An FBI representative speaking at the 2015 Boston Cyber Security Summit gave a piece of advice on ransomware which the San Francisco Chronicle called “disquieting”: he said it’s recommended victims of certain strains of ransomware pay the extortionists.
In fact, Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the Boston office gave a keynote on ransomware in which he said certain strains, namely CryptoLocker and CryptoWall, are so difficult to crack that paying up to the extortionists “would almost certainly cost less” than hiring someone to attempt to fix the affected computers.
“To be honest, we often advise people just to pay the ransom”, Bonavolonta said.
Well, hearing things like this from a law enforcement agency representative is indeed disquieting, as it shows the FBI has little to do with ransomware itself. In the best-case scenario, the FBI or some other LEA(s) will one day apprehend the Crypto-whatever authors; by that time, the ransomware victims will have either already made those miscreants reach or abandoned their compromised files.
Paying up or not? #Ransomware situation isn’t getting easierTweet
Meanwhile, little can be done with encrypting ransomware that uses strong asymmetric encryption, if the private keys are unavailable for any reason: mathematically, it would take a tremendous amount of computational power in order to crack an RSA 2048 bit key which is used by CryptoWall 3, for instance. (according to some estimates, it would take a little over 6.4 quadrillion years for a standard modern desktop to break it; that’s longer than scientists say the universe itself has even existed).
So the FBI officer has simply acknowledged a bitter fact: unless precautions are taken, victims may not be able to recover their data in any other way than by paying the demanded ransom.
“To be honest, we often advise people just to pay the ransom” – FBI #ransomwareTweet
Although, again, it is really discouraging to hear anything like that from a representative of a profile department of the FBI.
In June, the FBI said CryptoWall victims have lost more than $18 million since the beginning of 2014. According to other estimates, the CryptoWall malware family has been used to extort a total of $325 million from tens of thousands of victims worldwide.
Did you say precautions?
Yes, there is a way – and the only certain one – to prevent losses to malware activities. It is a regular backup of files within a “cold” (i.e. offline, unpowered storage without any computational capabilities). If these backups are in place, extortionists get the cold shoulder.
Encrypting files takes time and needs processing power. There is none of the latter in an offline backup storage, so encryption doesn’t occur, and that means there is the possibility of recovering data. Even if the malicious files do slip in, they can be easily identified and removed in a timely matter.
Crypto-threats may be extremely destructive, but fortunately, not all of them are unbeatable.
Kaspersky Lab, together with Dutch police, have just added an additional 14,031 decryption keys to the repository noransom.kaspersky.com, enabling all users who have fallen victim to CoinVault and Bitcryptor ransomware to retrieve their encrypted data. Without having to pay a single bitcoin in ransom to criminals, of course. Bitcryptor is the next version of malware from the same authors with essentially the same code.
CoinVault was effectively eliminated earlier this Fall, so by making these keys available, the case is effectively closed. Two men were arrested on suspicion of involvement in the ransomware attacks; we ran a story about it in late September.
The outcome of the CoinVault situation is fortunate, but it is not always so. There are numbers of more covert and thoughtful ransomware campaigns, which are not cracked so easily.
Kaspersky Lab’s recommendations here are probably familiar to many, but they are still very true:
- Keep your antimalware/security solutions up to date;
- Security solutions should have behavioral analysis capabilities for the sake of 0-day vulnerabilities and totally new malware strains;
- Keep all of the especially vulnerable software (Java, Flash, Office, etc.) up to date and under the heaviest of scrutiny;
- Educate employees (the main target) on phishing, on launching suspicious files, and on other threats associated (and not necessarily associated) with encrypting ransomware.
- Always back up your data.
P.S. Kindly take a look at our little poll on Twitter.