Ransomware: What is the alternative to paying the ransom?

No, no, you scramble the data once, get the payment, and unscramble it. Then you scramble it again and send a new ransom note (probably signed with a different name), and repeat that.

Except this isn’t actually something that happens. By and large, people do have their files decrypted and major ransomware rings even have a “support” line to get people through the process.
The thing that’s “stopping” ransomware authors from failing to hold up their end is the knowledge that people across the board will just stop paying if they think they won’t get their files back.

Indeed. If you are in it for the money (and not just making people’s lives miserable), it makes little economic sense not to give the data back. As soon as you’re known as untrustworthy, the whole house of cards falls down.

There is still the issue that there’s no honor among thieves.

Certainly it seems that the big, long-term ransomware folks do decrypt after payment. But no doubt there are jerks out there who think: “Let’s cut corners and just leave ’em high and dry. Don’t actually have to use any encryption at all. Just randomize the stuff and take the money and run.” Sure, that will only work in the short run and hurt the business of the legitimate (???) ransomware folk, but money is money.

The best way to do this, of course, is to do a rapid infection blast so that the word doesn’t get out before you’ve collected most of the expected money. This actually fits with the WannaCry type of exploits. (Most ransomware seems to be slow-spreading, trying out different types of spam and website vectors.)

The fact that past ransomware people have done their part is no assurance that future ones will.

Encryption is simple enough to accomplish that there’s no real reason NOT to use it versus just scrambling someone’s data. You can buy encryption software for under $20 (heck, under $5) from a number of different companies. If you have the technical wherewithal to make a successfully spreading virus, you can almost certainly incorporate actual encryption for the same effort as it’d take to scramble the data. Furthermore, we already know that the major ransomware strains are encrypting because they’ve been examined by malware experts who say so.
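To make the “same effort” point concrete, here is an added example (mine, not code from this thread or from any real ransomware family): a toy reversible cipher placed next to an irreversible overwrite. The keystream construction (HMAC-SHA256 run over a counter), the function names and the sample data are all assumptions of this illustration; it is meant to show the one design difference that matters for recoverability, namely whether a key exists that can undo the operation, and is not a recommendation for production use.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread. Two operations that look identical
# to the victim (the bytes on disk become random-looking) but differ in whether
# anyone can reverse them. The HMAC-SHA256-in-counter-mode keystream is an
# assumption of this illustration, not what any real strain uses.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from a secret key and a per-file nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Reversible: XOR with keystream. Whoever holds (key, nonce) can undo it."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Same operation as encrypt; XOR with the same keystream is its own inverse."""
    return encrypt(key, nonce, ciphertext)


def scramble(data: bytes) -> bytes:
    """Irreversible: replace the bytes with fresh randomness and keep nothing.

    There is deliberately no 'unscramble': no key was ever derived, so nobody,
    including the person who ran this, can get the original back."""
    return os.urandom(len(data))


def demo() -> dict:
    """Run both operations on constructed sample data and report what holds."""
    original = b"Q3 payroll export - constructed sample data, not a real file"
    key = os.urandom(32)     # would be the per-victim secret the extortionist keeps
    nonce = os.urandom(16)   # per-file value; may be stored alongside the ciphertext
    ct = encrypt(key, nonce, original)
    return {
        "ciphertext_differs": ct != original,
        "decrypts_to_original": decrypt(key, nonce, ct) == original,
        "wrong_key_fails": decrypt(os.urandom(32), nonce, ct) != original,
        "scramble_differs": scramble(original) != original,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two functions that actually touch the data are the same length and do the same amount of work; the only extra step on the “real encryption” side is holding on to the key, which is exactly the asset the whole extortion rests on. That is also the question an analyst answers when examining a sample: does a key that can reverse the operation survive anywhere, or is the data simply gone.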

Reading online at various security sites, the common wisdom seems to be that you’ll probably get your data back if you pay but they recommend against paying in a “don’t bargain with terrorists” sort of way. But the argument against isn’t really “It’s a scam and they won’t unlock it” (though most concede that’s at least a possibility) since that’s not usually what happens.

I’m not personally recommending paying. If I were hit with ransomware, I’d just clear the drives and start over. But, if I did pay, I’d most likely get my decryption key.

Yeah, that’s pretty much the only way that makes any sort of sense to me. While there is no honor among thieves, money talks and, at least from the perspective of a rational thief who is doing this purely for profit, in most situations I would think holding up the thief’s end of the bargain is the most profitable, similar to real-life kidnapping-ransom rings. But, yes, this assumes pure profit motive and rationality.