Would You Pay a Ransom for Your Laptop?

Imagine turning on your computer one day and being greeted with this message:

This is ransomware, and in 2016 over 4,000 ransomware attacks occurred daily, raking in nearly $1 billion in profits for attackers.

While there are many types of ransomware, they all leave users unable to access their files or even to fully boot their PCs. Ransomware is malware that locks and/or encrypts a user’s files or computer and demands that a ransom be paid within an allotted time before the computer is unlocked. All sorts of computers are vulnerable to ransomware, including home computers, endpoints on a corporate network, and servers used by a government agency. To make matters worse, paying the ransom is no guarantee that your files will be unlocked, and your willingness to pay can make you an even bigger target for further malware or extortion attempts. Ransomware is also hard for security software to detect, and once your data has been taken hostage there is nothing to stop the attacker from copying your sensitive data out as well. The ransomware is also likely to search for other accessible computers on the same network, which is devastating in a corporate environment.

In the U.S. alone, victims lost $209 million to ransomware in the first three months of 2016, compared to a total of $24 million for all of 2015. With this rapid onslaught of attacks, ransomware has become big business for some hacking groups. This new cybersecurity battle has led to a digital arms race, with attackers investing more in advanced, automated attack-delivery methods and private firms increasing their funding of corporate protection measures.

These attackers continue to make money at an alarming rate, and most often they employ spear-phishing tactics. Phishing is the fraudulent act of claiming to be a legitimate party in an effort to coax users into revealing sensitive information like usernames and passwords. Spear-phishing ups the ante by targeting a specific group of people, such as employees at a company an attacker wants to infiltrate. (There is even a term, whaling, for phishing attempts aimed specifically at high-level executives like CEOs.) So an unsuspecting employee can click on a link in an email that looks like it comes from their boss and instead download ransomware onto the computer; even if that computer has traditional anti-virus software installed, chances are the ransomware will evade the security measures in place. The ransomware can then move laterally across the network, infecting countless computers in its wake and demanding additional ransom money for each machine it claims.

A company that finds itself the victim of ransomware has little recourse, and the attackers know it. Not only is the problem new enough that most corporations either are not protected or have no policy to address it, but the clock is ticking and law enforcement is very limited in the aid it can offer. Since most attackers are either foreign actors or state-sponsored hacking groups, the chances of local authorities being able to track down those responsible are very slim. And with 4,000+ daily ransomware attacks, it would be unreasonable to assume that law enforcement has the bandwidth or the digital forensics skills to be of help. Companies can then turn to private incident responders, but without access to the machines on the network, finding clues about how the attacker got in or how much control they have is nearly impossible. As a result, most companies are forced to consider paying the ransom, knowing full well that their data might not get unlocked, might already have been resold, and that the attacker might leave a backdoor to regain access in the future.

So the good news for the average person is that attackers are much more interested in corporate environments than in the average person’s laptop. Attackers know that the real money is in compromising company networks, where ransomware can cause major disruptions to business operations, which greatly increases their chances of getting paid. Business networks are also complex, and with so many eager clickers employed, their attack surface is broad and vulnerable. Those in charge of network security at a company need to be vigilant and stop every attack, but the attackers only need to succeed once. Since ransomware can affect not only personal laptops but other endpoints like POS systems and servers, it can hit the core of an affected business. Most small- to medium-sized businesses don’t have the capital to invest in prevention measures and won’t have a plan for dealing with a ransomware situation if one occurs.

Ultimately, only two things can keep you safe from ransomware: backups and a basic knowledge of security. Although a ransomware attack still leaves your data exposed, at least a backup would restore your access to it. Most victims of a ransomware attack find it difficult even to assess what they’ve lost, since without a backup there is no record of what existed and what could now be in the hands of an attacker. Security also needs to be everyone’s business: a properly trained employee should be able to spot a phishing email, or at least follow a protocol for emails he or she is unsure about. While there’s no silver bullet for security, proper etiquette and education are half the battle.
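The post's closing point is that a backup is also a record of what existed, which is what lets a victim assess what was lost. As an added example (not code from the original post), the script below turns that idea into something checkable: it records a manifest of every file (path, size, SHA-256) before an incident, then compares a later snapshot against it and buckets each file as missing, normally modified, newly appeared, or suspected encrypted (a high Shannon entropy of its first 64 KiB, which plain documents never reach). The directory contents and the "incident" (one file overwritten with random bytes, one deleted, one edited, one note dropped) are constructed inside the script so it runs offline; the entropy threshold of 7.5 bits/byte is an assumption, not a value from the post.

```python
"""Backup manifest plus post-incident triage for a ransomware-style event.

Added example, not from the original post. All sample files below are
constructed; the threshold and bucket names are this example's own choices.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

SAMPLE_BYTES = 64 * 1024      # how much of each file the entropy check reads
ENTROPY_THRESHOLD = 7.5       # bits/byte (assumed); plain documents sit far below


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Heuristic: a file whose leading bytes are near-random is probably ciphertext."""
    with path.open("rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD


def build_manifest(root: Path) -> dict:
    """Record every regular file under root: the 'record of what existed'."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def triage(root: Path, manifest: dict) -> dict:
    """Compare the current tree to the manifest and bucket every difference."""
    report = {"missing": [], "modified": [], "suspect_encrypted": [], "new": [], "intact": []}
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, rec in manifest.items():
        p = current.get(rel)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == rec["sha256"]:
            report["intact"].append(rel)
        elif looks_encrypted(p):
            report["suspect_encrypted"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in sorted(current):
        if rel not in manifest:
            report["new"].append(rel)
    return report


def run_demo() -> dict:
    """Constructed scenario: take a manifest, simulate what an encrypting
    ransomware leaves behind, and triage the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly figures, plain text.\n" * 200)
        (root / "docs" / "notes.txt").write_text("meeting notes\n" * 50)
        (root / "config.ini").write_text("[app]\nretry=3\n")
        manifest = build_manifest(root)

        # Simulated incident (constructed, not real malware): one document is
        # overwritten with random bytes as an encrypted file would be, one is
        # deleted, one is edited normally, and a sample note appears.
        (root / "docs" / "report.txt").write_bytes(os.urandom(SAMPLE_BYTES))
        (root / "docs" / "notes.txt").unlink()
        (root / "config.ini").write_text("[app]\nretry=5\n")
        (root / "ransom_note.txt").write_text("(constructed sample note)\n")
        return triage(root, manifest)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket:18s} {files}")
```

The manifest is only useful if it is stored somewhere the ransomware cannot reach (offline media or a write-once backup target), because the same malware that encrypts the documents will happily encrypt a manifest sitting beside them. The entropy check is a triage aid, not proof: compressed archives and images are also high-entropy, so an unchanged hash should always win over the heuristic, which is why the hash comparison runs first.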


8 comments

  1. drewsimenson

    Wow, I have to admit that this is powerful and I probably WOULD be willing to pay ransom to unlock my files if I had no other choice and needed them. Guess this is why a solid backup system is important to set up. Nice post that I will definitely reflect on next time I need to consult on cyber security!

  2. fayehubregsen

    I second @drewsimenson’s Wow. Hijacking data is obviously a hot topic right now, and there is a lot of potential for innovation in the space. I imagine there are several ways these ransom hackers get ahold of computers and POS systems, which leaves room for network security managers to rethink protection processes. I suspect the wave of the future will do away with the current form of passwords and codes we have, and replace it with a more secure and personalized mechanism, whether it be a security question check-point on steroids, three-step verifications, or even mainstreaming iris recognition.

  3. erinfitzpatrick123

    Agreed with both comments above – great post. I had a cybersecurity professor come speak in a class of mine last year, and he mentioned this type of attack. He said a lot of times people don’t know where to turn – police don’t really understand what is happening, and people are desperate to get their files back, so a lot of the time they just pay. What is scary is that the hackers can keep copies of everything, especially for corporate environments where that information may be confidential. But agreed with above – I would probably pay the ransom (and I really should get better at backing up my files!)

  4. viquezj

    Great post about the importance of creating awareness about cybersecurity. I would definitely pay ransom to recover my files, but I would be very skeptical about how much data the attacker was able to retain and how he is going to use it now. This is especially important in the corporate world, where companies have valuable information about their clients. Compromising that kind of sensitive private information could even encourage clients to seek another company with a better cybersecurity system. This is why companies should make it a priority to train their employees to spot a phishing scam or to follow protocol to have an expert deal with the threat. It is far cheaper for a corporation to invest in cybersecurity training than it is to pay the cost of this type of attack.

  5. diiorion

    For my personal computer, I honestly don’t think that I would end up paying a ransom for my files. I’m pretty good about backing up with DropBox, and even then, most of my files right now are just old school assignments, pretty much. Nothing that I would care about so much as to pay a ransom to get them back. However, as you described in the post, this kind of attack is terrifying to me in the corporate context. During my past couple of internships, I would get a computer and have to go through cybersecurity training and company policies for computer use. I was scared to even go on Google for a few weeks because I didn’t want anything bad to happen! Now the thought of being the source of a virus that takes over my entire company’s network and results in the payment of large ransoms? This is going to give me nightmares…

  6. I think what’s really scary about this is the way the cyber crime industry is evolving and the difficulty the security industry is having in keeping up with it. No longer do you just need to worry about e-mails from Nigerian princes in your personal e-mail account, but awareness of cyber security is imperative in all aspects of your life. This reminded me of an article I saw a while back about how medical records are now far more valuable for cyber criminals than credit card numbers or social security numbers: http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. At this point, we not only have to worry about carefully managing our own data but we have to trust the countless other companies that may not be up to the task of protecting the data we entrust to them.

  7. Nice post on an under investigated topic. I agree that I am unlikely to be targeted, because virtually everything I have is backed up to Google Cloud. If Google gets compromised by ransomware, that’s an entirely different problem!

  8. terencenixdorf

    Great post, Chris. This was definitely an interesting read, and at first I thought it was going to be a post directed entirely at the individual and what to do in order to stop ransomware. As they always used to say in 24, “do not negotiate with terrorists.” I didn’t even think about the catastrophic effect that this type of cyber attack would have on an entire computer network at a company. With files so sensitive, it could absolutely cripple a company, and they would have no choice but to pay the ransom. The fact that there’s no guarantee of getting the money back is scary, but if they’re hacked like that, do they really have any other choice but to comply? I’m not sure, but it’s clear that as hackers grow to be more innovative, the ethical hackers at tech companies have to continue to be on their toes and ready to stop any incoming attack. One of the things that really resonated with me from your blog is the fact that hackers can try all the time to find a vulnerability in the network and you can stop them all of those times – but all they need is to succeed once and your entire system could be compromised. Really curious how businesses are going to combat this growing problem. Thanks for sharing!
