Computer Held Hostage: Should You Pay the Ransom?

FBI agent says 'just pay the ransom'

By Aliah D. Wright November 9, 2015

When a special agent with the FBI told attendees at a conference in Boston recently that they should “just pay the ransom” if their computers are ever infected with ransomware, many people were surprised. After all, the bad guys are not supposed to win.

But, “the ransomware is that good,” FBI Assistant Special Agent Joseph Bonavolonta, who is in charge of the FBI’s Cyber and Counterintelligence Program in Boston, reportedly told attendees at the 2015 Cyber Security Summit.

“To be honest, we often advise people just to pay the ransom,” he said. Experts say the price typically averages about $500.

According to the Cyber Threat Alliance (CTA), a group of cybersecurity solution providers, ransomware is “malware that encrypts a victim’s files and subsequently demands payment in return for the key that can decrypt said files.” These files may contain various types of data, such as HR information, business records, personal files, financial data, photos and videos. In order to acquire the key to decrypt these files, “the victim must pay a ransom to the attackers, often in the form of electronic currency, such as bitcoin,” according to the CTA.

There are 15 different types of ransomware, experts say. The most damaging kind thus far is CryptoWall. The CTA reports that CryptoWall has affected hundreds of thousands of users, resulting in more than $325 million in damages worldwide. CryptoWall and its predecessor, Cryptolocker, were developed by Russian hacker Evgeniy Bogachev.

Bogachev is on the FBI’s most wanted list of cybercriminals. He also created GameOver Zeus, a form of malware that seizes banking credentials and then approves transfers from users’ accounts.

Ransomware can infect a device via a user’s e-mail account once they’ve clicked a link, a download from a dangerous website or a malicious web advertisement. This has resulted in an avalanche of FBI complaints.

Experts and the FBI say CryptoWall is impregnable. The only way to retrieve files that have been infected are if they have been backed up to an external drive or to the cloud—something a lot of companies neglect to do.

But Why Pay the Ransom?

“This is a simple question of cost,” Phil Hagen, an evangelist at Red Canary, a Lewes, Delaware-based threat detection company, told SHRM Online. “It may take tens or hundreds of thousands of dollars to attempt breaking the encryption used. If the ransom is a few hundred dollars, there is a clear cost incentive,” he said. “Some victims let their pride into the fold because they don’t want to pay the bad guys. If that’s more important than the data, you should just write off the data as gone forever. It’s not coming back.”

Oli Thordarson, CEO of Irvine, Calif.-based Alvaka Networks, an IT security firm, said he helped a client that paid the ransom after getting hit with Cryptolocker.

“The IT director was all gung ho to restore from [backup],” he said. But because IT couldn’t determine whether or not the company’s backups were recent, they decided to pay the ransom. “We got the CFO [chief financial officer] on the phone and chatted with him,” Thordarson said. “I asked the CFO, ‘If you lost all your data and it was unrecoverable, how would it impact your business?’ I knew the answer. He said ‘It would be devastating.’

“We paid the ransom on a Thursday afternoon,” Thordarson said. “It took from Thursday [night] to Sunday [night] for the decryption to complete.”

In a recent blog, Clearwater, Fla-based security awareness firm KnowBe4 LLC CEO Stu Sjouwerman wrote that “the real cost is not the ransom, it is the downtime caused by data not being accessible,” in addition to the amount of overtime IT has to put in to figure out whether or not it can solve the problem and the time lost by whole departments when data is inaccessible.

What Can HR Do?

“I would strongly recommend HR take an active role and work with IT to insist that the organization start an effective security awareness training program,” Sjouwerman told SHRM Online in a phone interview. Backing up files is essential.

“You would assume everyone makes backups—if you don’t have backups you are completely out of luck. Paying the ransom is a quick way to get your files back because they do give you your files back.”

Developing a security awareness training program should include the steps listed below.

Step 1: Conduct an initial baseline test. “You send an initial simulated phishing attack and you find out what the percentage of click-happy people in your organization is,” Sjouwerman said.

Step 2: Train everyone “from the boardroom down to the mailroom. Everyone gets trained because the bad guys don’t care who clicks on the link,” he added.

Step 3: Conduct frequent simulated phishing attacks. That’s how you turn your employees into human firewalls, he said. “That makes you a hard target and makes the bad guys very unhappy.”

Use Cloud Storage

Ransomware isn’t going away, unfortunately—especially since cybercriminals are exploiting the trust of those who click links on legitimate sites and are redirected to landing pages that launch the malware, said Kevin Watson, CEO of Netsurion, a data security firm based in Houston, which provides remotely-managed network and data security services.

“Until anti-virus systems catch up to the techniques used by these hackers, this will continue to be a growing trend in data cybercrime,” he said. “The good news is the best defense against this threat is not a new anti-virus software package or a new network security device; it is simple tried and true best practices for security.

“First and foremost, don’t click on links you get in e-mails. The most common way ransomware is triggered is by spoofing an e-mail and getting a user to click the link. Unlike old phishing attacks that used the same method to try and get consumers to then enter personal information or passwords to other systems, ransomware will trigger as soon as you click the link. Second, back up your data, regularly. Better yet, use cloud storage for as much you can. There are numerous cloud storage options from highly reputable companies, and cybercriminals can’t lock up your data if it isn’t on your machine.”

Aliah D. Wright is an online editor/manager for SHRM.


Job Finder

Find an HR Job Near You
Search Jobs


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.