They Stole Your Files, You Don’t Have to Pay the Ransom
The F.B.I. should follow the example of European law enforcement and help victims of ransomware decrypt their data.
By Josephine Wolff
Dr. Wolff is a professor at Tufts University.
Aug. 14, 2019
No More Ransom initiative, announcing that the public-private partnership had helped more than 200,000 ransomware victims recover their files using its library of freely available online tools instead of giving in to hackers’ demands to pay a cryptocurrency ransom. All told, the recovered files saved victims some $108 million in ransom, according to Europol, the European Union’s police agency.
The No More Ransom tools are available to everyone, not just those in the European Union. People from 188 countries have visited the project’s website in three years, with nearly 10 percent of that traffic coming from the United States, according to data collected by the European Cybercrime Center. But here in the United States, where ransomware is on the rise and increasingly targeting both local governments and private companies, law enforcement has been strangely quiet about promoting alternatives to ransom payment.
Lack of public awareness may be one reason that victims of ransomware in the United States are often willing to pay their attackers in order to regain control of their files and computer systems. In June alone, two cities in Florida — Riviera Beach and Lake City — agreed to make Bitcoin ransom payments worth roughly $600,000 and $460,000, respectively. In both cities, most of the payments will be covered by their insurers.
But every time a victim pays hundreds of thousands of dollars to a cybercriminal, the payment reinforces the criminals’ faith in their business model. For this reason, it’s essential that victims stop paying these ransoms: Making ransomware unprofitable is effectively the only way, short of coordinated global regulation of cryptocurrencies, to stop these criminals.
The F.B.I. has struggled to send a clear message to ransomware victims ever since 2015, when an agent told the audience at a computer security conference in Boston, “We often advise people just to pay the ransom.” The F.B.I. later corrected its position: that victims should not pay ransoms.
“The F.B.I. doesn’t support paying a ransom in response to a ransomware attack,” the website states, adding that paying a ransom does not guarantee victims will get their files back and may serve to fund other criminal activity. But most of what the F.B.I. recommends are preventive measures, such as patching software or backing up data — which is good advice, but it won’t help victims whose computers have already been infected by ransomware.
But ransomware victims who don’t have offline backups of their data do have options. Many common strains of ransomware have, in fact, been reverse engineered by software engineers and security firms that provide decryption tools, including the ones aggregated in the No More Ransom project. These tools won’t work for every victim, but there are more than 100 decryption tools, each targeting a specific strain of ransomware, available free on the No More Ransom site. As a victim, of course, you may not be sure whether you’re infected with the Marlboro or the Pylocky or the Popcorn or the BigBobRoss strain, but if you upload any of the encrypted files created by the ransomware on your computer, or any email, website or Bitcoin address left behind by the attackers, No More Ransom will let you know if it has any tools that can help.
In order for these tools to be effective, victims have to know where to find them in the first place, and so far, American law enforcement has done much less than its European counterparts to publicize the existence of these options. For example, the strain of malware that infected the Lake City systems was called Ryuk, and Emsisoft, a security firm, says it is can decrypt Ryuk malware using its free tools in 3 percent to 5 percent of the cases. But it’s unclear whether Lake City knew about any of these tools and tried to decrypt its data before acquiescing to the ransom demands.
If the victims had sought advice exclusively from United States law enforcement agencies, like the F.B.I., the Department of Homeland Security’s Computer Emergency Readiness Team or the Secret Service, they certainly would not have found any mention of the No More Ransom project or other resources for decrypting infected files, such as the website ID Ransomware, which an Emsisoft employee created to help victims identify the ransomware they are facing. The most the federal government has done to support these efforts is give an F.B.I. Director’s Community Leadership Award to the creator of the ID Ransomware site.
Contrast that with Europol, which has partnered with private companies researching and building decryption tools to combat ransomware. It promotes the No More Ransom tools on its website and encourages their use by victims who might otherwise be reluctant to trust a strange website at a moment when they are feeling particularly gullible and vulnerable.
This silence on the part of the American government is baffling. The recommendations these agencies offer about creating regular backups and not clicking on suspicious email attachments are valid and useful prevention tips, but none of them help the thousands of people who are most likely to be looking at their websites — the people whose hard drives are already infected and encrypted.
The best way that the F.B.I. could celebrate three years of No More Ransom is to finally get involved and partner with its counterparts in Europe and around the world to create, and promote, trustworthy resources for ransomware victims who want to do their part to stop ransomware by cutting into cybercriminals’ profits.
Josephine Wolff is assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.”
The New York Times