When your business is under fire and a ransom is on the table, it's tempting to pay and make the criminals go away. But how do you know they'll fulfill their part of the bargain? Even if they do, you've made yourself complicit in a growing criminal enterprise.
Demands to pay up or endure the consequences come in many varieties. It may be a promise not to out the victim for using a questionable service, or not to dump data files stolen from corporate servers. More often, though, the threat is delivered via ransomware, a type of malware that encrypts user files and makes the encrypted data useless until ransom is paid -- in amounts generally ranging from $200 to $10,000.
Some experts argue that paying ransom makes the situation worse because it rewards criminal behavior. The groups behind ransomware know victims will pay, which has resulted in more ransomware variants and new attack vectors. It's basic game theory: One victim pays the ransom, so the game will be repeated for the next victim, who will look at what the first victim did.
"Paying the ransom simply encourages the attackers to continue following the same playbook," said Andrew Hay, senior research manager at OpenDNS, which was acquired by Cisco earlier this year.
Criminals care about reputation, too
The bad actor holds most of the power in this ransom game, but must also act accordingly to maintain that power. Ransomware criminals keep their word and unlock the data after payment because they want future victims to believe they, too, can get their files back.
If that faith is impaired, the game is over for the attacker, since victims will be less likely to pay if they hear reports of data not being returned.
"This is a repeated game that is visible to possible future victims via people discussing it on social media and Internet forums," said Angela Knox, senior director of engineering at Cloudmark, an email security company.
Reputation is the key factor in determining whether or not to pay ransom, said Chester Wisniewski, senior security adviser at Sophos, an endpoint security company. Whoever is behind the CryptoWall ransomware, for example, has "a sense of responsibility" about consistently decrypting files upon payment. The group has even been known to give victims time beyond the deadline to get ransom together. Sticking to one's word is good business practice, and the CryptoWall gang clearly treats what it does as a business enterprise.
It's gotten to the point that if Wisniewski hears a victim has been infected with CryptoWall, he's fairly confident the files will be decrypted once the ransom is paid. But that trust doesn't extend to other ransomware families.
Other, less scrupulous ransomware groups frequently piggyback on CryptoWall's reputation by pretending to be a CryptoWall variant. TeslaCrypt is one such impostor, and victims have paid the ransom thinking they were infected by CryptoWall. There's no way for victims to know whether they have been infected with the real version of CryptoWall or a fake one. If it's a clone, they find out the hard way after paying the ransom when the files don't get decrypted.
It's hard to determine the reputation of attackers, especially when so much of the supporting evidence is anecdotal, Wisniewski said.
DDoS is a different beast
The calculus changes if the threat is a DDoS attack rather than locking up valuable data forever. Many organizations have worked with upstream providers to fight back and try to outlast the attack rather than paying ransom. But some organizations recently have paid the criminals to stop.
When prankster group Lizard Squad targeted Xbox Live and PlayStation Network last Christmas, Kim Dotcom offered the group 3,000 free vouchers for encrypted cloud storage service Mega. RSS feed service Feedly was hit by a DDoS attack last year when it refused to pay a ransom to avoid the attack. And recently, encrypted email service ProtonMail paid $6,000 in ransom, but failed to stop the DDoS attacks.
ProtonMail is a good example of why paying to stop a DDoS attack doesn't work. Unlike with ransomware, the attackers typically aren't concerned about securing future income. Launching a DDoS attack is low effort for someone who already has a capable botnet, and with enough potential targets, there's no incentive to keep promises. Yes, there have been cases where paying ransom worked to stop DDoS attacks, but the underlying message is that the organization is vulnerable and can't defend itself. This encourages repeat attacks.
"The actors have already proven that the organization will pay ... so why not see if they'll pay a little more?" Hay said. "It's an extortion racket, plain and simple."
Then there's the question of whether the one demanding the ransom is the actual attacking party or "a random opportunistic guy," Wisniewski said. When it comes to ransomware, researchers have studied different malware families and can identify the malware sample with a degree of certainty. DDoS isn't like that because it's a flood of packets coming from many different locations.
DDoS attacks have been growing in volume and intensity recently as attackers assemble ever larger and more powerful botnets. Throw in the potential financial windfall in the form of a ransom, and more attackers enter the game to see how much they can get the victim to pay. It's a competition as botnet owners try to one-up each other on the strength of the attacks and how much they collect in ransom.
As a general rule, it's better to not negotiate with criminals and not pay the ransom. Work with law enforcement to catch the perpetrators so that criminals are stopped. Act pre-emptively to shore up defenses, such as putting in defenses for mitigating DDoS attacks or ensuring backups so that you don't need to pay the ransom.
Unfortunately, that can't be a hard and fast rule, particularly if irreplaceable data is at stake. But make sure paying ransom is the last resort, not the first choice.