Are you an idiot for paying a ransomware fee?


If you’ve read some of the pieces that have been posted online since the weekend’s WannaCry ransomware attack, you’d be forgiven for thinking paying up is akin to holding a whip round for Islamic State. The truth is, as ever, more nuanced. Even the security experts we’ve spoken to say it’s not necessarily daft.

The collective wisdom of the press is that you’re an idiot for paying a ransom. The harsh truth is you’re an idiot to be caught out in the first place, because a decent backup system would make a ransomware attack little more than an inconvenience.

But then we’re all idiots. How many of us have a foolproof backup system at home or at work? How many of us have seen the repeated Windows reminders to back up our data and have then spent the next half hour arguing about Jeremy Corbyn on Twitter instead? We’re an unreliable, hugely fallible bag of atoms, which is why attacks such as WannaCry enjoy an enormous, devastating success rate.

So it’s little wonder that when presented with the opportunity to rescue the sole copy of your daughter’s wedding photos, or your company’s accounts or some other piece of irreplaceable data, many decide to pay up.

Security experts say it sometimes boils down to cold, hard economics. Here’s award-winning security journalist Davey Winder:

Even experts from the security firms, such as Trend Micro’s vice president of security research, Rik Ferguson, say it’s a viable last resort:

Can you be certain that your data will be unscrambled if you do hand over the money? There are many reported cases of people’s PCs being freed once the ransom is paid. Indeed, the scam’s business model relies on it, because if it was common knowledge that paying the ransom never worked, nobody would bother stumping up the cash.

That said, you’d be wise to do your homework before blindly handing over the Bitcoins, especially if you are a WannaCry victim. Security firm Check Point has analysed the WannaCry code and claims that “unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it”.

“Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to,” the company further explains. “WannaCry, on the other hand, only asks you to make a payment, and then… Wait.” In other words, it has no idea who’s handing over the ransom fee, making it highly unlikely you’re going to be rewarded for meeting the hijackers’ demands.

As Ferguson said, paying up is a gamble – an unpalatable deal with the devil. But you’re not necessarily an idiot for doing so. You’re something far worse: human.

About the author

Barry Collins

Barry has scribbled about tech for almost 20 years for The Sunday Times, PC Pro, WebUser, Which? and many others. He was once Deputy Editor of Mail Online and remains in therapy to this day. Email Barry at
