AJ was just coming back from a long 4th July weekend when it happened. Based in Colchester, Vermont, USA, AJ manages IT for a company that produces pumps and motors for the energy industry. He had never contended with a ransomware infection before.
At around 8:30 that morning, AJ started a cloud transfer from head office in the UK, a routine practice, one which AJ did not expect to raise any red flags.
“Shortly after I kicked off that process, our helpdesk started to light up”: Error messages flashed up from Microsoft Outlook and Word. It wasn't long before people started to see that old Cryptolocker ransom message pop up.
The infection had started from the top of the company's directory “and just started to work its way down”, encrypting tranches of critical data as it went.
It was by no means a small operation either, with around 500 employees and US$ 31 million (£23 million) in annual revenue, a shutdown could mean lost earnings, a paralysed business and big trouble.
The people on the other end of that email wanted US$ 3000 (£2,315) in bitcoin, and wouldn't wrest their vice grip on AJ's workplace until they got it.
A decision had to be made: Pay the ransom, fund a criminal gang and hopefully return to full operation, or wait for a technical solution and lose hours of time, revenue and data.
“I just thought about all those horror stories I'd heard”, says AJ, whose wife was pregnant, and due, at the time. The infection threatened not only the business but hours of work that should have been spent in the company of his expectant wife.
AJ never had to make that decision. Using a back-up solution from Barracuda, the business was back up and running within the hour.
AJ might have been prepared but many aren't. Any number of businesses have had to face that very decision. Many, not wanting to face the potential consequences, are just paying up.
Recent research by Trustlook showed that 38 percent of consumer victims end up paying the ransoms when confronted with an infection.
An IBM study in late 2016 showed that in the US 70 percent of businesses paid to get their data back. 50 percent of those paid more than US$ 10,000 (£8000), and a further 20 percent paid more than US$ 40,000 (£32,000).
It includes those who should know better. A recent Bromium study showed that 10 percent of security professionals, when confronted with the mass encryption of their files, paid up.
One infrastructure architect, who chose to remain anonymous, spoke to SC about his experience, and submission to, a ransomware infection. In the summer of 2013 one of his firm's users infected the company, as do many, by clicking on an email attachment. It wasn't too long before the company was being strangled by Cryptolocker.
“We didn't really know what was going on,” he told SC Media UK. “First it just seemed like a couple of corrupted files,” but it soon became clear that Cryptolocker was making its way through a lot more.
The IT team managed to stop the rampage by killing the affected computers, but were still confronted with an unknown mass of their files being encrypted: “We couldn't tell what was encrypted and what wasn't, so basically we were looking at the time it would take to restore the 1.5TB of data on that server.”
Weighing up the cost of the ransom against the potential loss of productivity was not easy: “there was hesitation paying it because at that time we didn't know if it was going to work. It was less about the dollar amount, and more about the uncertainty of if it was actually going to give us our files back.”
After a couple of hours the IT team, along with the the director, decided to pay up. US$ 300 (£231) is not much money to a business, especially when compared with the money that could be lost by hours of downed operation.
It's not a hard choice to understand John Unsworth, chief executive of the London digital security centre told SC: “The advice is always not to pay it because it's the same as blackmail in the real world isn't it?”
“That's a very difficult conversation to have with someone whose computer is saying to them, there and then, you've lost everything unless you pay.”
It might be an understandable choice, but that doesn't make it a good one. “Where the choice is paying the ransom or going out of business - then giving in to the criminals might be your only option,” Vince Warrington, founder of Protective Intelligence Limited and a veteran of the infosecurity industry told SC. “This route is fraught with risk, though, as there is no guarantee that the criminals will subsequently provide you with the decryption keys you need”. There's no assurance you'll be given your data back, you may even be asked to pay more or be targeted further once you've been labelled as a compliant victim.
Indeed, those kinds of choices are making a lot of money for some. The popularity of this type of malware rocketed upwards in 2016, which was dubbed by many to be ‘the year of ransomware'. A report from Check Point software released in February showed that the use of ransomware doubled as a share of all malware, up from 5.5 percent to 10.5 percent in the last half of 2016. Another report from Beazley, an insurance company, showed that ransomware attacks quadrupled in 2016, and are likely to double again in 2017.
