Ransomware? Some cybersecurity firms now just pay up

How would you feel about footing a ransomware bill where your money ended up in Iran?
21 May 2019

Is it ever worth just paying up? Source: Unsplash

Anyone unlucky enough to have been the victim of a ransomware attack will be familiar with the scenario. Your computer locks up and presents you with a screen that says something like: “Your files have been encrypted. You have seven days to pay us Bitcoin, otherwise, we will remove your private keys, and your data will be irretrievable.”

In many businesses, IT support and cybersecurity functions are outsourced, so a panicked call to the MSP or cybersecurity consultant would be the logical next step.

The contractor would then, with luck, manage to get the machine back online, using their specialist skills, expensive virtual toolkits, intimate knowledge of cryptography and key-based encryption techniques, and an encyclopedic knowledge of the very latest in hacking techniques and malware. For this highly specialized service, most organizations would expect a hefty bill, but — because of the nature of the files under threat — would consider the price a small one to pay.

But in two cases that have been featured in ProPublica, and covered by The Guardian, the security company in question extricated their clients’ data by coughing up the ransom money. Once the shady figures behind the ransomware had received their ill-gotten gains, the infected machines were restored to their working state.

While that’s not necessarily poor practice — although the efficacy of paying up is debatable in many cases — what does count as morally reprehensible is the security companies in question charging their clients well over the odds for their “expert services”, which, we surmise, consist of owning a Bitcoin wallet and the ability to type.

One of the companies, according to the FBI and to emails from the company itself, purported to use what it termed “latest technology” in such situations. Similarly, a second company, based in Florida, just pays ransoms and does so “sometimes without informing victims,” according to ProPublica.

The moral quandaries behind paying ransoms are as old as kidnapping, which is probably as old as greed itself. Indeed, the “History” section of the Wikipedia entry on the subject “needs expansion” from its current state (at the time of writing), that of being completely empty. Does paying off the kidnappers encourage further kidnapping? Is the potential loss of the victim (human or silicon) worth the moral stance against the crime?

In the digital realm, the path through that moral maze is even more convoluted, especially so in this case. It has been revealed that the bad actors in these affairs were thought to hail from countries unfriendly towards the US, and the victims were public servants, such as law enforcement agencies. That raises the specter of the American taxpayer indirectly funding illegal activities by Iranian and Russian organizations. A former employee of Proven Data Recovery expressed his opinion that “every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”

Why overseas criminals might be spending money on AK-47 shipments to anti-Western terror cells in Syria and Libya, rather than on new Ferraris, remains unclear. Is it that aspect of the affair that causes the most outrage, or the significant markup passed on by the security companies to their public sector clients?