Why the FBI is wrong: you should never pay ransomware
Paying up can be pointless, especially when you can safeguard your data


ProtonMail, a Swiss-based encrypted email service provider, knows all too well about the futility of paying a ransom.
It did precisely that this month in order to stop a DDoS attack that was crippling its networks and those of some upstream providers. However, despite coughing up the 15 bitcoins (about 3,750) ransom the DDoS continued. I mention this as it is a great reminder that the bad guys are called 'bad' for a reason: expecting them to be reasonable and do what you perceive as the right thing following the payment of a ransom is, frankly, naive in the extreme.
Yet just last month, FBI agent Joseph Bonavolonta told delegates at a security conference that "we often advise people just to pay the ransom" when it comes to ransomware.
While this seems like a crock of the first order, some have suggested there is sense in the advice. The argument being, from a purely business perspective, one has to ask whether the time and money spent trying to free your data from the encrypted clutches of well written ransomware will be more or less than just paying the ransom and moving on.
The truth of the matter, as the ProtonMail example highlights, is that you can't actually trust the bad guys, so paying any ransom is always going to be a gamble. The FBI advice is about as useful as a one-legged man at an arse-kicking party.
When it comes to paying a ransom to decrypt your data, the odds are stacked against you in my experience. How so? Well, quite apart from the trust issue (and yes I am banging on about that, for a very good reason) there's the coding issue.
Take the Power Worm ransomware that was spotted doing the rounds recently - it was so badly coded that the attackers couldn't decrypt your locked up data even if you paid the release fee and they wanted to. Why so? Well, this variant was so full of bugs that it effectively destroyed the keys required to decrypt data.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Not that all ransomware code is a pile of crap. The latest iteration of Cryptowall, for example, appears to be pretty well written, and has tweaked the encryption process and the way it evades detection in the first place. This is probably why the folk behind Cryptowall have raked in ransoms in the order of hundreds of millions of pounds, according to the Cyber Threat Alliance.
So, going back to our FBI man and his advice, should you pay the ransom? And is paying up the only way to deal with this type of ransomware? My answer is always going to be no. A big fat no, in fact. The most effective way to deal with ransomware is with a pre-emptive twin-pronged strategy that involves not getting infected and having suitable data backups just in case you do.
In terms of prevention, ensure you are using endpoint protection that's up to date so as not to get hit with old threats. Ditto as far as system OS patches and application updating are concerned: the smaller your insecurity footprint, the less opportunity for the bad guys to strike.
This is why staff training and awareness also plays into this, with phishing/social engineering techniques being another common route to infection. In fact, when it comes to ransomware infection mitigation we are talking the same old, same old. Don't open files attached to unsolicited emails, don't click on untrusted links, yada yada yada.
The target of these attacks is your data, but rather than attempts at exfiltration, the attackers want to lock it down and stop you accessing it, so you need to focus on that as well. The solution is simple enough: back it up. More to the point, have a backup strategy that involves multiple backups (local and cloud) which include 'air-gapped' ones so as not to all be hooked into the same computers and networks that might get infected.
Minding the gap means that if the worse did happen you can simply wipe things clean and start again where you left off. Hopefully. Erm, I should mention that there are some ransomware variants which stealthily encrypt or decrypt data on-the-fly, in the background, for weeks or months on end, so that your backups are actually also encrypted and worthless.
However, not going into panic mode post-infection is a good move. You might be surprised just how much information is out there to help you remove a ransomware threat and decrypt your data.
Some ransomware malware has already been reverse-engineered, and decrypting tools are available to unlock your data without any ransom being paid. Google is your friend, as are open-source threat intelligence depositories like VirusTotal, so do your research and find out what has attacked you and whether anyone has already dealt with it.
If all else fails though, rather than pay the ransom, instead consider paying a security consultant to help you. It means you stand more chance of recovering your data, and at least your money is going to the good guys...
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years