The No More Ransom Project (nomoreransom.org)
129 points by kawera on Jan 15, 2018 | hide | past | favorite | 37 comments



How common is it that paying the ransom doesn't work? Seems bad for the business model of ransomware, though I guess competing malware writers don't necessarily feel compelled to keep the market intact if they can squeeze out a bit more for themselves without the effort of writing a functional decryption routine.


I believe the common rule is that paying works, as per the business reasons you mention.

The issue is the victims on aggregate would rather not support the viability of that business. If no one has to pay, the business dies out. Perhaps a pipe dream, but less money at least means fewer actors in the space.


This is why the phrase "We do not negotiate with terrorists" makes sense as a general policy to advocate. It's weakened when we ignore it in individual cases.


Like the prisoner's dilemma, it's a superrational strategy—it yields the best outcomes if you genuinely believe that everyone else is being superrational too. If you don't believe that, the rational thing to do is defect and protect your own interests as best as you can.

In the case of superpowers and terrorists, there are usually few superpowers, and (usually) they believe each other to be smart and to have stability of the status quo in mind. In the case of individual ransomware victims, you have no such expectations.


The Good Friday Agreement was essentially brokered by ignoring it. That seemed preferable to me to the decades of sustained bombings.

It seems to me that no government can make a fully plausible promise that they won't yield under pressure and, in any case, terrorism is extremely ill defined.


I believe the phrase is rational for and applied to ransom situations - just generally pursuing peace with opposing parties is not encapsulated in that phrase, to my understanding.


What distinguishes an opposing party from a terrorist?

(My answer would be, the success of their terrorism. If you are mostly unsuccessful, nobody needs to negotiate with you.)


The Iraq journalist kidnappings from a decade ago showed that all governments negotiate with, and pay, terrorists.


It works if the good guys haven't shut down the C&C servers used to get the decryption key to the victim.


NotPetya/Petya/Netya are also known as 'wipers' because after reverse engineering it turned out the boot sector gets deleted rather than encrypted, so nobody can write a recovery routine.

"Affected users are advised to refrain from paying the ransom as that would by no means help them decrypt their data. This advice is particularly true for the NotPetya incident, as the attackers have no means to restore victims’ data." http://www.securityweek.com/notpetya-destructive-wiper-disgu...


I think there were instances where the "service" went down after intervention (banned domains, etc). So no one to pay, no one to get keys from.


I just want to know one thing: is Dropbox a sufficient backup strategy to prevent this problem? Obviously it's enough to prevent naive ransomware. Can they get around Dropbox's automatic 30-day version history by some means? They can presumably have total control over my account.


The only protection I would trust is a separate system that makes inbound connections to my computer to pull a backup. Or one that pushes a backup to another computer through a login ID that lets me write a backup but not delete/alter previous ones.
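The "write a backup but never alter previous ones" rule from the comment above, as an added example in Python (not code from this thread, from nomoreransom.org, or from any backup product): a receiver whose only write operation is "append a new snapshot". The `AppendOnlyStore` class and its method names are hypothetical, and the snapshot contents in `demo()` are constructed. The enforcement is structural rather than a flag: snapshot names are chosen by the receiver, files are created with `O_EXCL` so a name collision errors out instead of overwriting, and no mutating call exists for an existing name.

```python
"""Append-only backup store: new snapshots are accepted, existing ones can
never be overwritten or deleted through the same credential.

Added example for the HN thread above, not code from nomoreransom.org or any
backup product; the AppendOnlyStore class and its method names are
hypothetical. It models a receiver a backup client may only append to, the
property an append-only repository or a WORM bucket gives you.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


class BackupPolicyError(PermissionError):
    """Raised when a caller tries to alter or remove an existing snapshot."""


class AppendOnlyStore:
    def __init__(self, root: str) -> None:
        self.root = root
        os.makedirs(root, exist_ok=True)

    def _path(self, name: str) -> str:
        return os.path.join(self.root, name)

    def put(self, data: bytes) -> str:
        """Store a new snapshot and return its receiver-chosen name.

        The name is chosen here, not by the client, so a compromised client
        cannot pick a name that replaces an earlier snapshot. It carries the
        upload time (fixed width, so names sort chronologically) and a content
        hash (so verify() can detect a truncated or corrupted upload).
        """
        digest = hashlib.sha256(data).hexdigest()[:16]
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
        path = self._path(f"{stamp}-{digest}.snap")
        # O_EXCL: create only. A name collision fails loudly instead of
        # silently overwriting whatever was already there.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return os.path.basename(path)

    def get(self, name: str) -> bytes:
        with open(self._path(name), "rb") as fh:
            return fh.read()

    def verify(self, name: str) -> bool:
        """Recompute the content hash and compare it with the one in the name."""
        expected = name.rsplit("-", 1)[1][: -len(".snap")]
        return hashlib.sha256(self.get(name)).hexdigest()[:16] == expected

    def snapshots(self) -> list:
        return sorted(n for n in os.listdir(self.root) if n.endswith(".snap"))

    # The two operations the backup credential must not have. They exist only
    # so that an attempt is an explicit, loggable policy violation.
    def overwrite(self, name: str, data: bytes) -> None:
        raise BackupPolicyError(f"overwrite of {name} refused: store is append-only")

    def delete(self, name: str) -> None:
        raise BackupPolicyError(f"delete of {name} refused: store is append-only")


def demo() -> dict:
    """Constructed walk-through: two snapshots, then attempts to tamper with the first."""
    store = AppendOnlyStore(tempfile.mkdtemp(prefix="append-only-"))
    day1 = store.put(b"constructed sample: documents as of day 1")
    store.put(b"constructed sample: documents as of day 2")
    result = {"snapshots": len(store.snapshots())}
    try:
        store.overwrite(day1, b"\x00" * 32)  # what a compromised client would attempt
        result["overwrite_blocked"] = False
    except BackupPolicyError:
        result["overwrite_blocked"] = True
    try:
        store.delete(day1)
        result["delete_blocked"] = False
    except BackupPolicyError:
        result["delete_blocked"] = True
    result["day1_intact"] = store.verify(day1) and store.get(day1).endswith(b"day 1")
    return result


if __name__ == "__main__":
    print(demo())
```

Retention (pruning old snapshots) then happens with a different credential, from a machine the backed-up host cannot reach. Off-the-shelf counterparts of the same idea are `borg serve --append-only` on the backup host and object storage with an object-lock/WORM retention policy; in both cases the client's credential can add data but cannot rewrite or remove what it added earlier.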


Yes, that sounds like what I'd like. But where can I find something like that accessible to consumers? Are there roll-your-own methods using AWS or similar that have reasonable costs?


What I do is a little complex, but works fairly well. I store my data in CephFS, mount that read-only (CephX permissions also allow only read access) on a Linux box with a ZFS array, which uses borg to copy from the mount to the array. The backup box also runs CrashPlan to back up from the mount.


The ransom is usually quite small (i.e. <$1k), so it might be considered a 'cheap' lesson to learn that you should keep your software up-to-date and secure your network. (With the exception of 0-days, but you can't blame anyone for falling victim to that.)

My point is, the ransomware is just 'proof' that your computer is insecure. If criminals can encrypt your files, they can also steal them (i.e. upload them somewhere). So in some sense, the ransomware creators expose vulnerabilities that would have otherwise gone unnoticed.


I'm not sure if you're trying to say that the ("cheap lesson to learn") should be paid or not; ≈$1,000 is a lot of money for most people. I think the shock of having to pay it is enough to have the same effect — those affected can then hopefully use the decryption tool without having to directly fund criminals.


The target market of ransomware is supposedly businesses, not individual people—partly because businesses can afford the ransom and have clear incentives to get their data back reliably.

I guess I have no idea who it targets in practice. Are there lots of individual home users who fall victim to ransomware?


Yes. WannaCry is one such.

Ransomware was pretty common among home users in the past, at least. Back then it was quite easy to convince someone to click on a "Warning! Your computer may be infected! Try our software" pop-up. Then if your computer got locked up, the screen would say "call tech support!"

There was a claim against Kaspersky [1]. I don't know if it is really true, but I personally believe that the AV industry does shady things out there, paying some blackhat to spread viruses/malware so consumers can rely on AV.

[1]: https://www.reuters.com/article/us-kaspersky-rivals/exclusiv...


Ransoms are usually used to fuel other illegal activities, so paying has some non-trivial implications and should be avoided.


What? That's like saying robbers are doing you a favor because if they could come in and take your belongings they could also burn your house down or murder you.

Criminals are criminals.


According to the BLS, $1k is more than a week's pay for most Americans with full-time jobs.[1] That's not even remotely cheap.

1: https://www.bls.gov/news.release/pdf/wkyeng.pdf


What if there was a rapidly spreading ransomware that would not decrypt the user's files after the ransom is paid? Ransomware paradoxically requires a certain level of trust in the attacker; that's why they often have their own tech support people and actively answer victims' questions. If there was a deceitful ransomware in the wild, it could help reduce trust in future attackers, reducing the chance of future victims paying up, and helping to make ransomware a thing of the past.


Consider 419 scams. They have nearly zero credibility, and also lack the kind of leverage you can get out of threatening that someone will never see their kid's baby photos again. Yet even they are still profitable enough that many people think they're a worthwhile operation to run.

Ransomware might have a higher bottom line, owing to the greater technical skill involved in operating such a racket, but still, in a world where 419 scams persist, it's hard for me to believe that you can damage ransomware's credibility to the point where it's no longer profitable.

More likely, such an endeavor would end up destroying more people's data than it saves.


The reason 419 scams have near-zero credibility (with grammar errors, terrible English, etc.) is to increase the signal-to-noise ratio for the scammers. The less intelligent people who fall for it and are scammable won't be put off, since for them the red flags and bells aren't ringing. So if they reply, the scammer knows he's got bait. Bots make clever use of this M.O. as well; they tend to behave a bit clumsily, fitting the character of a replier, and get away with it.


This has already happened - NotPetya claimed to be ransomware but the instructions given weren't usable. It actually turned out to be a wiper.

https://www.kaspersky.com/blog/expetr-for-b2b/17343/

https://www.theregister.co.uk/2017/06/28/petya_notpetya_rans...


Incentives matter, as the saying goes. Why would you refuse to decrypt and risk the news spreading that XYZ-Ransomware doesn't follow through on its promise to decrypt? What is there to be gained?


It's a proposal for ransomware that deliberately sabotages the credibility of other ransomware.


I'm not sure that would work, though. "Credible" ransomware could pretty easily demonstrate that they do decrypt after payment, because someone will always try paying.


Lots of discussion last time; quite a while ago, though:

https://news.ycombinator.com/item?id=12831430



For those interested, there are also commercial alternatives to help with ransomware decryption: https://products.drweb.com/decryption_from_ransomware/

But I have no idea about the cost.


Heh.. weird coincidence. I'm currently busy restoring customer backup files, because a funny little program decided to transform everything into ...johntrudl.com].java files.


I would just dispose of my computer if I were hacked. All my valuables are backed up anyway. If my machine becomes compromised, why on earth would I want to continue using that machine?


Because you're clever enough to restore from a clean backup, and double check you're patched up and not running untrusted code. You're on HN, after all.


Figuratively dispose (i.e., reinstall the OS).


A repo of decryption keys is very useful because it obsoletes specific attacks without relying on the user to patch his computer ahead of time.

Additionally, ransomware encryption can be stopped at the file-system level:

https://www.cryptodrop.org
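As an added illustration of the file-system-level idea the comment links to, here is a simplified detector in Python (my own example; not CryptoDrop's code and not from this thread). It diffs two snapshots of file contents and flags files whose rewrite shows the signals such detectors look for: byte entropy jumping to near 8 bits per byte, a recognisable file type turning into unrecognisable bytes, renames and deletions, then alerts only when a large fraction of files is affected. The thresholds, the sample files and the deterministic high-entropy filler standing in for ciphertext are all constructed.

```python
"""Snapshot-diff heuristic for bulk file encryption.

Added example, not CryptoDrop's code and not from the HN thread. Compares two
snapshots (name -> bytes) and flags files whose rewrite shows the signals a
file-system-level detector looks for. Thresholds and sample data are
constructed for the demo.
"""
import math
import random
from collections import Counter
from typing import Dict, List

HIGH_ENTROPY = 7.0   # bits/byte; ciphertext and compressed data sit near 8.0
ENTROPY_JUMP = 1.5   # a rewrite that adds at least this much is suspicious
ALERT_RATIO = 0.5    # alert when this fraction of tracked files is flagged

MAGIC = {b"%PDF": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Tiny libmagic stand-in: a few signatures, otherwise text vs unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return "text" if data and printable / len(data) > 0.95 else "unknown"


def assess_change(before: Dict[str, bytes], after: Dict[str, bytes]) -> dict:
    """Flag each file in `before` whose state in `after` looks like encryption."""
    flagged: Dict[str, List[str]] = {}
    for name, old in before.items():
        findings: List[str] = []
        # A file that vanished may live on under a changed/appended extension;
        # match the original name as a prefix before calling it deleted.
        new_name = name if name in after else next(
            (n for n in after if n.startswith(name)), None)
        if new_name is None:
            flagged[name] = ["deleted"]
            continue
        if new_name != name:
            findings.append("renamed")
        new = after[new_name]
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        if e_new >= HIGH_ENTROPY and e_new - e_old >= ENTROPY_JUMP:
            findings.append("entropy-jump")
        if sniff_type(old) != "unknown" and sniff_type(new) == "unknown":
            findings.append("type-lost")
        if findings:
            flagged[name] = findings
    ratio = len(flagged) / len(before) if before else 0.0
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= ALERT_RATIO}


def _constructed_filler(seed: int, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample snapshots.
SAMPLE_BEFORE = {
    "report.txt": b"Quarterly figures for the northern region, draft 3.\n" * 40,
    "notes.txt": b"todo: call the vendor about the invoice\n" * 30,
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(i % 16 for i in range(2048)),
    "archive.zip": b"PK\x03\x04" + bytes(i % 4 for i in range(1024)),
}
# Everything except notes.txt rewritten to high-entropy bytes under a new name.
SAMPLE_ENCRYPTED = {
    "report.txt.locked": _constructed_filler(1),
    "notes.txt": SAMPLE_BEFORE["notes.txt"] + b"done\n",
    "photo.png.locked": _constructed_filler(2),
    "archive.zip.locked": _constructed_filler(3),
}
# An ordinary day's work: two text files edited, nothing else touched.
SAMPLE_BENIGN = dict(SAMPLE_BEFORE, **{
    "report.txt": SAMPLE_BEFORE["report.txt"] + b"Draft 4 pending review.\n",
    "notes.txt": SAMPLE_BEFORE["notes.txt"] + b"done\n",
})

if __name__ == "__main__":
    print("encrypted:", assess_change(SAMPLE_BEFORE, SAMPLE_ENCRYPTED))
    print("benign:   ", assess_change(SAMPLE_BEFORE, SAMPLE_BENIGN))
```

Any single signal here has benign causes (compressing a folder or encrypting one file legitimately produces a rename plus an entropy jump), which is why the alert is on the rate across many files rather than on one hit. A real file-system-level tool hooks write events as they happen instead of diffing snapshots after the fact, so it can stop the process after the first few suspicious rewrites rather than report a finished job.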



