What would you do if your personal computer were to get infected with the recent Cryptolocker malware – would you pay the ransom to get back your data? What if your company or government agency system got infected and paying the Cryptolocker ransom was the only way to get back critical business data? Unfortunately, many individuals and IT administrators are finding themselves in this exact dilemma with the recent emergence of Cryptolocker ransomware.
The concept of ransomware and cyberextortion has been around for many years. In 1989, Dr. Joseph Popp distributed floppy disks with the AIDS Information Trojan; this early malware scrambled the hard disk after running 90 times and demanded a monetary payment be sent to an address in Panama in order to regain access to the data on the disk. Luckily, the authors of the AIDS Information Trojan and other prior versions of ransomware used simple techniques such as directory and filename scrambling and common encryption keys. These could be easily evaded, and the data could be recovered without actually providing any money to the crooks. Unfortunately, Cryptolocker is much more sophisticated and leverages a robust implementation of asymmetric cryptography that cannot be fully reverse-engineered. If your data is not backed up, it truly cannot be recovered unless you can retrieve the private key from the malware operators. To get the private key to decrypt your data, it will cost approximately $300 if you pay within 72 hours or even more if you decide not to pay initially but later change your mind.
With a “late payment penalty” of up to five times the initial ransom, the crooks attempt to heighten fear in their victims and even present a countdown timer to let the victims know they mean business. In its published alert, the FBI recommends that the ransom not be paid; rather, infected hard drives should be scrubbed and files restored from a backup. Similarly, the UK’s National Crime Agency states that it “would never endorse the payment of a ransom to criminals and there is no guarantee that they would honor the payments in any event.” This seems to make perfect sense, as paying the ransom would only encourage the criminals to continue their illegal activities and create similar malware. If no one paid the ransom, the crooks would eventually give up or look for alternative ways to extort money.
While it is easy to say you wouldn’t pay a ransom like this, you might find yourself reconsidering if you were actually in this situation with no other way to get back your critical data. One such example was a local police department in Massachusetts that paid the Cryptolocker ransom to decrypt files locked up by the malware on its police computer systems. Bitdefender Labs identified approximately 12,000 hosts infected with Cryptolocker between October 27 and November 1, 2013. Even if, as estimated, only 3% of infected users pay, the same cyber crooks who targeted the Massachusetts police department made more than $100,000 in a single week. So, unfortunately, victims are paying the ransom and making this enterprise a very lucrative business. Perhaps even worse is the negative publicity and embarrassment that an infected corporation or Federal government agency would face if it actually paid a ransom to regain access to its data.
In a US-CERT Alert, the US Department of Homeland Security recommends a number of security best practices, including basics like maintaining up-to-date anti-virus software and patches and using caution when opening links or attachments received via email. The most critical advice, applicable to all personal and business systems, is to perform regular backups of all important data. Keep in mind that Cryptolocker will encrypt every drive visible to an infected system, so your backups must be stored remotely, not simply on another drive partition or on a drive mapped to another location. That way, if you have a recent backup and become infected with Cryptolocker, you can recover with essentially no consequences other than the time it takes to clean your system and restore your files. In fact, for corporations and government agencies, it makes much more sense to invest funds in backups and other precautions than to pay a ransom.
While Cryptolocker is indeed very sophisticated, it may evolve into something worse in the future if information system owners do not take appropriate steps now. As it stands, the Cryptolocker criminals do not actually take your data and use it for other malicious activities; rather, they simply encrypt and prevent you from getting your data until you pay for the key. While ransomware and other malware for financial gain have taken a backseat in recent years to cyber-activism and cyber-warfare, we could likely see the pendulum swing back with the success of Cryptolocker and possible new variants.