Sometimes you read an article about what to do in the event of a ransomware attack and come across the advice "consider paying the ransom". At that moment I take a couple of deep breaths and close the article, for my own good. Because extortionists should not be paid, and not only because they don't earn their money by honest labor. Apparently it's time for me to spell out why.
First, you are sponsoring malware development
Cyber villains, intruders, extortionists, a gang of cybercriminals: can you feel the shade of meaning in all these words? When you pay these guys a ransom, you are giving them money to keep doing what they do, which is ruining the lives of innocent people. The result is a closed loop: they encrypt you, you pay them, they go on to encrypt even more people.
In essence, there are two ways to break them of this habit: you can catch them all (and we periodically help with that), or you can make the activity unprofitable, in which case, you see, they will finally find themselves a normal job. Apparently they just haven't heard that programmers are actually paid pretty well.
And the activity becomes unprofitable when the victims stop paying. That's the argument right there. You can object: "That's all very well, and in general I'm for world peace, but my data is encrypted right now, and it's my problem I have to deal with." Even so, you don't have to pay the cyber villains. Read on.
Second, you may not get your data back
Agreements with criminals aren't worth the paper they're written on; that's exactly what makes him a criminal, he violates laws and agreements. So the fact that you paid him does not necessarily mean he will let you decrypt your files.
Remember ExPetr / NotPetya: since the unique user identifier there was generated completely at random, decrypting the files was simply impossible. Even the attackers themselves had no way to do it. No matter how much you pay, nothing will come of it. And ExPetr / NotPetya is not the only such case. Attackers often make mistakes in their code. Sometimes those errors let us build a decryptor, but in other cases the opposite happens: they prevent even the attackers themselves from building one.
Recently there was a case where a cybersecurity expert publicly asked a group of cybercriminals to fix a bug in their ransomware Trojan, because otherwise the files would be corrupted irreversibly. It would be funny if it weren't so sad. In general, when you decide to pay the ransom, there is no guarantee you will be able to get your files back. To put it mildly.
Third, you can be blackmailed more than once
There has already been such a case: cyber-rogues encrypted a certain organization, it paid as much as $6.5 million in ransom, and then two weeks later the same attackers encrypted it again and made it pay the ransom again.
Now, the point there was that in two weeks the organization hadn't managed to patch the hole through which the criminals got in the first time. But it also happens that scammers who encrypt and steal data simply decide to demand a ransom again, just like that, for no reason. Because they can: they stole your data, they didn't delete it when you paid the first time (and there's no way for you to know that), and they can blackmail you as many times as they like.
Or they may simply sell your data to competitors, even though you paid, and perhaps more than once. So either the organization has to pay again, or it has just thrown a tidy sum to the wind, because it finds itself back in exactly the same situation it was in before.
The only way out is not to pay even the first time. And if you pay the second time, there's no guarantee they won't come back to demand a ransom a third time, since you're such a stable source of income.
So what should you do?
If the villains aren't paid, then what is the victim supposed to do? The files are encrypted and stolen, and the cyber-crooks threaten to publish everything. The horror. Here's what to do:
Search for a decryptor. It may already exist, here or here, or it may not be there yet but appear later. We try to release and update them regularly as we study malware and catch intruders.
Talk to the vendor you bought your protection from. First, find out how this happened and what encrypted you; second, ask for help with decryption. It may well work out, and the vendor has an interest in helping, since you're not strangers to them.
And ideally: it's better to protect yourself and catch the infection before it does its thing. And don't pay. If no one pays them, you'll see, they'll finally die out, and the whole world will breathe a little easier.