Most industry experts, authorities and security vendors advise against paying the ransom when infected with ransomware, and there are several reasons for doing so. First, paying ransom encourages the ransomware phenomenon, and more and more cyber-criminals will attempt to profit in this way. It verifies the fact that money can be made out of this, easily. Then, money obtained from such activities usually finance far more dangerous underground markets and organizations, linked with drugs and weapons trafficking and terrorism.
The above reasons, however, may be considered weak, for a ransomware victim in acute need to access the lost data. It is a difficult decision to make: get your data back in exchange for payment, or do not get your data back, but align with the ethics. This is why many pay the ransom in spite of the general advice.
However, there is a better reason not to pay the ransom. Although cyber attackers claim that paying the ransom allows data recovery, it is not always the case. There are many situations when victims have not recovered the data after having paid the ransom demanded by the attackers. We are going to have a look at three such scenarios:
1. Paying the ransom when the infection is caused by a “wiper“
Researchers have found numerous strains of malware that although apparently behave like ransomware, have no technical means to allow victims to recover the data. In this case, the attackers never intended to give you any data back.
It is often difficult to tell the difference between “legitimate” ransomware and such “wipers” because of the actions it takes on the target computer:
- It may create files with weird extensions;
- It makes original files unavailable, usually by deleting them;
- It deploys ransom notes.
When analyzing the behavior in detail, the original files are never actually encrypted. There is no infrastructure and technical implementation in place to allow data recovery. Such malware only wipes out your data. Paying the ransom, in this case, is futile and the files may never be recovered. Such an example was discovered by security researchers at Cisco and the malware ws named Ranscam. It is a typical case of malware that simply destroys files. Similar malware attacks the file allocation table. More details here.
Another recent example is RedBoot. It attacks the master boot record and alters the partitions in a way that makes a recovery impossible, from the technical point of view.
2. Paying the ransom when the infection is caused by incomplete ransomware having “inadvertent” design flaws
Other cases involve well-known ransomware families, that, let’s say, have a “proven” history of recovering the data after the ransom is paid. In such cases, the behavior of the ransomware is very similar to the one of the well-known ransomware family:
- Files are encrypted on the hard drive;
- The encrypted content gets the same extension as the ransomware family this malware mimics;
- Alternately, if the well-known family attacks the boot sector, similar behavior is implemented;
- Apparently, there is functionality to allow the entire data recovery process to happen: the victim gets assigned an install id, there are detailed instructions on how to pay the ransom and recover the data, etc
However, there are cases where the researchers have found that the functionality for data recovery implemented by the attackers cannot technically deliver the desired results.
A good example is NotPetya, later called “Shamoon wiper”: it is very similar in behavior with Petya, a ransomware attacking the boot sector. Petya has a “proven” record of successful data recoveries. In fact, researchers first attributed such attacks to a “new variant of Petya.” However, later, the researchers have found that key aspects required for the data recovery process, such as the installation ID of the victim, are populated with random information. This means that the attackers cannot unlock the victims’ data. More information here.
3. Ransomware does have bugs, and no, attackers will not debug nor provide support
There are many cases where a ransomware family, known to allow data recovery after paying the ransom, has technical issues that manifest only under certain, specific circumstances. In such cases, those victims, who have particular environments causing the ransomware to fail in the data recovery process, also lose their files in spite of paying the ransom.
The ransomware developers focus on making the ransomware profitable. This means it has to be stealthy and bypass known security measures in place; it has to have an automated infrastructure to allow mass monetization of the ransom, etc. They do not focus on making sure that the data recovery process works in most cases, if at all.
There are several points where ransomware may fail in the data recovery process:
- Inability to gather the necessary data from the victim, to build the essential recovery items;
- Failure to communicate over the internet with the command sever – crucial in the data recovery process;
- Infrastructure issues that cause the control servers to generate faulty recovery keys that do not work.
Like any other software, there are situations where the technical implementation fails, and this ultimately leads to losing both the data and the ransom money.
To summarize, some attackers never intend to give any data back; others give up at some point and do not properly implement their data recovery functionality and there are some who do not test their ransomware well enough. In either case, both money and data are lost, and the chances of this happening are not negligible. Enterprise ransomware protection is key to preventing such attacks from happening.
Learn more about what to do when attacked by ransomware here.
For more information, follow us on social media and subscribe to our newsletter.