
To pay or not pay the ransom demands


11 replies to this topic

#1 Hidemik

Hidemik

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:23 PM

Hello everybody.

First of all, excuse me for my English, maybe I will use some wrong sentences. I write from Italy.

For several months I have been reading posts with help requests.

I think a blog is functional when it gives answers, but I also think that if the questions are always of the same type, the blog loses its role.

For this, after having helped thousands of customers hit by a ransomware variant in the last 3 years, I would like to spend some words on how the cryptolocker works and on when you can solve, or not, your problem.

1) A cryptolocker can hit your computer basically in two ways. The first is an infected attachment/link in a spam email or a virus inoculated in an infected website. The second is a direct RDP attack on your server/computer. The second one is the most dangerous, because when a pirate logs in he can do everything (he removes antivirus, clears the shadow copies, erases backups and more....).

2) Target of the Crypto attack are your important files: DOC, PDF, XLS, JPG the most common, but also database and several other file extensions.

3) Data recovery software is useless when you are hit by a Cryptolocker. Recovery software works when you accidentally erase one or more files and you need to recover them (and it works only if you are fast and you have not written new files to the drive where the deleted files are - if you overwrite the sectors of the erased file you will not recover it). Cryptolocker doesn't erase files. It overwrites them. No erased file, NO RECOVERED FILES!

4) Some cryptolocker variants have been deciphered in recent years. But a lot are still unrecoverable.

5) The latest cryptolocker variants have no possibility of decryption. If you search, you can see that the last known decrypters are some months old....

 

You need to have your files back? Don't ask for magic! Magic is not possible.

 

When my customers ask me what to do, and when I understand that they could close their offices without the encrypted files, I make these considerations:

1) Server reinstallation (after a backup of encrypted data has been done) and applications reinstallation and configuration: € 1.000/2.000

2) Data restoration. If they have a backup, how old is it (usually months...)? How many days, weeks, months will they lose after a crypto attack? How much will it cost the customer to rebuild all the lost data? How many persons for how many days will work on it? Imagine 3 persons for 1 week (I want to be optimistic): € 1.500/2.000

3) What is the damage to your image in the eyes of your customers? They will not be happy, and maybe some will leave you. Imagine you are a lawyer and a customer knows that your server is not failsafe and secure. He knows that his private problems are inside your server and they are not safe. For each customer that leaves the lawyer, the cashflow decreases. Let's say that a lawyer's customer brings € 1.000/2.000 per year.

4) Final step: maths! Let's sum 1.000 + 1.500 + 1.000 and we reach € 3.500 if we consider the lowest values. € 6.000 if we consider the highest.

 

Now, consider that the money request for a Cryptolocker usually starts from 1 Bitcoin, but that you can find an agreement for 0.5 or less if you are skilled (I have personally reached 96 agreements). Consider that 0.5 Bitcoin at this moment is equal to € 4532,50.

Consider that if you pay you can solve the problem in no more than 48 hours.

 

A lot of customers tell me they are afraid that after payment they will not receive the decrypter. 96 times it didn't happen. 96 times we received the decrypter and eventually full support if something didn't work correctly (yes, it has happened that we received a wrong decrypter: email with description of the problem and a new, correct, decrypter in a few hours).

 

Please, keep in mind that I am not saying that you should pay the ransom. It's always a RANSOM. It's ILLEGAL. Who uses ransomware for making money is not an honest person. I AM NOT DEFENDING THE HACKERS.

 

I simply say that, if you analyze the problem, and you search for the best solution for you or for your customer, you must consider that time is money. And some firms don't have time to lose.

 

FINAL CONSIDERATION: If a crypto virus hits your computer and does damage, the first one responsible is not the hacker. It's the IT Manager that didn't properly configure the computer. Robust backups, strong antivirus, hardware firewalls, staff training, renovation and control of the IT infrastructure have a cost. You can spend it to keep your systems updated. Or you will probably spend it later, making hackers rich and remaining with old infrastructure.

 

Make your choices.

 

Best Regards

 

Hidemik




 


#2 manestevez

manestevez

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:30 PM


god god god
 
Customer don't pay IT ... customer will pay hacker :D

#3 robbie303

robbie303

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:35 PM

A lot of customers tell me they are afraid that after payment they will not receive the decrypter. 96 times it didn't happen. 96 times we received the decrypter and eventually full support

Make your choices.

