FBI to Ransomware victims: ‘Just pay’

Victims of ransomware, a complex form of malicious software that lets hackers encrypt the contents of a victim’s hard drive or server and demand payment for the decrypt key, should not expect the FBI to save them, according to a senior bureau official.

“The ransomware is that good,” said Joseph Bonavolonta, the assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program, at the 2015 Cyber Security Summit in Boston last week.

“To be honest, we often advise people just to pay,” he said, according to a report on the Security Ledger blog. The FBI didn’t deny the report, although a spokeswoman said Bonavolonta was not expressing official policy.

Programs like Cryptolocker, Cryptowall and Reveton, which use “ultra secure” encryption algorithms to imprison victims’ data, infected nearly 1,000 computer networks in the U.S. between April 2014 and June 2015, according to an FBI public service announcement. Victims were forced to pay a total of $18 million to retrieve their stolen data.

According to the PSA, the malware is typically downloaded by inadvertent clicking on infected advertisements, emails or attachments. Once downloaded, the program begins encrypting all user data. In bids that are “usually very successful,” and “have a significant impact on victims,” the hackers then demand a price to restore access — often in BitCoin, the digital currency favored for its ease of use and anonymity. The ransom can range from $200 to $10,000.

Because so many victims pay, hackers do not typically charge large sums of money, creating a steady stream of lower-yielding — but successful — hacks. Most hackers, according to Bonavolonta, do keep their side of the bargain once paid.

“You do get your access back,” he said.

Although he advised the audience, consisting mostly of tech and industry leaders, that he did want victims to contact the FBI to alert of any scams, he cautioned that often the only option for successful data retrieval is to pay up, since the FBI has no way of recovering data.

“The easiest thing may be to just pay the ransom,” Bonavolonta said. “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

Officially, the FBI’s policy takes no definitive stance on whether to pay the ransom, advising companies to take steps like installing firewalls, training staff and backing up data to prevent ransomware infection in the first place and assist recovery afterwards.

For victims who are infected, the Bureau deals with them on a case-by-case basis, said FBI Boston Media Coordinator Kristen Setera.

“That’s not exactly what the policy is,” she said when asked by FedScoop about Bonavolonta’s statement.

“The FBI doesn’t make recommendations to companies;” Setera added later in an email, “Instead, the bureau explains what the options are for businesses that are affected and how it’s up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.”