Opinion: Why we shouldn't reward cybercriminals
Paying ransoms to cybercriminals who hijack computers only encourages the scourge of ransomware, which organizations and individuals can prevent by simply backing up their data.
Anyone who watches TV crime dramas knows you shouldn’t really pay ransom when somebody gets kidnapped. Instead, you use the lure of the payoff to trap bad guys.
But why are so many people, businesses, hospitals – and even police departments – willing to pay cybercriminals? It seems ludicrous.
So, when I was going through my Twitter feed recently and caught a snippet of Kaspersky Lab researcher Ryan Naraine talking about this recent Passcode opinion piece on ransomware, I was astonished.
It turns out that some network administrators will pay ransoms even when their companies have perfectly serviceable data backups. Mind blown.
Yes, ransomware is a big deal. The malware that encrypts data until victims pay up is on the rise. And it turns out lots of people give in to the criminals' demands. For instance, a hospital in California reportedly paid $17,000 to unlock its data.
To be sure, it's a tough decision whether to pay or risk losing data. But paying should never, ever be the first, second, or even third option.
There's something wrong if the working assumption is that businesses, organizations, or individuals just pay without working on a solution to recover the data on their own – or just decide they are going to live without those pictures, files, and documents.
And anyone with viable backups should greet cybercriminals' ransom demands with a smug scoff, and then, once the infected machine has been cleaned, quickly restore the affected files.
Here's the thing: Data is lost all the time. It's an unfortunate consequence of relying on computers for everything we do. For instance, we all know someone who was 99 pages into a 100-page dissertation when his or her hard drive took a dirt nap. It’s a horrible, tragic story that gets played out time and again at home and in businesses around the world.
And yet, catastrophic failure doesn’t really figure into our mental threat models. Things are just supposed to work. Forever.
But data loss and corruption happen. Ransomware is just one more way of losing data. So there's no excuse for not preparing for it. Even system administrators who live under rocks have heard of ransomware by now, and they should know that a good backup is the most reliable protection against this threat. "Good" is the operative word: the backup must be kept offline or otherwise out of reach of the infected machine (file-encrypting malware happily encrypts a mounted backup drive or a writable network share), it must be kept in versions so that yesterday's clean copy survives a run that copies already-encrypted files, and it must have been restored from at least once so that you know it actually works.
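As an added example, not code from the article or its author, here is a small POSIX shell script that shows what "having a good backup" means in practice: every run creates a new, timestamped snapshot (so older clean copies survive), writes a SHA-256 manifest at backup time, and provides a restore step that re-checks every restored file against that manifest. The `simulate_ransomware` function is a constructed stand-in for file-encrypting malware (it overwrites files with junk and renames them), included only so the restore test has something to recover from. The source, backup and destination paths, and the availability of `sha256sum`, are assumptions.

```shell
#!/bin/sh
# Added example: versioned, checksum-verified backup with a restore test.
# Assumed layout (illustrative, not from the article): live data in SRC,
# snapshots under BACKUP_ROOT, which should live on media that is detached
# or made read-only between runs so malware on the host cannot reach it.
set -eu

sum256() { sha256sum "$1" | cut -d ' ' -f1; }

# take_snapshot SRC BACKUP_ROOT -> prints the new snapshot directory.
# A fresh directory per run means a clean copy from yesterday survives even
# if today's run faithfully copies files that are already encrypted.
take_snapshot() {
  src=$1; root=$2
  snap="$root/$(date -u +%Y%m%dT%H%M%SZ)-$$"
  mkdir -p "$snap/data"
  cp -R "$src/." "$snap/data/"
  # Hashes recorded at backup time; later used to prove that the restored
  # bytes are exactly what was backed up.
  ( cd "$snap/data" && find . -type f | sort | while read -r f; do
      printf '%s  %s\n' "$(sum256 "$f")" "$f"
    done ) > "$snap/MANIFEST.sha256"
  echo "$snap"
}

# verify_snapshot SNAP -> exit 0 only if every file still hashes as recorded.
verify_snapshot() {
  snap=$1
  manifest="$(cd "$snap" && pwd)/MANIFEST.sha256"
  ( cd "$snap/data" && sha256sum -c "$manifest" >/dev/null )
}

# restore_snapshot SNAP DEST -> wipes DEST, repopulates it from the snapshot,
# and re-verifies the result. A backup nobody has restored from is a hope,
# not a backup.
restore_snapshot() {
  snap=$1; dest=$2
  manifest="$(cd "$snap" && pwd)/MANIFEST.sha256"
  rm -rf "$dest"; mkdir -p "$dest"
  cp -R "$snap/data/." "$dest/"
  ( cd "$dest" && sha256sum -c "$manifest" >/dev/null )
}

# simulate_ransomware DIR: constructed stand-in for file-encrypting malware.
# Overwrites each file with random bytes and appends a ".locked" suffix.
simulate_ransomware() {
  find "$1" -type f | while read -r f; do
    head -c 64 /dev/urandom > "$f" && mv "$f" "$f.locked"
  done
}

# demo: back up a constructed dataset, "infect" the live copy, restore it.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/live/docs"
  printf 'dissertation page 99\n' > "$work/live/docs/thesis.txt"
  printf 'family photo bytes\n'   > "$work/live/photo.jpg"
  snap=$(take_snapshot "$work/live" "$work/backups")
  verify_snapshot "$snap" && echo "snapshot verified: $snap"
  simulate_ransomware "$work/live"
  ls "$work/live/docs"                      # thesis.txt.locked
  restore_snapshot "$snap" "$work/live"
  cat "$work/live/docs/thesis.txt"          # dissertation page 99
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh backup.sh demo` to see the full cycle. The deliberate design choice is that the manifest is written on the backup side and checked on the restore side: if the "backup" was taken after the encryption started, the hashes are of garbage and the restore test is where you find out, not the day you need the data.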
I realize that even the FBI has suggested that paying ransoms may be the only way for some individuals and businesses to retrieve their locked data. But, officially, here's what FBI Cyber Division Assistant Director James Trainor says: "Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."
I couldn't agree more.
Imagine if some random person came up and shot you in the leg and then offered to remove the bullet for a small fee. Would you pay them? What are the odds that they would safely and successfully remove the bullet and any other shrapnel the first time around? What's more, you'd be rewarding a criminal and proving that you're an easy target for repeat attacks.
If you are reading this article and you haven't backed up your data, stop what you're doing and find a way to protect your most valuable information. Backups are critical not just because of ransomware, but because software, computers, and people aren't perfect. Our mistakes result in lost data all the time.
And paying crooks to fix damage that they caused should never be the default option.
Lysa Myers is a security researcher at ESET. Follow her @LysaMyers.