 

Admin: better remove this crazy Italian's message. He is advertising that in his experience hackers were always keeping their promises after paying the ransom.


Edited by robbie303, 29 January 2018 - 05:49 PM.


#4 robbie303

robbie303

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:37 PM

 


Edited by robbie303, 29 January 2018 - 05:39 PM.


#5 Hidemik

Hidemik
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:39 PM

Admin: better remove this crazy Italian's message. He is advertising that in his experience hackers were always keeping their promises after paying the ransom.

I have only written my post based on my personal experience. And if I say that 96 times out of 96 were successful, I am not crazy. Crazy is who talks about problems he doesn't know.

#6 robbie303

robbie303

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:45 PM

I have only written my post based on my personal experience. And if I say that 96 times out of 96 were successful, I am not crazy. Crazy is who talks about problems he doesn't know.

You do not understand the consequences of your action and your moral is of low standing.



#7 Hidemik

Hidemik
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 05:56 PM

I am an IT Manager, and my customers ask me for solutions.

The first thing I say to my customers is: PAYING IS WRONG. But if no way is possible to recover files?

I will write an example (still excuse me for my English).

You drive your new car. You follow the speed limit indications. You have fastened your seatbelts and you didn't drink.

But the driver of another car was not as safe as you. He is drunk and he crashes his car over your car.

You are lucky and you are safe, but your car is heavily damaged. Unfortunately, the drunk driver has no insurance.

Now the question is: will you repair your car? Will you spend 5.000 € for having it repaired? Yes? But the damage has been made by a bad person.

Everything depends on how important this thing is for you. I hope now you better understand my thoughts...



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:09 PM

Posted 29 January 2018 - 06:09 PM

@ Hidemik

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

With that said... We understand some victims and their IT Managers may feel they have no other alternative but to take a chance and pay the ransom in hopes of recovering irreplaceable personal, business or other important data. That is a choice and a decision each affected victim will have to make for themselves. We will not make any judgments for doing so. However, you have posted in a support topic for a specific ransomware so I am going to split this discussion into its own topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#9 robbie303

robbie303

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 06:15 PM

I am an IT Manager, and my customers ask me for solutions.

The first thing I say to my customers is: PAYING IS WRONG. But if no way is possible to recover files?

I will write an example (still excuse me for my English).

You drive your new car. You follow the speed limit indications. You have fastened your seatbelts and you didn't drink.

But the driver of another car was not as safe as you. He is drunk and he crashes his car over your car.

You are lucky and you are safe, but your car is heavily damaged. Unfortunately, the drunk driver has no insurance.

Now the question is: will you repair your car? Will you spend 5.000 € for having it repaired? Yes? But the damage has been made by a bad person.

Everything depends on how important this thing is for you. I hope now you better understand my thoughts...

I also have an example for you:
Some guy advertises to always drive without insurance, because in his experience this is cheaper... After some time, in Italy everybody drives without insurance...



 


Edited by robbie303, 29 January 2018 - 06:35 PM.


#10 Hidemik

Hidemik
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 29 January 2018 - 06:25 PM

I don't agree with you. I repeat: I am not a ransom supporter! I have never said that driving without insurance is cheaper and/or better.
I talk about complicated situations. If a hospital is hit by ransomware, all clinic data is lost. And this includes also surgery room reservations. The risk is losing human lives. What to do in similar situations, genius?
Admin, please, remove all my posts, I have no time to lose reading geniuses' posts. Thanks.
I will not reply anymore in this forum. You can also disable my account.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:09 PM

Posted 29 January 2018 - 06:41 PM

All sides need to stay calm and tone down the rhetoric. The question as to whether to pay or not to pay the ransom is a valid one and folks are free to share their experiences and opinions. There has been much debate on this issue and just like with all debates it does not require agreement by everyone.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:09 PM

Posted 29 January 2018 - 08:18 PM

As already said, while the general rule is never pay the ransom as it only feeds the development of more ransomware, it is understood that sometimes people may not have a choice.

I do not judge, I only try to help.

Some of the suggestions, though, given by Hidemik are worth noting.

If you are at the last resort and decide to pay...always negotiate! You have nothing to lose and in my experience the ransomware developers typically will budge on the price.

As for weighing the costs of fixing/restoring yourself vs paying, I always suggest you do it yourself. Could it be potentially more expensive than paying? Yes, but at least you did not encourage the developers to generate more ransomware.



