Published on August 18th, 2019
Opinion | They Stole Your Files, You Don’t Have to Pay the Ransom
The F.B.I. has struggled to send a clear message to ransomware victims ever since 2015, when an agent told the audience at a computer security conference in Boston, “We often advise people just to pay the ransom.” The F.B.I. later corrected its position, saying that victims should not pay ransoms.
“The F.B.I. doesn’t support paying a ransom in response to a ransomware attack,” the website states, adding that paying a ransom does not guarantee victims will get their files back and may serve to fund other criminal activity. But most of what the F.B.I. recommends are preventive measures, such as patching software or backing up data — which is good advice, but it won’t help victims whose computers have already been infected by ransomware.
But ransomware victims who don’t have offline backups of their data do have options. Many common strains of ransomware have, in fact, been reverse engineered by software engineers and security firms that provide decryption tools, including the ones aggregated in the No More Ransom project. These tools won’t work for every victim, but there are more than 100 decryption tools, each targeting a specific strain of ransomware, available free on the No More Ransom site. As a victim, of course, you may not be sure whether you’re infected with the Marlboro or the Pylocky or the Popcorn or the BigBobRoss strain, but if you upload any of the encrypted files created by the ransomware on your computer, or any email, website or Bitcoin address left behind by the attackers, No More Ransom will let you know if it has any tools that can help.
In order for these tools to be effective, victims have to know where to find them in the first place, and so far, American law enforcement has done much less than its European counterparts to publicize the existence of these options. For example, the strain of malware that infected the Lake City systems was called Ryuk, and Emsisoft, a security firm, says it can decrypt Ryuk malware using its free tools in 3 percent to 5 percent of the cases. But it’s unclear whether Lake City knew about any of these tools and tried to decrypt its data before acquiescing to the ransom demands.
If the victims had sought advice exclusively from United States law enforcement agencies, like the F.B.I., the Department of Homeland Security’s Computer Emergency Readiness Team or the Secret Service, they certainly would not have found any mention of the No More Ransom project or other resources for decrypting infected files, such as the website ID Ransomware, which an Emsisoft employee created to help victims identify the ransomware they are facing. The most the federal government has done to support these efforts is give an F.B.I. Director’s Community Leadership Award to the creator of the ID Ransomware site.