This article from CBS News is titled, “‘WannaCry’ ransomware attack losses could reach $4 billion”. But if you read even the third paragraph, you’ll see that that figure “includes lost productivity and the cost of conducting forensic investigations and restoration of data.”
The actual figure being paid to the ransomers is much less. Further down, that article says:
At $300 per attack, that means only about 300 victims have paid. Really? So few? How are people dealing with this? Are they really able to “rebuild and recover from their backups or other sources”? And are they doing it for cheaper than $300? If I got attacked, I’d probably pay up. Not because I want to surrender to the bad guys, but because, frankly, my backups are not so recent. Yell at me all you want about that, but it is a fact that the vast majority of users don’t do backups etc.
With reports of this ransomware disabling hundreds of thousands of PCs worldwide, am I to believe that almost all of them are connected to an IT Dept that got them back up and running?
Even if your backups aren’t all that recent, there’s still no incentive to paying up, because there’s no reason to believe the scum will keep up their end of the deal even if you do pay. Sure, they might unlock your files for you, but what’s to stop them from immediately locking them again and asking for more money as soon as the check clears? People say that they have a reputation to keep up, but even that depends on them being honest about who they claim to be.
Most of those ‘thousands’ are on the desks of minions in big organisations. While private individuals might be prepared to pay up, most of us will have upgraded beyond WXP and kept the updates going.
Many large organisations run bespoke software that was built around XP and, on the principle of ‘if it ain’t broke…’ they have not updated their systems. Those organisations will usually have decent backups and will also be very reluctant to pay a ransom. If you have a thousand PCs running from your central server, and they get infected, it will take time to sort them all out.
Have there been any news reports or interviews with people who have paid?
It seems to me a good place for a journalist to look for a good story in the next few days.
And we would find out if the hackers are actually unlocking the files.
Another question: how does the hacker send you the key after you pay? That’s also a newsworthy story.
And wouldn’t sending the payment be a good way for the police to start investigating? When the hacker sends you the key, the police might be able to learn something about where the hacker is. Or maybe having the key would help the computer experts crack the encryption? That would be worth paying for, too.
When the Cryptolocker ransomware attack happened a couple of years ago, the news was reporting that the perps were going to significant lengths to ensure that those who paid the ransom actually did recover their files; they even went so far as to have a help desk, possibly even an 800 number. This seems surprising at first, but they were in it for the money, so they needed to preserve their reputation: if people doubted they’d get their files back after paying, then word would soon spread, and new victims would stop paying.
In the present attack, AIUI, people are not reliably able to recover their files, so paying is a less attractive option. This suggests that the perps this time around aren’t necessarily in it for the money, or are simply more inept than the Cryptolocker perps.
The current ransomware reportedly is able to move itself from machine to machine within a network. Imagine you run a company with 100 computers on a network, and overnight they all become infected: now you’re looking at $30,000 in ransom to free everything up. Restoring from a clean backup may be a cheaper option in such a case.
The people behind the attack are indeed bad at it.
E.g., they left the backdoor kill switch open so the first version got mostly killed off. The 2nd version has that patched but it still has other problems. E.g. it uses only 3 Bitcoin ids instead of 1 per infection which allows countermeasures.
Fun fact: Some of the added code* is from North Korean malware. Not proof it’s North Korea (in fact, they usually do a better job), but “provoking” in various ways.
(For some older OSes, MS has patches available. The newer ones have patches in their recent security updates. I think the “Windows 8” patches are for RT.)
And if multiple machines were encrypting the same shared storage area at the same time, some files might be encrypted with one key, some another, and others a third, so sorting out the decryption could be equally interesting.
I would think as soon as you got the files unlocked you would immediately make a backup copy. Then you would have a more recent copy, and would not be as concerned.
A bunch of them are in IT departments, at work it’s not rare for a user to get infected with ransomware, but when it happens we just send them a fresh hard drive, restore any network files from backup, and remind them that they’re not supposed to store files locally. A bunch of others just don’t have valuable data. If I keep around an old laptop to get on the net once in a while and it gets infected, I don’t have anything that’s worth saving and the ransom fee is more than it would cost to just buy a new device.
Except that, in that line of work, it’s inherently impossible to build up a reputation. What happens when some other, less “reputable” group of attackers pulls the same thing, and claims to be Cryptolocker? “Oh, you can trust us, just look up the news stories on Cryptolocker attacks”. There are ways to verify someone’s identity using encryption, but the kind of people who are going to trust those verifications are exactly the kind who aren’t going to get snared in the first place. And there are ways to verify someone’s identity that are trusted by non-tech-savvy people, but those ways all include ways to track down the person, which criminals absolutely can’t afford.
I don’t think they need their reputation for future attacks, as you say. They need it for the current attack. If during the current attack people were paying and not getting their files unencrypted, then the effectiveness of this attack would be severely hampered.
Here is a RadioLab podcast from a couple of years ago about a private citizen who paid the ransom. (40 minutes of streaming audio) It addresses many of your questions.
I understand that in this current attack, you have to pay via bitcoins.
To do that, I’d have to search online to figure out how to do it, how to buy bitcoins, etc. – but I can’t do any of that because my computer is infected.
So I’d just start with my newest backup, and rebuild any files since then.
Eh, if they’re demanding payment in bitcoins, it shouldn’t be too long before they’re tracked down. Bitcoins are the least anonymous and most trackable currency in all of history, and I’m half-convinced that they were actually developed by some governmental three-letter agency for exactly that reason.
Ransomware typically leaves computers completely functional except for the encryption of a selection of document types - the malware usually quite carefully avoids interfering with executables and other essential bits of the computer - the attackers want you to have a functioning computer, so you can use it to find a way to pay them.
Yes, the ransomware that encrypted all of your important files can be removed - but if your personal files (pictures, Word docs, spreadsheets, emails, etc.) have already been encrypted by the ransomware, then they will still be encrypted after you’ve removed the ransomware.
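The two posts above describe the pattern that makes ransomware easy to spot from the file system’s side: one process rewrites a lot of document-type files in a short burst and leaves executables alone. The script below is an added example written for this thread, not code from any poster or from the malware; it runs a sliding-window count over a constructed list of file-write events (timestamp, process name, path) and flags processes that fit that pattern. The process names, paths, thresholds and extension lists are all assumptions chosen for the illustration.

```python
"""Added example (not from the thread): flag processes whose file writes look like
ransomware, i.e. many distinct document files rewritten within a short window and
no executables touched at all.  The events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed extension classes; a real deployment would use a much longer list.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".eml"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}


@dataclass(frozen=True)
class WriteEvent:
    ts: float      # seconds since an arbitrary epoch (constructed)
    process: str   # image name that performed the write (constructed)
    path: str      # file that was written (constructed)


def classify(path: str) -> str:
    """Bucket a path as 'document', 'executable' or 'other' by its extension."""
    ext = PurePosixPath(path).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def suspicious_processes(events, window_s=60.0, threshold=20):
    """Return {process: distinct document files} for every process that rewrote at
    least `threshold` distinct document files inside some `window_s`-second window
    and never wrote an executable (the behaviour the posts above describe)."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[ev.process].append(ev)

    flagged = {}
    for proc, evs in by_proc.items():
        if any(classify(e.path) == "executable" for e in evs):
            continue  # installers and updaters touch binaries; ransomware avoids them
        docs = [e for e in evs if classify(e.path) == "document"]
        left, best = 0, 0
        for right in range(len(docs)):
            # shrink the window from the left until it spans at most window_s seconds
            while docs[right].ts - docs[left].ts > window_s:
                left += 1
            distinct = len({e.path for e in docs[left:right + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[proc] = best
    return flagged


def sample_events():
    """Constructed sample: one editor, one updater, one backup job, one burst writer."""
    events = []
    # A user saving a few documents over an hour: benign.
    for i in range(3):
        events.append(WriteEvent(i * 1200.0, "winword.exe", f"/share/report{i}.docx"))
    # An updater rewriting 30 DLLs in 30 seconds: bursty, but it touches executables.
    for i in range(30):
        events.append(WriteEvent(float(i), "updater.exe", f"/bin/lib{i}.dll"))
    # A backup job touching 40 documents, but spread over two hours: benign.
    for i in range(40):
        events.append(WriteEvent(5000.0 + i * 180.0, "backup.exe", f"/share/doc{i}.pdf"))
    # Ransomware-like: 40 distinct documents rewritten in under 30 seconds, no binaries.
    for i in range(40):
        events.append(WriteEvent(9000.0 + i * 0.75, "unknown_proc.exe", f"/share/photo{i}.jpg"))
    return events


if __name__ == "__main__":
    for proc, count in suspicious_processes(sample_events()).items():
        print(f"{proc}: {count} distinct document files rewritten within 60 s")
```

The defaults (20 files in 60 seconds) are deliberately conservative so that a backup job or a bulk save from an office suite does not trip the rule; tune them against a baseline of your own file servers before acting on the output, and treat a hit as a reason to isolate the host and check backups, not as proof on its own.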
With the Cryptolocker ransomware attack a few years ago, experts said the encryption was so strong that it was unbreakable by practical means, and if you wanted your files back, your best course of action was to pay the ransom.
With the current “wannacry” infection, I have not heard what the strength of the encryption is, and there are reports that paying the ransom does not reliably allow you to restore your files.