If you’ve read some of the pieces that have been posted online since the weekend’s WannaCry ransomware attack, you’d be forgiven for thinking paying up is akin to holding a whip round for Islamic State. The truth is, as ever, more nuanced. Even the security experts we’ve spoken to say it’s not necessarily daft.
The collective wisdom of the press is that you’re an idiot for paying a ransom. The harsh truth is you’re an idiot to be caught out in the first place, because a decent backup system would make a ransomware attack little more than an inconvenience.
But then we’re all idiots. How many of us have a foolproof backup system at home or at work? How many of us have seen the repeated Windows reminders to back up our data and have then spent the next half hour arguing about Jeremy Corbyn on Twitter instead? We’re an unreliable, hugely fallible bag of atoms, which is why attacks such as WannaCry enjoy an enormous, devastating success rate.
So it’s little wonder that when presented with the opportunity to rescue the sole copy of your daughter’s wedding photos, or your company’s accounts or some other piece of irreplaceable data, many decide to pay up.
Security experts say it sometimes boils down to cold, hard economics. Here’s award-winning security journalist Davey Winder:
@bigtechquestion Yes. If valuable data would be lost, if paying a ransom was far less costly than restoring systems any other way. It’s not black & white.
— Davey Winder (@happygeek) May 15, 2017
Even experts from the security firms, such as Trend Micro’s vice president of security research, Rik Ferguson, say it’s a viable last resort:
@bigtechquestion If they have no other option, it comes down to a risk management decision in the end. There is no right or wrong.
— Rik Ferguson (@rik_ferguson) May 15, 2017
Can you be certain that your data will be unscrambled if you do hand over the money? There are many reported cases of people’s PCs being freed once the ransom is paid. Indeed, the scam’s business model relies on it, because if it was common knowledge that paying the ransom never worked, nobody would bother stumping up the cash.
That said, you’d be wise to do your homework before blindly handing over the Bitcoins, especially if you are a WannaCry victim. Security firm Check Point have analysed the WannaCry code, and claims that “unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it”.
“Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to,” the company further explains. “WannaCry, on the other hand, only asks you to make a payment, and then… Wait.” In other words, it has no idea who’s handing over the ransom fee, making it highly unlikely you’re going to be rewarded for meeting the hijackers’ demands.
As Ferguson said, paying up is a gamble – an unpalatable deal with the devil. But you’re not necessarily an idiot for doing so. You’re something far worse: human.