Less than half of paying ransomware targets get their files back

Paying off a ransomware demand is a great way to end up losing both your money and your files. This according to a study from security company CyberEdge, which found that for those hit by a ransomware infection the best bet is probably to just restore from a backup. The survey, based on a poll of information security …

  1. elDog

    I have bought backup packages for at least 10 of my relatives' systems

    Anyone want to guess if they actually have backed up their files?

    Good guess.

    I've been a sysadmin long enough and realize the time/effort needed to just get a compromised system back in working order.

    However, the people I've helped are not thankful for me not being able to restore a system to "this morning". You can't pay me enough to take those calls.

  2. mdubash

    That headline: Fewer... (please?)

    1. Doctor Syntax Silver badge

      "That headline: Fewer... (please?)"

      Is quarter of a pint fewer than half a pint or less than half a pint?

    2. Anonymous Coward
      Coat

      That headline: Fewer... (please?)

      I don't think so. "Fewer" implies an integer (i.e. you can do a one to one comparison between two sets and if one has a smaller number of the elements than the other, it has "fewer".

      A half is not an integer and cannot be integrally divided, so the word to use is "less".

      I am with Dr. Syntax here, even though in this case it's surely Dr. Number Theory.

      Mine is the one with the copy of North Whitehead and Russell in the pocket.

      1. Terry 6 Silver badge

        Re: That headline: Fewer... (please?)

        "Fewer" is usually for countable nouns. There are fewer women in IT than in Health.

        "Less" is for non-count nouns. There is less water in the Sahara than in Manchester.

        1. 's water music
          Coat

          Re: That headline: Fewer... (please?)

          every time you correct my grammar I love you a little fewer...

        2. Francis Boyle Silver badge

          Re: That headline: Fewer... (please?)

          "Less" is for non-count nouns.

          Less has always been used with both types of nouns. The idea that it's restricted to non count terms is a "zombie rule".

          Look at it this way. Mathematically integers are a special class of numbers so it's not surprising they get their own version of the inequality operator (in common speech, at least). But quantities are numbers, not numbers other than integers, so any operator that applies to them applies to integers as well.

          BTW, I'm with mdubash here. "Less than half" qualifies "targets", which is a count noun, so "fewer" is appropriate here.

        3. Geoff May (no relation)

          Re: That headline: Fewer... (please?)

          There is less water in the Sahara than in Manchester.

          Are you sure about that? Isn't most of the water in Manchester stored in beer?

  3. Anonymous Coward

    And you'd hope that IT companies would be smarter, yet...

    I worked at a company a few years ago where they managed other companies' systems. One of the clients got hit with ransomware. Although they had partial backups (for some critical systems), the client had done work on desktops which weren't backed up. That led to question 1 from me of why we were allowing clients to do important work on non-backed up machines. But then there came a ray of hope--the malware concerned was badly designed and known to use the same key on systems to which it spread, and we had a hard drive where it hadn't started the encryption process. I figured this out and was beginning to have some hope, but when I asked for that hard drive, I was informed that someone had taken it and booted it up. Then, to everyone's surprise, it promptly encrypted itself and shut down. These are people who know how to remove a hard drive and boot it, whose job it is to manage systems, and yet they managed to do that. I left the company about three months later. There's only so much trust I can have in my fellow humans not to be stupid.

    Anonymous just in case my former boss reads this (he doesn't, I'm pretty sure).

  4. Henry Wertz 1 Gold badge

    I actually am surprised

    I actually am surprised. Call me naive but I thought there was (as it's called) honor among thieves, that they would actually cough up the key once paid. I also assumed this just due to simple self-interest, that people will stop paying if they get the word that they won't get the key anyway.

    1. doublelayer Silver badge

      Re: I actually am surprised

      Not really. Honor among low-end malware artists is pretty much absent. Not to mention that it can be easier to assemble ransomware without bothering to write that annoying decrypt-and-put-things-back-to-normal stage. Honor among high-end malware artists is even lower.

      1. rmason

        Re: I actually am surprised

        @doublelayer

        In my experience that's not actually true.

        It would quickly become well known that paying is pointless, so it would stop. In my experience you get your files back. Sort of breaks the "business model".

        Personally I'd be interested to know how many of those who "didn't get the data back" actually meant:

        "we couldn't figure out how to follow the instructions the crims sent over"

        They don't upload (or allow you to download) your data back wholesale. They normally send a key to de-crypt what's there locally along with extremely poorly worded instructions.

        I'd bet a chunk of those surveyed were home users or small businesses who simply couldn't fathom what to do after paying up.

    2. Yet Another Anonymous coward Silver badge

      Re: I actually am surprised

      The "study" was by an anti-virus software vendor.

      Treat it like a study by the police showing that $anything$ leads to violence

    3. veti Silver badge

      Re: I actually am surprised

      I would guess that most of the scum doing this sort of thing are not particularly concerned with the reputation, and hence long-term viability, of the business. They just want money now. Tomorrow is a whole other problem.

    4. Doctor Syntax Silver badge

      Re: I actually am surprised

      "I also assumed this just due to simple self-interest, that people will stop paying if they get the word that they won't get the key anyway."

      The initial wave of ransom-ware operators did indeed seem to operate in this way. They clearly looked on it as a business and had to be handled in a business-like fashion in order to keep the money flowing. If they didn't put the work in the ransoms wouldn't be paid and the income would disappear.

      However, like all areas of business new operators came in looking for the quick buck and so we have a race to the bottom. Add to that a few nation-state operations where the sole intent seems to have been to cause harm.

      The guys who started this must be fuming.

    5. Milton

      Re: I actually am surprised

      Really, I have no idea why you are surprised. Perhaps you're just an exceptionally honest person who finds it hard to imagine that some others, when you come right down to it, have the souls of rodents.

      Bear in mind that those inflicting ransomware are (allegedly) members of our species who knowingly and deliberately destroy the contents of innocent civilians' computing devices. They know perfectly well that your baby photos and rare video clips of the kids growing up and vital documentation—perhaps lifetimes' worth of treasured stuff—will be lost. That they are causing distress, worry, wasted time, lost work and even heartbreak. Victims will include singles and couples, parents and grandparents, teenagers and kids.

      They do this to steal money. Not even for some twisted ideology of politics, or culture, or even nationalism. Not because of a personal belief. Just for money. Like pigs jostling at a trough, heedless and animal. Just. For. Money.

      El Reg frequently uses the phrase "ransomware scum", which seems mild, really, for the witless, greedy cruelty of such people. They are morally equivalent to the kind of soulless filth who lurk in dark alleyways to club a granny for her pension money. It amazes me that such people can bear to see themselves in a mirror. Let's be honest: if they do not feel crushing shame for what they do, they are mentally broken vermin.

      I suspect "honour among thieves" is just an empty phrase. A bit like the Sicilian Mafia calling themselves "men of honour" for their ability to conduct murderous feuds against other men's children. When someone claims "honour" it's time to count the spoons.

      And as is often noted in politics, which often attracts troublingly similar characters: rats aren't always easily identified. Some rats talk nicely. Many rats wear nice suits. Some can write code. They're all still rats, though. Best not to expect anything except rat behaviour.

      1. find users who cut cat tail

        Re: I actually am surprised

        > Not even for some twisted ideology of politics, or culture, or even nationalism. Not because of a personal belief. Just for money.

        Is that really worse?

        If they do it for money, they are scum and want easy money. But they can move on to another -- hopefully less actively malicious -- occupation which matches their risk/reward/labour prefs, or retire, ...

        But when they hack you because of twisted ideology, they probably just haven't yet figured out an efficient way to get bombs onto your trains or poison into your drinking water.

    6. Swiss Anton

      Re: I actually am surprised

      I am also surprised.

      If someone has had their files locked, then their PC must have been infected by malware. That malware will still be there after the PC is unlocked. I see no reason why it couldn't lock the files again, say in 6 months time. If the mark is dumb enough to pay once, they may well pay up a second time. Farming is much easier than hunting.

  5. Blofeld's Cat
    Facepalm

    Backups ...

    A colleague of mine used to do data recovery, and has many tales of backups that were completely useless when needed.

    She once had to assist a company that at first glance had done all the right things - They kept daily backups for a three month period, sent tapes on a weekly basis to an off-site storage facility, and actually verified that the tapes contained data.

    Unfortunately they never attempted to restore anything, and when disaster struck it turned out that all of their backups were incremental ones, with no original version to base the deltas on...

    1. leexgx

      Re: Backups ...

      That was a bit of a mistake, so I guess what happened there was that the incremental backup software assumed it had the original file (it did not actually verify it had a copy of the file).

      1. Voland's right hand Silver badge

        Re: Backups ...

        all of their backups were incremental ones

        This is exactly why I use amanda to this day - it does not have the concept of a "full backup set". The full backups are spread across the set and are done multiple times in a cycle as tapes allow. On top of that the full backup of one volume is usually on one tape, while other volumes are on another (ditto for incrementals).

        The end result is that you still have a probability in the very high 90s of doing a full recovery even if one or more of the tapes are unreadable. The downside is that in the absence of a tape library you have to become one and keep loading tapes like an idiot until it has finished working. That is a downside I am willing to accept :)

    2. Doctor Syntax Silver badge

      Re: Backups ...

      "She once had to assist a company that at first glance had done all the right things"

      It must have been a very cursory glance. If first glance at your tape store doesn't reveal a tape labelled "Full backup $DATE" or "Level 0" or such you should know it's time to do something about it. In fact, if they were running tapes on a 3 month basis then it should have been obvious that at the end of the 3 month cycle it was time for a new full backup.

      1. Daniel 18

        Re: Backups ...

        "if they were running tapes on a 3 month basis then it should have been obvious that at the end of the 3 month cycle it was time for a new full backup"

        More likely, it would be time for a full backup once a month, and those should be archived, every other one off site, and not re-used.
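The level-0-plus-incrementals scheme this subthread is picking apart, as an added example in Python that is not part of the thread or of any backup product named in it. The catalogue, tape labels and dates are constructed, and it assumes dump-style levels: a level-0 tape is a full backup, and a level-N tape holds everything changed since the most recent tape of a lower level, so a tape is only restorable if an unbroken chain of lower levels back to a surviving level 0 exists.

```python
"""Audit a tape catalogue for restore points that actually have a full backup
behind them. Added example; catalogue, labels and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tape:
    label: str
    day: date
    level: int  # 0 = full; higher = changes since the most recent lower-level tape


def restore_chain(catalogue: List[Tape], target: Tape) -> Optional[List[Tape]]:
    """Tapes needed, oldest first, to restore `target`; None if the chain is broken.

    Walk backwards: each tape above level 0 needs the most recent earlier tape of a
    strictly lower level. If none survives, `target` holds deltas against data you
    no longer have, however well the tape itself verifies.
    """
    chain = [target]
    current = target
    while current.level > 0:
        lower = [t for t in catalogue if t.day < current.day and t.level < current.level]
        if not lower:
            return None
        current = max(lower, key=lambda t: t.day)
        chain.append(current)
    chain.reverse()
    return chain


def audit(catalogue: List[Tape]) -> Dict[str, Optional[List[str]]]:
    """Label -> labels of the chain needed to restore it, or None if unrestorable."""
    result: Dict[str, Optional[List[str]]] = {}
    for tape in catalogue:
        chain = restore_chain(catalogue, tape)
        result[tape.label] = None if chain is None else [t.label for t in chain]
    return result


def unrestorable(catalogue: List[Tape]) -> List[str]:
    return [label for label, chain in audit(catalogue).items() if chain is None]


def apply_retention(catalogue: List[Tape], today: date, keep_days: int) -> List[Tape]:
    """Discard tapes older than the retention window, as a rotation scheme would."""
    cutoff = today - timedelta(days=keep_days)
    return [t for t in catalogue if t.day >= cutoff]


def build_catalogue(start: date, days: int, full_every: Optional[int] = None) -> List[Tape]:
    """Constructed catalogue: one tape per day, a level 0 every `full_every` days
    (the first on `start`) and level 1 otherwise. full_every=None means never."""
    tapes = []
    for i in range(days):
        d = start + timedelta(days=i)
        if full_every and i % full_every == 0:
            tapes.append(Tape(f"Level0-{d.isoformat()}", d, 0))
        else:
            tapes.append(Tape(f"Level1-{d.isoformat()}", d, 1))
    return tapes


START = date(2018, 1, 1)   # constructed window
WINDOW_DAYS = 120


def scenario(full_every: Optional[int], keep_days: Optional[int] = None) -> List[str]:
    """Unrestorable labels for the constructed 120-day catalogue, optionally after a
    retention pass dated on the window's last day."""
    catalogue = build_catalogue(START, WINDOW_DAYS, full_every)
    if keep_days is not None:
        catalogue = apply_retention(catalogue, START + timedelta(days=WINDOW_DAYS - 1), keep_days)
    return unrestorable(catalogue)


if __name__ == "__main__":
    # Incrementals only: every tape "contains data", none can be restored.
    print(len(scenario(None)), "unrestorable with no full at all")
    # One full on day 1, 90-day rotation: the full ages out and takes every later tape with it.
    print(len(scenario(120, keep_days=90)), "unrestorable after the full rotates out")
    # Monthly fulls: only the incrementals from before the oldest surviving full are dead.
    print(scenario(30, keep_days=90))
```

The last scenario is the quiet failure: with monthly fulls and a 90-day window, the level-1 tape from just before the oldest surviving full still verifies but cannot be restored, which is why the rotation period and the full-backup interval have to be chosen together, and why a periodic test restore, not a tape verify, is the check that matters.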

  6. ThatOne Silver badge
    Alert

    Who stopped what?

    > "Perhaps this is more evidence that IT security has finally stopped the bleeding of rising cyberattacks,"

    Or just the fact most criminals have turned to the much easier and quicker rogue bitcoin mining by now?... Not sure, but I think it's been a while since we last saw a new ransomware strain, hasn't it?

  7. Richard 12 Silver badge

    They've always gone in waves

    Ransomware is no longer "cool".

    Now it's stealing CPU/GPU cycles for cryptocurrency. Next month, who knows?

  8. David Pearce

    Ransomware created demand for Bitcoins and then Bitcoin mining malware appeared. I suspect the two stages were planned

    1. veti Silver badge

      You are mistaking opportunism for planning. They look superficially alike, but opportunism works better.

  9. Anonymous Coward

    To my shame, I have to admit I don't do offline backups. I have MacBooks with a Synology for Time Machine, and I pray Apple will remain too unpopular to be targeted seriously.

    And I save the most important documents to Google Drive, because I trust them more than me not to lose the data.

    1. localgeek

      A really cheap and easy way to do offsite backups is to buy yourself a large-capacity external drive, and rent a small safety deposit box. It's surprisingly inexpensive. I update mine every few months, which is a bit of a nuisance, but worth the peace of mind as a last ditch option to recover the lion's share of my data in the event that my other backups should fail.

      Alternatively, you might try keeping a drive at the home of a friend or family member. This worked out pretty well for me until the in-laws lost my previous drive (encrypted, naturally).

      1. Terry 6 Silver badge

        localgeek

        Yes.

        Or indeed I tend to salvage the old HDDs from defunct laptops and stick 'em in a cheap enclosure. Every so often I copy my backups to one of them. Since they're reformatted and contain no software or OS there's bags of room for data.

      2. veti Silver badge

        I've bought four high capacity external hard drives in the past 10 years, for backups - and all four of them have broken down. Right now I have no offline backup.

        This is when Google Drive looks attractive.

        1. DropBear
          Devil

          No offense, but with that kind of failure record I'd start looking for the common element in those backups. And once you find it... well, I did say "no offense"...

  10. mark l 2 Silver badge

    Well what a shock, the scumbags who write the malware are also thieves as well.

    I guess it makes sense for them, to help them stay anonymous: to decrypt the files, unless you use the same key each time, you need C&C servers which could be taken down by law enforcement and possibly leave traces back to the malware authors. Whereas if you just encrypt with a randomly generated key and display a bitcoin wallet address, no back-end servers are required; you only need a small percentage of infected users to pay up to make it worthwhile.

  11. Terry 6 Silver badge

    It always was sensible, hopefully

    "probably to just restore from a backup."

    This should be first port of call. No need to try to buy back your data. When big corps. lose data this way, having the resources to keep secure back-ups there's simply no excuse.

    And for smaller users that should include swapping an external drive round on a regular basis. i.e. Almost all your data should (also) be in a cupboard somewhere, ideally off-site. And fairly recent. You wouldn't leave your wallet in the office with the window open, so why would you do that with your valuable data.

    1. Anonymous Coward

      Re: It always was sensible, hopefully

      "You wouldn't leave your wallet in the office with the window open, so why would you do that with your valuable data."

      Because it's the ONLY place left to put it, as everything else is occupied and we can't afford to go offsite (the costs alone would break us). And no, I have no pockets and can't keep a lanyard (not allowed due to proximity to machinery).

      1. Terry 6 Silver badge

        Re: It always was sensible, hopefully

        The thing is, for an awful lot of organisations the cost is a couple of external HDDs and five minutes a week swapping them round. Ideally if it's not confidential data (or is sensibly encrypted) take one home or lock it in a car boot even. (In case your office burns down or is broken in to).

  12. IGnatius T Foobar
    Holmes

    They deserve it.

    I have ZERO sympathy for people who don't take backups. If your files were locked by ransomware and you didn't back them up, you deserve to lose them.

    1. doublelayer Silver badge

      Re: They deserve it.

      No, they most definitely do not. I can somewhat understand what I think you're saying when the victims are companies. They should have the knowledge and capability to do back ups, and when the data is lost the victims are more their customers as the company can often account for the loss. But when the victims are people, average citizens, you can't blame them for not having done proper backups. We would all prefer that they did, but for those who are technically unaware, especially those who are elderly or children, expecting that they will be able to do complete backups without help is wishful thinking, and saying that "they deserve it" for not having done so is close to victim blaming. Sometimes, they can get hit with ransomware without even having done anything suspicious. Even for most companies, it is probably the company that will be taking the loss. I think we all have a tendency to sympathize less with companies than we do with individuals, but someone loses either way. Now for companies that don't bother with security and leak our information out and respond with a from-the-heart "who cares", they deserve it.

  13. adam payne

    Of those who caved to the demand and paid the ransom, 49.4 per cent said they could recover their data, while 50.6 ended up losing it anyway. The not-so-shocking conclusion is that criminals don't always stay true to their word.

    I can't say I'm that surprised. As soon as you pay the criminals they have what they want.

    and the number of companies that were frequently attacked, more than six times in a year, was also down.

    If you have been attacked six times in a year then something is seriously wrong.

  14. Anonymous Coward
    Facepalm

    Crikey I'm ransomed by Corporate America

    I'm trying to get Windows 8.1 to boot, and Linux's not good either: one of my drives (with Linux on it) has become invisible to the BIOS and hardware at boot time (either as a USB or internal drive). {explain that, I weep!}

    My bare metal restorer, PBR and all others backups have failed (not fit for purpose).

    Therefore I am ransomed, as I must upgrade to Windows 10 or lose access to my paid-for programs and applications. Unfortunately the versions I have do not run well on Windows 10; I would have to purchase new ones built for Win 10.

    But rather than get an anytime upgrade as my version is kaput I must purchase one, so FU MS.

    So, like many others, I'm paying through the nose.

    1. Tim Seventh

      Re: Crikey I'm ransomed by Corporate America

      I'm trying to get Windows 8.1 to boot, and Linux's not good either: one of my drives (with Linux on it) has become invisible to the BIOS and hardware at boot time (either as a USB or internal drive). {explain that, I weep!}

      I presume you mean your current Windows 8.1 isn't booting, and you're trying to get it to boot. In addition, your Linux drive isn't booting either. Since you've said that it is invisible to the BIOS, it means that you have access to the BIOS but the drives are not shown. From this, it means either your USB port / internal SATA connectors are dead, your hard drives have failed, or both boot partitions (Windows and Linux) have been corrupted.

      If you want to double check the drives for the extent of the issue, you'll want to try something else to boot up your PC. You can try using a live Linux USB, boot it up, and then plug in the hard drive via USB. If you see a few partitions shown, then you've got good news. Your drive isn't really dead and you might be able to recover your data.

      My bare metal restorer, PBR and all others backups have failed (not fit for purpose).

      Therefore I am ransomed, as I must upgrade to Windows 10 or lose access to my paid-for programs and applications.

      That's not really ransomed if there's nothing asking for a ransom. That's just losing your backups and your data. Also if somehow you regain access to your programs and applications, there's no need to upgrade to Windows 10. Just get a new hard drive, buy/get a Windows 8.1 license that is still available, install Windows 8.1 to the new hard drive, and re-install all your programs and applications to access them.

  15. c1ue

    But...

    At least some part of the problem is poor methodology.

    If you don't verify that the criminal can decrypt, then paying the ransom is stupid.

    A likely additional factor is RaaS: Ransomware As A Service.

    While there isn't honor among thieves necessarily, the reality is that a paid ransom that doesn't yield a return means people will stop paying the ransoms quite quickly.

    There is therefore a very clear incentive for a ransomware creator to maintain "brand".

    However, with RaaS, the attacker isn't the creator of the ransomware. They therefore don't care about the "brand" since it impacts them much less, especially if the commission structure is one where the attacker pays the commission to receive the decrypt key from the ransomware creator.

    Additionally, there were a series of high profile attacks last year where the ability to decrypt was either nonexistent to start with or was compromised by LE and/or poor ransomware design. NotPetya and Wannacry, for example.

    Lastly, the dynamic of survey respondents also certainly skewed results. Much as negative reactions are far more common in feedback, so too would unrewarded ransoms likely have far higher response rates.

    The study is interesting but far from definitive.

  16. Roland6 Silver badge

    "The clear lesson here is the critical importance of maintaining up-to-date offline backups."

    Err, whilst this is a nice sounding soundbite, aren't people forgetting how ransomware (that has been dissected) works; namely, it quietly encrypts files behind the scenes before it reveals itself (although I have seen some ransomware that simply puts up a demand in the expectation that people will panic and simply pay up). It is not sufficient to simply have offline backups, it is necessary to have backups that either predate the ransomware infestation or have been able to back up files (from an infected system) before the ransomware has encrypted them.

    Restoring a system that has had ransomware back to both a clean state and ensuring all data files are unencrypted and clean is non-trivial.

    1. Terry 6 Silver badge

      Re: "The clear lesson here is the critical importance of maintaining up-to-date offline backups."

      Yes. I've come up against a place, many years ago, that had data corruption for some reason or other, ( I forget why). In those days they were quite advanced by having their data saved to a disc, every night. I think a simple batch file or something. Unfortunately the save went ahead after the corruption, and over-wrote the previous day's good save.

      It taught me to keep an old back up or two safe -and when I learnt about the grandfather-father-son system a few years later I periodically "retired" some copies. These days, as noted previously, I retire old HDDs instead.

      1. Charles 9

        Re: "The clear lesson here is the critical importance of maintaining up-to-date offline backups."

        And then you find out the ransomware was an EXTREME sleeper in hopes of beating just that strategy and getting into ALL the backups.

      2. 2Nick3

        Re: "The clear lesson here is the critical importance of maintaining up-to-date offline backups."

        It's called versioning the backups - having only one Level 0 backup is bad. Having it accessible to modify from the system being backed up, as using a batch file indicates, is bad.

        I've been in the backup space for over 20 years now, and the number of people who still treat it as a costly nuisance is amazing. Until they lose data, and then they're all over you because you didn't override their objections.
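A versioned, append-only store with grandfather-father-son pruning, added here as an example in Python; it is not code from the thread or from any backup product. It covers the overwritten-nightly-save story above and the two rules in the reply: a run never replaces an earlier run's bytes, and only the store's own commit() writes into it, standing in for a pull by the backup host rather than a push from the client being backed up. Run dates, payloads and retention counts are constructed.

```python
"""Append-only versioned backup store with GFS retention. Added example; all
dates and payloads are constructed."""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


class VersionedStore:
    """Every run is a separate version; an existing version can never be overwritten,
    so a corrupt run lands beside the last good one instead of on top of it."""

    def __init__(self) -> None:
        self._versions: Dict[date, bytes] = {}

    def commit(self, run_day: date, payload: bytes) -> None:
        if run_day in self._versions:
            raise ValueError(f"version for {run_day} already exists; refusing to overwrite")
        self._versions[run_day] = payload

    def versions(self) -> List[date]:
        return sorted(self._versions)

    def restore(self, not_after: Optional[date] = None) -> Optional[bytes]:
        """Newest version dated on or before `not_after` (default: newest of all)."""
        candidates = [d for d in self._versions if not_after is None or d <= not_after]
        return self._versions[max(candidates)] if candidates else None

    def prune(self, keep: Set[date]) -> List[date]:
        """Retire every version not in `keep`; returns what was dropped."""
        dropped = [d for d in self.versions() if d not in keep]
        for d in dropped:
            del self._versions[d]
        return dropped


def gfs_keep(runs: Iterable[date], daily: int = 7, weekly: int = 4, monthly: int = 12) -> Set[date]:
    """Grandfather-father-son selection: the newest `daily` runs, plus the last run
    of each of the newest `weekly` ISO weeks, plus the last run of each of the
    newest `monthly` calendar months. Everything else may be retired."""
    ordered = sorted(set(runs), reverse=True)  # newest first
    keep: Set[date] = set(ordered[:daily])

    def newest_per_bucket(key, limit: int) -> List[date]:
        seen: Dict[object, date] = {}
        for d in ordered:                 # first hit per bucket is that bucket's newest run
            seen.setdefault(key(d), d)
        return list(seen.values())[:limit]

    keep.update(newest_per_bucket(lambda d: (d.isocalendar()[0], d.isocalendar()[1]), weekly))
    keep.update(newest_per_bucket(lambda d: (d.year, d.month), monthly))
    return keep


def build_demo_store() -> VersionedStore:
    """Constructed history: daily runs 2017-01-01..2018-04-20, the last one corrupt."""
    store = VersionedStore()
    day, last = date(2017, 1, 1), date(2018, 4, 20)
    while day < last:
        store.commit(day, f"good data as of {day.isoformat()}".encode())
        day += timedelta(days=1)
    store.commit(last, b"corrupt")   # the bad save that would have clobbered a single copy
    return store


def kept_isoformats(store: VersionedStore) -> List[str]:
    return sorted(d.isoformat() for d in gfs_keep(store.versions()))


if __name__ == "__main__":
    store = build_demo_store()
    print("newest:", store.restore())
    print("before the corrupt run:", store.restore(not_after=store.versions()[-2]))
    dropped = store.prune(gfs_keep(store.versions()))
    print(len(dropped), "retired;", len(store.versions()), "kept:", kept_isoformats(store))
```

With the defaults the 475 daily versions reduce to 20: the last week, the four week-ends before that, and one per month back a year, so a sleeper that only reveals itself months later still has something older than itself to fall back on.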

  17. Stephen Wilkinson

    According to the South West Regional Cyber Crime Unit who presented at a conference I attended a couple of weeks ago, if you pay you may or may not (same odds were given) get your files un-encrypted but you definitely will get your details passed around as someone who paid to other ransomware controllers, who of course will then target you even more.

  18. jms222

    Snapshots

    For protection against ransomware and finger trouble, as opposed to hardware failure, snapshots as on ZFS are absolutely brilliant and relatively straightforward to set up.

    You can have @hour1..@hourn, @day1..@dayn and so on and they are all automatically mounted (at least under FreeBSD) and accessible without privilege.

    (Note FreeBSD automagically mounts ZFS snapshots, Linux might not.)
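Snapshots only help if you can tell which one predates the encryption, the point made a few comments up. The following is an added example in Python, not code from the thread or from ZFS: it works on an in-memory model of snapshots (a list of (name, {path: bytes}) pairs, oldest first) built from constructed data, where on a real system you would read each file from its mounted snapshot directory. A file is flagged when its content jumped from readable to near-random between two consecutive snapshots, including when the encrypted copy appeared under a new extension (report.docx becoming report.docx.locked). The entropy threshold and jump size are assumptions, not published figures.

```python
"""Pick the newest snapshot taken before files started turning to ciphertext.
Added example; snapshot contents are constructed."""
import math
import random
from collections import Counter
from typing import Dict, List, Optional, Tuple

HIGH_ENTROPY = 7.0   # bits per byte; encrypted or compressed data sits near 8 (assumed cut-off)
JUMP = 2.0           # rise between versions that counts as "went random" (assumed)
MIN_SIZE = 256       # entropy estimates on tiny files are noise

Snapshot = Tuple[str, Dict[str, bytes]]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for uniform content up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def previous_version(path: str, prev: Dict[str, bytes], curr: Dict[str, bytes]) -> Optional[bytes]:
    """Earlier content of `path`: the same path in `prev`, or, if the file is new and
    `prev` held the name minus one trailing extension which has since vanished, that file."""
    if path in prev:
        return prev[path]
    base = path.rsplit(".", 1)[0]
    if base != path and base in prev and base not in curr:
        return prev[base]
    return None


def suspicious_changes(prev: Dict[str, bytes], curr: Dict[str, bytes]) -> List[str]:
    """Paths in `curr` whose content went from readable to near-random since `prev`.
    Comparing against the earlier version is what stops a JPEG or a zip, which is
    high-entropy from the day it was created, being flagged just for existing."""
    hits = []
    for path, data in curr.items():
        if len(data) < MIN_SIZE or shannon_entropy(data) < HIGH_ENTROPY:
            continue
        before = previous_version(path, prev, curr)
        if before is not None and shannon_entropy(data) - shannon_entropy(before) >= JUMP:
            hits.append(path)
    return hits


def last_clean_snapshot(snapshots: List[Snapshot]) -> Optional[str]:
    """Name of the newest snapshot taken before the first one showing encryption, or
    the newest snapshot if nothing looks wrong. None if there are no snapshots."""
    if not snapshots:
        return None
    for i in range(1, len(snapshots)):
        if suspicious_changes(snapshots[i - 1][1], snapshots[i][1]):
            return snapshots[i - 1][0]
    return snapshots[-1][0]


def build_snapshots() -> List[Snapshot]:
    """Constructed hourly snapshots: two clean ones, then encryption starting in @hour3."""
    rng = random.Random(7)

    def random_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    report = b"Quarterly report for the finance team, draft 3.\n" * 40
    notes = b"Call the supplier about the tape library quote.\n" * 20
    photo = random_bytes(4096)                  # legitimately high-entropy, never changes
    encrypted_report = random_bytes(len(report))
    encrypted_notes = random_bytes(len(notes))
    return [
        ("@hour1", {"report.docx": report, "notes.txt": notes, "photo.jpg": photo}),
        ("@hour2", {"report.docx": report, "notes.txt": notes + b"Done.\n", "photo.jpg": photo}),
        ("@hour3", {"report.docx.locked": encrypted_report, "notes.txt": notes + b"Done.\n", "photo.jpg": photo}),
        ("@hour4", {"report.docx.locked": encrypted_report, "notes.txt.locked": encrypted_notes, "photo.jpg": photo}),
    ]


if __name__ == "__main__":
    snaps = build_snapshots()
    for (older, prev), (newer, curr) in zip(snaps, snaps[1:]):
        print(f"{older} -> {newer}: {suspicious_changes(prev, curr)}")
    print("restore from:", last_clean_snapshot(snaps))
```

The caveat a sleeper strain raises still applies: this finds the last snapshot before encryption became visible, not the last one before the infection, so the host itself still has to be rebuilt clean before the data from that snapshot goes back on it.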

  19. montyburns56

    As seen on TV....

    They could always try and get their data back Carrie Mathison style....
