Popup on computer encrypting all files

You have to send money to a particular Bitcoin address. You can confirm that whatever’s giving you that Bitcoin address belongs to the legitimate ransomware company (e.g., that it’s the same domain name used by past victims who got their files back).

And again, it’s just not that much more work to write real vs. fake ransomware. It costs time and money to get your malware deployed, and the current situation seems to imply that the ROI is better when the ransomware is real than fake.

Their incentives are (a) that it’s good for their reputation, and (b) that if they don’t, a skilled IT person can remove it anyway, and/or the usual anti-malware companies will write a tool to do it automatically; the only thing you really need them for is the key.

I guess if the ransomware looks and acts just like a well-known ransomware (e.g. CryptoLocker), and puts you in touch with operators who respond to your queries, you have some confidence that it’s a “real” encrypting ransomware and not a data-destroying worm. Enough that <value of lost data> x <probability of recovery> is larger than the asking price.

Whatever the reason, I agree with those who say there seem to be more accounts of successfully getting your data back than not.

Also consider that in countries where actual kidnapping of people for ransom is widespread (e.g. Nigeria), the hostage is almost always returned safely after payment. (This Planet Money story is fascinating coverage of this, by the way.) So your “tragedy of the commons” theory doesn’t seem to hold up when the cost of delivering what was promised is very low (i.e. releasing a hostage is almost as easy as killing him/her, and decrypting the data is almost as easy as not).

Agreed, though I think that takers of human hostages have a major incentive that’s not present here: murder is almost always investigated with greater resources than kidnapping, and punished more severely, but that’s probably not true for destroying files vs. faithfully ransoming them. Other incentives seem to be sufficient to keep the ransomware operators mostly faithful, though.

I got hit by ransomware some months ago. All my picture and document files were locked.

Luckily I had made a full backup on a removable disk the day before, so I lost hardly anything.

As already stated, the ransomware affects all drives connected to the computer, so the only way to avoid a total infection is to connect your backup drive only when you are actually backing up; keep it well away from the computer at all other times.

Malwarebytes have a free beta Anti-Malware program that is supposed to stop ransomware installing on your computer. I’ve been running it for some weeks; I don’t know if it actually works, but I guess it can’t do any harm.

https://forums.malwarebytes.org/topic/177751-introducing-malwarebytes-anti-ransomware-beta/

:rolleyes:

I recommend herdProtect. It is free and currently uses 68 anti-malware engines:

It even finds suspicious files such as unsigned programs.

It isn’t impossible that there is some hope for victims. Kaspersky is claiming they can decrypt.

If kidnapping resulted in the death of the hostage 95% of the time, nobody would pay the ransom.

For a business of any scale, paying $300-$500 to get the files back is not a big deal; heck, my self-employment taxes every month push that. Fixed expenses for my business run around $3K/month. Just having to spend hundreds of man-hours rebuilding records from paper is more expensive; I just paid that to have my business taxes filed.

I understand the logic that you are trying to apply here; however, as it plays out in the real world, you are wrong. I, as a small-business IT guy, will advise people every time to pay the ransom if you don’t have good backups.

Bitdefender has an option to prevent encryption in the first place, but you have to tell it what folders to protect, and it can’t help after the data is encrypted.

Just because the thieves are acting against their incentives now, does not mean that they will continue to do so indefinitely. I see no reason to trust that they won’t wake up to the reality of those incentives.

IT still deserves to be sacked.

If you’re not regularly testing restore-from-backup, you don’t have a backup system.
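Two posts above make the same practical point: a backup drive that stays connected gets encrypted along with everything else, and a backup you never restore from is not really a backup. The following script is an added illustration of the restore test, not code from anyone in this thread. It records a SHA-256 manifest when the backup is taken, later restores the backup into a scratch directory and compares every file against that manifest, so a file that was silently encrypted or corrupted on the backup drive is reported before you need it. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Backup restore test: copy, manifest, restore into scratch space, compare.

Added example (not from the thread). The sample tree in demo() is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and write the manifest next to (not inside) it."""
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(source, backup)
    manifest = make_manifest(source)
    (backup.parent / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(backup: Path, manifest: dict) -> list:
    """Restore the backup into a temporary directory and list every deviation.

    An empty list means every file came back byte-for-byte identical to what
    was backed up; anything else is a backup you cannot rely on.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)  # the actual restore step
        found = make_manifest(restored)
        for rel, digest in manifest.items():
            if rel not in found:
                problems.append(f"missing: {rel}")
            elif found[rel] != digest:
                problems.append(f"content changed: {rel}")
        for rel in found:
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: a small document tree, a clean backup, then a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "documents"
        (source / "photos").mkdir(parents=True)
        (source / "taxes.txt").write_text("2016 quarterly filings")
        (source / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 fake jpeg bytes")

        backup = tmp / "backup" / "documents"
        backup.parent.mkdir()
        manifest = take_backup(source, backup)
        clean = verify_restore(backup, manifest)

        # Simulate ransomware reaching a backup drive that was left connected:
        # one file on the backup is overwritten with ciphertext-looking bytes.
        (backup / "taxes.txt").write_bytes(os.urandom(32))
        tampered = verify_restore(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup problems:", clean)
    print("tampered backup problems:", tampered)
```

In practice you would run `take_backup` while the removable drive is attached, unplug it, and run `verify_restore` against the drive on a schedule, keeping `manifest.json` somewhere the drive cannot reach so that a compromised backup cannot also rewrite the record of what it should contain.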

They can decrypt files encrypted by one particular type of ransomware, and then only if you have an unencrypted example of at least one of the files.

What incentive do you think they have to scam? I’ve already explained how you can figure out which brand of ransomware has your files, so there’s no tragedy of the commons. The operators will sometimes even decrypt a few files as samples, to prove that they have the key. I’ve explained that the ransomware can be removed like any other malware, so that past victims are at no special risk of reinfection, as long as their new IT staff is competent. What am I missing?

And beyond that, for existing ransomware, all the cost of encrypting (vs. just trashing the files, and claiming that you encrypted) is sunk. So the marginal cost for them to faithfully release your files when they get the ransom really is almost zero, at most a few minutes of a low-level employee’s time. If they’ve automated their Bitcoin payments (which I think some of them have?), then it’s even less, a few milliseconds of CPU time on their server. So what possible incentive could they have not to give you the key?