Monday, October 5, 2015

Ransomware: To pay or not to pay

There is no need to tell victims of digital extortion how successful it is. What is needed is a way to help victims respond to the ransom demands.

"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today."

That introduction to Symantec's August 2015 report The evolution of ransomware (PDF) certainly grabs one's attention. I have been writing articles about ransomware since 2010, and looking back at my 2010 notes I noticed a comment of mine: "Ransom on the internet may not garner much money per incident but patient extortionists can cast a wide net and haul in many innocent victims who have no recourse other than to pay."

I wish I had been wrong; however, the evidence offered in the following reports suggests otherwise.

In 2012, close to 3% of victims paid ransom demands. Symantec reported one small-time operator managed to infect 68,000 computers in one month, resulting in potentially $400,000 USD being extorted.

In March 2014, Dell SecureWorks reported CryptoWall earned $34,000 USD in its first month of operation. By August 2014, CryptoWall had earned more than $1.1 million USD.

In June 2015, the FBI's Internet Crime Complaint Center published that 992 CryptoWall-related complaints were filed, and the resulting losses from these cases amounted to more than $18 million USD.

Currently, the going ransom is $300 USD. The two favored payment methods are payment vouchers and bitcoins.

Price sweet spot

Like any business, those running a cyber extortion ring understand the importance of finding the price sweet spot, which is probably why pricing per incident has not changed much since 1989 when ransomware first reared its ugly head.

"Taking inflation into account, 189 US dollars in 1989 is now worth 368 US dollars in 2015," explain the report's authors Kevin Savage, Peter Coogan, and Hon Lau. "Looking at the initial ransomware from various malware families from the start of 2014 to June 2015, we can see the ransom demand has ranged from 21 US dollars up to 700 US dollars, with the average being just over 300 US dollars."

Location affects pricing

Victims' locations are another consideration. The amount of money that can be extracted from victims in one country may be far too much to charge victims in a different part of the world. The report mentions, "To tackle the issue of international purchasing power, we can see that the idea of dynamic geographical pricing is employed by some ransomware."

CryptoWall is one such example. The ransomware, using an automated process, alters prices depending on geographical location. When a computer compromised with CryptoWall reports back to the command and control server, the server checks a database, determines what country the IP address is from, alters pricing based on location, and returns the ransom note with an adjusted price to the compromised computer.

Hit the jackpot

Cyber extortionists that focus on businesses cast a smaller and more sophisticated net, but if successful, the dividends are huge. The Symantec report discusses a Forbes article by Thomas Fox-Brewster. In the article, Fox-Brewster describes one particular cyber extortion case: "Employees at the financial services firm were sent emails from a Gmail account, demanding the firm pay 50,000 US dollars to get their website back. They threatened to increase the price by 10 percent with every passing week."

The tough question

There are myriad articles describing what ransomware is and how to avoid it. None of that means anything when you are staring at a digital ransom note. Now it's up close and personal.

Do you take the high road and not pay? Supposedly, paying reinforces that digital extortion does indeed work. Authors Savage, Coogan, and Lau have this to say about not paying: "While law enforcement officials will advise victims not to pay the ransom, there are several documented cases where they have paid the extortion demand to get their files back."

The authors mention that both the victims and the extortionists are walking a trust tightrope. Why should the victim trust that access to the data will be returned? The Symantec report suggests one reason: "They (extortionists) realize that without their reputation of being trusted to decrypt the files after the ransom demand is paid, no new victims will pay the ransom demands, which is bad for business."

There is no right or wrong answer

I asked numerous experts what they would do. Setting aside those who say it will never happen to them, responses were split evenly between pay and not pay. The sincere answer seems to be, "I will not truly know what to do until it happens to me."

I count myself in that group.
