
FBI’s Advice on Ransomware? Just Pay the Ransom - rubikscube
https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/
======
pdkl95

    And that is called paying the Dane-geld;
      But we've proved it again and again,
    That if once you have paid him the Dane-geld
      You never get rid of the Dane.

[http://www.poetryloverspage.com/poets/kipling/dane_geld.html](http://www.poetryloverspage.com/poets/kipling/dane_geld.html)

Paying ransom merely teaches the criminal that you're an easy mark that they
should demand more ransom from in the future.

~~~
icebraining
But are the criminals in this case targeting specific individuals? You can't
teach them you're a good target if they're just firing at random anyway.

~~~
mannykannot
The 'you' in this case is all of us, collectively. Unfortunately, for the
individual victim, paying is usually the best of a set of bad options, even
though it is not the best one for us, collectively.

~~~
iamsohungry
> Unfortunately, for the individual victim, paying is usually the best of a
> set of bad options

Is it?

From the perspective of the hacker, the hacker's best move is to take the
money and simply demand more. There's zero incentive for the hacker to return
the victim's data.

This becomes a probabilistic situation: the approach I'd take if I were a
victim would be to borrow an analogy from poker for the problem of deciding
whether to call in order to possibly win a pot. First, I'd determine how much
the data is worth to me, and use that to determine my "pot odds":

    pot_odds = ransom / value_of_data

I'd then try to figure out how often hackers actually return the data on a
ransom:

    odds_of_data_being_returned ~= times_data_has_been_returned_after_ransom_paid / times_ransom_has_been_paid

At this point, we can decide whether it's a rational choice to pay the ransom:

    if pot_odds < odds_of_data_being_returned:
        pay_the_ransom()

Areas for research: this is a pretty unsophisticated way of determining the
odds of the data being returned. I don't have data on how often hackers return
data upon being paid the ransom, but I suspect if we gathered data we could
get a better probability. For example, one could use linguistic patterns in
the hacker's communication to fingerprint different ransomware hackers, and
use that to get a probability for each individual hacker. It's likely that
some hackers never return the data, and some hackers always return the data,
and each of these probabilities has drastically different effects on the
outcome of our decision algorithm.
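
The rule above, worked through in code as an added example (this is not code from the thread or from the commenter): it derives the "pay iff pot_odds < P(returned)" test from expected value, estimates the return rate per operator from observed counts, and shows why pooling all operators together versus estimating each separately can flip the decision, which is the commenter's "areas for research" point. The names `Observations`, `return_rate`, `should_pay` and the add-one smoothing prior are assumptions of this example, and the operator counts are constructed sample data, not real statistics.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Observations:
    """Counts for one operator: ransoms paid, and how often data came back.
    Constructed for this example; the thread has no such data."""
    ransoms_paid: int
    data_returned: int

    def __post_init__(self) -> None:
        if self.ransoms_paid < 0 or not 0 <= self.data_returned <= self.ransoms_paid:
            raise ValueError("data_returned must be between 0 and ransoms_paid")


def return_rate(obs: Observations, prior_returned: float = 1.0,
                prior_kept: float = 1.0) -> float:
    """Estimate P(data returned | ransom paid) for one operator.

    The raw ratio returned/paid is undefined with zero observations and
    gives a hard 0 or 1 after a single case.  Add-one (Laplace) smoothing,
    an assumption of this example, avoids both: no data gives 0.5."""
    return (obs.data_returned + prior_returned) / (
        obs.ransoms_paid + prior_returned + prior_kept)


def pot_odds(ransom: float, value_of_data: float) -> float:
    """ransom / value_of_data, the commenter's 'pot odds'."""
    if ransom < 0 or value_of_data <= 0:
        raise ValueError("ransom must be >= 0 and the data must have positive value")
    return ransom / value_of_data


def expected_gain_from_paying(ransom: float, value_of_data: float,
                              p_return: float) -> float:
    """EV(pay) - EV(don't pay).  Not paying leaves the data lost (EV 0);
    paying costs the ransom and recovers the data with probability p_return.
    The 'pay and then get asked for more' branch the commenter raises is not
    priced here, since nothing on the page gives a probability for it."""
    return p_return * value_of_data - ransom


def should_pay(ransom: float, value_of_data: float, p_return: float) -> bool:
    """The commenter's rule: pay iff pot_odds < p_return.
    Rearranging p*V - R > 0 gives R/V < p, so this agrees with
    expected_gain_from_paying(...) > 0."""
    return pot_odds(ransom, value_of_data) < p_return


def decide_per_operator(ransom: float, value_of_data: float,
                        table: Dict[str, Observations]) -> Dict[str, bool]:
    """One decision per fingerprinted operator, using that operator's own counts."""
    return {name: should_pay(ransom, value_of_data, return_rate(obs))
            for name, obs in table.items()}


def decide_pooled(ransom: float, value_of_data: float,
                  table: Dict[str, Observations]) -> bool:
    """One decision from all counts pooled, ignoring which operator it is."""
    pooled = Observations(sum(o.ransoms_paid for o in table.values()),
                          sum(o.data_returned for o in table.values()))
    return should_pay(ransom, value_of_data, return_rate(pooled))


# Constructed sample: one operator that always returned data, one that never did.
SAMPLE_OPERATORS = {
    "operator-A": Observations(ransoms_paid=10, data_returned=10),
    "operator-B": Observations(ransoms_paid=10, data_returned=0),
}

if __name__ == "__main__":
    ransom, value = 1000.0, 10_000.0
    print("pot odds:", pot_odds(ransom, value))
    print("pooled decision:", decide_pooled(ransom, value, SAMPLE_OPERATORS))
    print("per-operator:", decide_per_operator(ransom, value, SAMPLE_OPERATORS))
```

With the constructed counts the pooled estimate is 0.5, so at pot odds of 0.1 the pooled rule says pay regardless of who the operator is, while the per-operator estimates (about 0.92 for A and 0.08 for B) say pay A and do not pay B. The defensive takeaway is the one the thread already makes: the rule is only as good as the return-rate data behind it, and without backups you are reduced to estimating it.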

~~~
llamataboot
Not in the long-term, because then they gain a reputation as someone not to be
"trusted". Many of these outfits have their own support forums, make it easy
to pay, etc and happily hand your data back over because they make money in
volume, not from one particular mark. You gain a reputation as being easy to
work with and unlocking data and offering the support to do so, many more
people will pay just to get rid of the headache when their computers are
locked down.

~~~
iamsohungry
While I'm sure this is true and some hackers behave based on this idea, there
are two issues:

1. "Many of these outfits" is not all: we still need a way to determine
whether we should pay a ransom.

2. I'm sure I could manufacture a support forum which shows me to be
trustworthy in an afternoon.

~~~
lkowalcz
For (1), this is the reason the ransom is small. Since "many" are actually
trustworthy, it's a small risk to pay the relatively small ransom. (Also, you
can verify via bitcoin address if you're dealing with a hacker who is known to
give data back.)

For (2), could you also find a way to get the FBI to release a statement
saying you are trustworthy?

~~~
icebraining
_Also, you can verify via bitcoin address if you're dealing with a hacker who
is known to give data back._

How so? Presumably they use a different one for each payment, no? Otherwise,
how could they tell who paid?

~~~
lkowalcz
Apparently they reuse the primary wallet quite frequently:

[http://www.coindesk.com/cryptowall-325-million-bitcoin-ranso...](http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/)

------
devit
Looks like free enterprise has introduced a tax on people who fail to secure
their systems against untargeted attacks and fail to make backups.

One also wonders what's the point of all NSA's "SIGINT" efforts if they can't
or won't use it to catch such usually foreign actors, so maybe they also
introduced an argument against mass surveillance.

~~~
pdkl95
The NSA isn't interested in _defensive_ work these days. As Dan Geer
explained[1]:

    I suggest that the cybersecurity tool-set favors offense these days.
    Chris Inglis, recently retired NSA Deputy Director, remarked that
    if we were to score cyber the way we score soccer, the tally would
    be 462-456 twenty minutes into the game, i.e., all offense.  I will
    take his comment as confirming at the highest level not only the
    dual use nature of cybersecurity but also confirming that offense
    is where the innovations that only States can afford is going on.

This is a serious problem, not only from the problems of intelligence agencies
with many powers and poor oversight; ignoring defense is going to bite a lot
of people in bad ways. We are already seeing the beginnings of this with the
escalating impact computer-based attacks are having on their victims.

I also recommend considering Jacob Appelbaum's response to this question[2]
from the audience - from someone currently working for the NSA. The summary is
that we _need_ people doing NSA-style work, but on the defense side, and we
need it now. If the NSA isn't doing that, then maybe people that want to
actually protect their country should find somewhere else to work that is
actually working on defense.

[1] [https://www.youtube.com/watch?v=nT-TGvYOBpI#t=478](https://www.youtube.com/watch?v=nT-TGvYOBpI#t=478)

[2] [https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=4027](https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=4027)

~~~
purpled_haze
> The NSA isn't interested in defensive work these days.

Hasn't "a great offense is always the best defense" always been the name of
the game? We've gone from fists, to stick and rocks, to spears, to swords, to
Greek Fire, to gunpowder, to nuclear weapons. Why not now be the ones to own
the power to take down any computer or network?

Great efforts in defense aren't necessarily successful or rewarded either,
e.g. Reagan's "Star Wars"/SDI
[https://en.wikipedia.org/wiki/Strategic_Defense_Initiative](https://en.wikipedia.org/wiki/Strategic_Defense_Initiative)
which was widely criticized and failed miserably.

While cyberdefense is not in the same unrealistic realm as SDI was in the 80s,
the ways that most people think about security (firewall on the perimeter
and/or securing each node, pen testing, patches, and locking down what can be
installed/used) don't really solve the problem of having a wide attack vector.
Imagine if you could shoot a single soldier out in the field and it would kill
his/her whole battalion, the base in which he/she was stationed, and perhaps
destroy or weaken the entire army or even armed forces to which he/she
belonged? That is the situation now.

Playing ultimate defense requires much more isolation. We shouldn't be on the
same network, we shouldn't always be connected, and we should really limit how
the outside world can affect each node. That isn't often the case with the
networks we have currently.

~~~
michaelt
    Hasn't "a great offense is always the best defense"
    always been the name of the game?

An air offence against an airfield can put a billion dollars worth of planes
out of operation permanently.

There's no cyberattack equivalent of that - it's not like bricking a few $1000
PCs would disable foreign cyberattack capabilities.

~~~
jblow
Only a billion? This is the USA in 2015 we are talking about. A single F-35C
costs a third of a billion dollars. So you are talking about 3 planes.

------
jvdh
Note that this is not an official statement, this is something that an agent
said at a conference:

[https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-real...](https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/) has the official statement:

    The FBI doesn't make recommendations to companies; instead, the Bureau explains
    what the options are for businesses that are affected and how it's up to
    individual companies to decide for themselves the best way to proceed.
    That is, either revert to back up systems, contact a security
    professional, or pay.

------
joosters
It's probably good advice for any individual person / company who gets
infected. Unfortunately, it's terrible advice for society in general, because
the blackmailers profit from their crime and will go on to target more people.

I'd guess that the malware users are being quite clever in keeping the ransom
demands (relatively) small, to make it easy to choose to pay. They then profit
in scale because targeting thousands of people is simple.

Since the ransom payments are in Bitcoin, it's possible to track the payments
and work out how much money the scammers are making. Some estimates put it as
high as $325 million: [http://www.coindesk.com/cryptowall-325-million-bitcoin-ranso...](http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/)

~~~
icebraining
It's irrelevant advice for society in general, because just like with spam,
the costs of producing this are so low that even if the FBI had convinced 99%
of people not to pay, it'd still be worth it for the scammers.

------
blisterpeanuts
The FBI should always advise companies _never_ to pay ransoms. It's the only
way to stop it. The Bureau doesn't care if a company or individual loses data.
They do care about crime, and the only logical way to stop a class of crime is
to remove all financial incentive.

Whoever is advising people to "just pay the ransom" is a fool.

~~~
tptacek
No matter what the FBI says, ransomware is going to continue until vendors
ship systems that are secure enough to prevent ransomware by default.

Meanwhile, "don't pay the ransom" is not an honest answer to "what's the best
thing for me to do now that I'm infected".

~~~
vonklaus
Is it possible for vendors to ship a system like this that would also allow
for users to encrypt their entire hard drives? Maybe it would be something
like OS X firmware lockdown, but that is less convenient and takes away a lot
of the options for the user.

Is this an either/or scenario?

~~~
tedunangst
Lots of vendors ship encrypted hard drives. Some of them are even almost
secure.

Or are you asking can a vendor prevent a compromised user account from
installing pgp and encrypting everything? Probably not very well.

------
speakeron
Surely more sensible advice would have been: make sure you have offline
backups; but if you don't, pay the ransom.

~~~
vezzy-fnord
    Still, the Boston head of cyber said that organizations
    that have procedures in place for regularly backing up
    their data can avoid paying a ransom at all, by simply
    restoring the infected system to a state prior to the
    infection.

------
dogma1138
The sad part is that quite a few of the ransomware cases aren't actually
recoverable, as the malware could be just a dumb AES implementation which
doesn't send the key to some C&C server somewhere; in some cases the key is
hardcoded into the malware or is just generated at random, so even if you pay
the ransom you might not get your data back.

The other important thing to consider is that your data is already tainted, so
the cost of the ransom is meaningless compared to the cost of re-evaluating
all the data once you manage to decrypt it, as well as the cost of the
decryption itself; it's not like you'll get an easy tool to do it.

But considering that recovering data from backups also costs a small fortune
it might be a reasonable gamble after all.

------
marze
Um, isn't the reason we have an FBI is to shut down operations such as these?
Can't they track payments and have the ransomware operators apprehended, with
cooperation from authorities in other countries?

Maybe we should defund the FBI if this is the best advice they can think of.

------
spdustin
For the record, it's the FBI's advice on cryptowall, cryptolocker and their
ilk that it's easier to pay the ransom because it's largely automated to the
point that no human is directly involved in processing your ransom and
returning the keys to your files - the web site you're directed to even gives
you one single file recovered for free. Isn't technology grand? Aren't the
disenfranchised youth of Eastern Europe (the primary agents responsible for
crypto-ransomware) generous? So unless you had backups from before you were
infected, pay the automated system its Bitcoin. It's a shame that so many
people have _this_ as their introduction to cryptocurrency.

------
xxdesmus
This is 100% BS.

The FBI has already confirmed this "just pay the ransom" was completely
misquoted and taken out of context.

Stop spreading this clickbait FUD.

------
tim333
I guess the ransomware will stop unless they throw a few of the crooks into
jail. I presume the NSA or someone like that could probably figure out who they
are, but they are probably in Russia or similar where the courts won't do much.
Hence a fix might be to do a deal with Putin or some such? We'll drop some
sanctions if you throw a couple of dozen cybercrooks in jail, say.

~~~
vbezhenar
I presume they are probably in US. Hence a fix might be to do a deal with
Obama?

really?

If you have any evidence about the authors, you can report it to the local
police, who will contact Interpol and then Russia's police. Russia has all the
necessary laws to punish cyber criminals.

~~~
tim333
From some googling:

"..FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev.
Bogachev, the authorities believe, was responsible for operating both
viruses... GameOver Zeus and CryptoLocker"
[http://www.slate.com/articles/technology/technology/2014/06/...](http://www.slate.com/articles/technology/technology/2014/06/evgeniy_bogachev_gameover_zeus_cryptolocker_how_the_fbi_shut_down_two_viruses.html)

"still appears to be at large in Russia, where officials have shown little
interest in helping the FBI"..."What a talented guy," said Mikhail, 23, who
recognised Bogachev's FBI photo as the man he would see in the lobby with his
wife and nine-year-old daughter. "Sitting at his computer at home, he broke
into our enemies' camp, but did not harm his fellow Russians."
[http://www.telegraph.co.uk/news/worldnews/europe/russia/1088...](http://www.telegraph.co.uk/news/worldnews/europe/russia/10883333/Russian-hacker-wanted-by-US-hailed-as-hero-at-home.html)

"His alleged bank heists topped $100 million"..."Bogachev, 30, who lives
luxuriously in Anapa, Russia, a beautiful seaside resort town of 60,000 on the
northern coast of the Black Sea, and often sails his yacht to various Black
Sea ports, remains a fugitive."
[http://www.usatoday.com/story/news/nation/2014/06/03/fbi-bus...](http://www.usatoday.com/story/news/nation/2014/06/03/fbi-busts-russian-hacked-created-zeus-cryptolocker/9919985/)

Guess the authorities can't find him because yachts are pretty tricky to spot.

------
Bjorkbat
So much for not negotiating with terrorists.

------
xdinomode
Has anyone heard of the ransomware that encrypts your whole hard drive and
makes you pay to unencrypt it? LOL.

