Ransomware is one of the most frightening scourges to hit the Internet. Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them. If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.
Ransomware began to emerge in 2009, and it has been rapidly on the rise. Recently, it was ranked as the number one threat involving mobile malware. According to one estimate, “at least $5 million is extorted from ransomware victims each year.”
Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.
CryptoLocker was eventually defeated. But new variants of ransomware started popping up more frequently.
Ransomware pays off quite well for cyber criminals. According to an estimate by Symantec, ransomware extorts at least $5 million each year.
One form of ransomware was even based on a software-as-a-service model, where users could download ransomware, customize it, then dispatch it to victims. The service took a 10% commission on the ransom.
In another recent instance, a version of ransomware known as Power Worm was badly coded and failed to create a valid decryption key. The files would thus remain encrypted, and nothing could be done to decrypt them.
To Pay Or Not to Pay?
Ransomware forces victims to make a Hobson’s choice: Should they pay the ransom? Or not?
The advice out there on this issue is conflicting. Some say that the ransom should never be paid. According to Kevin Haley on Symantec’s blog: “The scammers will sell you the key, but “hurry!” If you don’t pay $500 before the countdown timer expires you’ll pay double. The reality is that, no matter how many times, or how much you pay them, it’s unlikely you’ll ever get that key. Once they have your money, they couldn’t care less about giving you your files back.”
And in one case involving an email service provider in Switzerland, criminals demanded a ransom in exchange for stopping DDoS attacks, but the criminals kept on attacking after the ransom was paid.
Others say that the ransom is worth paying because it is often not a high amount and is cheaper than losing the data. In one instance, a Sheriff’s Department’s network was infected with ransomware and the Department paid the $500 ransom because the data involved key evidence in cases. Some argue that the criminals have incentives to restore the files because if they didn’t, people wouldn’t pay the ransoms, and the criminals are after the money. Indeed, one FBI agent reportedly said that in some cases, people should just pay the ransom.
I have yet to find a definitive answer. I don’t think there are absolute answers here — it all depends upon the situation.
Prevention Is the Best Medicine
The best medicine against a ransomware attack is prevention. Back up data frequently. Keep anti-virus software up to date. But at an organization, all it takes is for one employee to fall for a phishing scheme, and . . . BAM! . . . ransomware hits. Humans are the greatest vulnerability, and the best defense is training. That’s why I made a short training vignette about malware that focuses on ransomware.
There is a silver lining in all this. More than many types of security risks, ransomware really brings home to employees the dangers out there. For many employees, malware might seem like a rather abstract risk that doesn’t concern them too much. But because ransomware has extensively targeted regular individuals and because it operates with such dramatic effect, ransomware is a great subject for training. A key to getting employees to pay attention and follow advice is to show how it might affect them in their personal lives. Threats need to be made visceral and scary. And ransomware is one of those kinds of threats. In the long run, it might raise great awareness about data security concerns and motivate people to be more careful.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.