CryptoLocker: Should I Pay the Ransom?

There are many different types of ransomware, with the most commonly known being called CryptoLocker. Most ransomware set a time limit in which to send the payment. If the victim does not send the money, their files are lost to them forever (or the ‘kidnapper’ will make another demand for even more money).

So how does CryptoLocker work and, more importantly, what should you do if you become a victim? CryptoLocker and other ransomware generally use social engineering techniques to trick the user into running it. An example of an attack is that a potential victim will receive an email with a password-protected ZIP file pretending to be from a logistics company. When the user opens the ZIP file and attempts to open the PDF inside, the Trojan saves itself to a folder in the user’s profile, adds a key to the computer registry to make sure it runs every time the computer starts up and protects itself from being terminated. It then begins encrypting all the files on the computer. The latest ransomware variants also scan for network and USB drives, and even cloud data such as popular file-sharing utilities, putting not just the local files at risk, but also the potential of all accessible company files. When the ransomware is finished encrypting, the victim receives a message demanding money for the return of their data. A recent variant of this example uses the same mechanism, however the ZIP file contains a tiny attachment that appears to be a simple text file. When the user opens the file, a connection is made to a malicious web site that silently downloads the Trojan and executes the attack.

Of course, the best way to combat any malware or virus is to avoid getting it in the first place. Don’t ever open an attachment from a sender you don’t know. Period. You can also disable hidden file extensions in Windows, which can help you recognize the type of attack as often the malicious files end with extensions such as “.EXE” or “.JS”. We also highly recommend making back-ups of any important files. If you’re diligent about backing up information, attacks like these lose their power because you are no longer at the hacker’s mercy—you can simply access your back-up files instead of paying for the decryption.

In a perfect world, everyone would put these precautions into place. However, we understand we don’t live in a perfect world and mistakes and oversights happen. If you DO become a victim of CryptoLocker, we recommend you do not pay the ransom. Will you get your files back? Maybe, but not necessarily in a usable form. Additionally, paying the ransom will most likely encourage these types of attacks to continue as they become highly profitable. If your files are absolutely critical and you must have them, the only option then becomes to pay the ransom and possibly be able to decrypt your files. There is no concrete data out there about the recovery rate once a ransom is paid, so if you choose this option, you’re still taking the chance you might never get your files back. In addition, if you pay the ransom once, it’s quite likely the attacker will come after you again, demanding even larger sums of money.

As with any security issue, an ounce of prevention is worth a pound of cure when it comes to CryptoLocker or any ransomware. Make it a policy not to open attachments from sources you do not fully trust and have a dependable back-up process and these types of attacks will pose much less of a threat for you or your business.