Earlier in the year the US Federal Bureau of Investigation said that ransomware was soon to become a billion dollar business. Moreover, its success has pushed ransoms and profits skywards. Symantec recently disclosed that though the average demand for a ransomware payment was US$ 294 (£226) in 2016, it looks likely to become US $1,077 (£831) this year.
Like much of cyber-crime, the ransomware business has transformed from a series of back room scams to a button down, professional enterprise. Cerber ransomware, currently the dominant variant in the ransomware market, has made a name for itself partly by offering great customer service to its victims including support in 12 languages, FAQs, a support messaging forum and even a free trial decryption. Essentially, ransomers want to make it as easy as possible to pay up.
And increasingly, many are ‘happy' to oblige them. Last year, SentinelOne drew the ire of many within the security industry when it offered to cover the ransoms of those who payed up. A release from the company read “SentinelOne does not advise ransomware victims on whether or not to pay the ransom, but understands that there are times when it is necessary to recover data quickly.” If the company's technology failed to protect its customers from an attack, SentinelOne offered to guarantee endpoints up to US$ 1,000 (£771) dollars and companies up to US$ 1 million (£771,000).
Increasingly it appears as though the enterprise sees this less as a matter of criminal law, and more as one of business continuity. It's not hard to understand why someone might pay up, especially those that are increasingly becoming targets: hospitals and public utilities. Still others within the security and law enforcement community resist that ignorant reading of the situation.
“They do not see the harm that goes on behind the crime. Its seen as a business transaction”, said Christopher Greany, former national coordinator of economic crime at the City of London Police, telling SC how profits from cyber-crime are often reinvested back into larger criminal operations. “They spend it on child trafficking, they spend it on abuse, they spend it on drugs,” added Greany, ”If you give criminals money, they will invest that in crime and they will hurt more people”. That situation is entirely avoidable, added Greany, if you merely follow the basic and near ubiquitous advice of backing up.
Another individual, who did not want to be named, did not have that luxury. When our next anonymous source got back to the office on Monday, he told SC, he found that all of his company's servers, laptops, desktops and IT equipment were encrypted: “At first we could not believe what was happening - I thought it might be a joke, but then we realised that no-one else in the office could work either.” It would cost 50 bitcoins, around £25,000 at the time, paid within 72 hours, to unlock the systems of his small construction firm.
The company's CFO had received a spear-phishing email the Friday before, claiming to be from a supplier sending over new pricing data. Their systems did not detect the malware, as they later found out, because the IT provider had not properly updated the antivirus, anti-malware software or even the OS.
The company's backups had been encrypted too, as that same IT provider had kept backups on the same servers that live data was stored on. The only backups they could use were on tape, and eight months out of date. Repeated failures on behalf of a third party had made it impossible to avoid a confrontation with the extortionists.
The office shut down for a few days while the company considered its options: “It was quite calm until we found the problem with the backups, and that was when it went a little crazy.” Amid raised voices and pointed fingers, time ran out: “As the deadline came up the CEO had a meeting and told the IT person and finance to buy enough Bitcoins for the ransom.”
The company, having little other option, chose to pay up: “No-one said it was a bad idea, although there was a level of feeling uncomfortable to 'giving in' to the thieves but by that stage we were out of ideas and it seemed to be the only decision we could make.”
It took most of the night to complete the decryption, even after which roughly 10 percent of the files were unrecoverable. The saga cost the business three days of work, at least £25,000 pounds and a tenth of their data. Their IT provider was soon replaced, and new security policies and staff training put in. The company was targeted with ransomware several times in the months after “Apparently there was an upsurge in ransomware aimed at us in the months following the attack, we think this is because we were put on a 'Suckers List' by the criminals and others were trying to cash in by seeing if we'd fixed our problems.”
All in all, the attack engendered a big culture change in the company and our informant thinks they're in a better shape now than they were before. That said, “we have kept the Bitcoin wallet though, just in case”