with it.

  9. Ian K

    Expectation?

    "There is considerable risk here and all payments should be made with the expectation that crims will take the money and run."

    Surely if the expectation is the scammers will take the money and run you shouldn't pay?

    If you don't think you'll get the data back in any event then write it off as lost, and don't give your money away for no benefit.
