FBI’s Advice on Ransomware? Just Pay The Ransom.

FBI Boston’s Joseph Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections.

In-brief: The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom.  

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.  

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.  “To be honest, we often advise people just to pay the ransom.”

Bonavolonta was addressing a gathering of business and technology leaders at the Cyber Security Summit 2015 on Wednesday at Boston’s Back Bay Events Center. He was referring to ransomware programs like Cryptolocker, Cryptowall, Reveton and other malicious programs that encrypt the contents of a victim’s hard drive, as well as other directories accessible from the infected system. The owner is then asked to pay a ransom – often hundreds of dollars – for the key to decrypt the data.

FBI Boston’s Joseph Bonavolonta addressed the Cyber Security Summit on October 21st. Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections. (Photo courtesy of FBI.)

Ransomware, in various forms, has been around for more than a decade. But the past three years have seen a steep rise in incidents involving the programs, which often infect users via malicious email attachments or drive-by downloads from compromised websites or malicious web ads (malvertising). That has resulted in an increase in complaints to the FBI, said Bonavolonta. Police departments appear particularly prone to ransomware infections. But the problem has been widely noted. The infections can be difficult to remove, as this article from the Yuma Sun about a Cryptolocker infection in the newsroom notes.

The FBI issued a notice in June, which identified CryptoWall as the most common form of ransomware affecting individuals and businesses in the US. The Bureau said it had received 992 complaints related to CryptoWall between April 2014 and June 2015 with losses totaling $18 million. That message advised victims of ransomware to contact their local FBI field office.

Bonavolonta echoed that advice in his remarks on Wednesday, but also cautioned that the Bureau may not be able to pry encrypted data from the clutches of the ransomware authors, who use strong encryption algorithms to lock up ransomed data.

“The easiest thing may be to just pay the ransom,” said Bonavolonta, who added that efforts by the Bureau and others to defeat the encryption used by the malware did not bear fruit. “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

The success of the ransomware ends up benefiting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are as good as their word, Bonavolonta said. “You do get your access back.”

Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection. 

And the FBI still wants to hear about ransomware infections, even from firms that pay the criminals off. “Do we want you to call the FBI? Yes,” said Bonavolonta. The FBI has been collecting information on ransomware scams and wants to be able to keep abreast of how the scams are evolving. 

170 Comments

  1. Pingback: Kaspersky Lab: malware en puntos de venta y ataques híbridos a empresas marcaran a la región en 2016 | Notas de Prensa TI

  2. Pingback: Ransomware Works on Smart TVs, Too! | The Security Ledger

  3. Regardless of what the FBI’s intentions were, I still think it was a very irresponsible statement to make. When you have as much power as the FBI has, your words weigh a lot. My concern is that a lot of people are just going to give up trying to protect themselves and simply pay it out, without realizing there are ways out. Backups are essential, and should not be missed. Another way to revert ransomware such as cryptolocker is to get third party restore software, like Rollback Rx. This and others similar to it can wipe off the malware without any payment made to anybody.

  4. Pingback: FBI’s Advice on Ransomware? Just Pay The Ransom. | University of South Wales: Information Security and Privacy

  5. Pingback: Il nuovo Cryptowall codifica i nomi dei file e si prende gioco delle proprie vittime - Securelist

  6. Pingback: WatchGuard 2016 Security Predictions: #1 Ransomware - Varanoid.com

  7. Pingback: Senators Ask: Does Uncle Sam Pay Ransom? | The Security Ledger

  8. Pingback: FBI’s Advice on Ransomware? Just Pay The Ransom. | The Security Ledger | Georgia 2600 Hackers irc.2600.net #GA2600

  9. Pingback: The Future of Viruses and Cyber Security - Modernized Security

  10. Never, ever pay the ransom. That’s a shot in the dark, at best, and an endorsement for such criminal activity.

    • Also, keep a separate administrator account while using a standard user day-to-day. If this is a business station, no one, including upper level management and owners, should have admin permissions. Businesses, and end-users that can afford it, should also employ security appliances in between the public and private networks.

  11. Pingback: Predicciones para Latinoamérica 2016 de Kaspersky Lab: Malware en puntos de ventay ataques híbridos | Datamation

  12. Pingback: Ransomware’s latest threats: What to do about CryptoWall, Chimera and their ilk

  13. Pingback: Best backup method and products - Digital Survival Guide -

  14. Pingback: The Complete Ransomware Guide | Varonis Blog

  15. Pingback: 2015 Cybersecurity in review: Threat predictions for 2016 - SecureLink

  16. I agree that the FBI statement is, in fact, irresponsible, and I daresay would not have been contemplated by old-guard FBI men.

    I can understand their frustration and inability to respond or provide help for a growing stream of infection reports, but their statement provides material support and encouragement for criminal enterprise. Their spokesman should have pointed the public to a simple-to-understand document on an FBI-based URL that would provide tips on keeping your system and/or data from becoming victims (and which should say never, ever, pay ransom).

    Never too late, guys.

  17. Yet again, an erroneous response which should not be taken as word. What the Special Agent needs to understand is that one does not need to do the easiest thing, but the correct one. Take this problem into the real world, where the ransom is not via computer but in person. Would someone pay the criminals for this, or alert the police? I think you have your answer there. Make sure you get a backup solution asap, and strong anti-malware and software that can reverse any awful changes made to your computer like Deep Freeze and Rollback Rx.

  18. Pingback: Ransom32, du JavaScript pour chiffrer vos données - XPEnology France

  19. Pingback: Cryptolocker Virus - Still Going Strong. | Tech II Business Services

  20. Pingback: Ransom32, du JavaScript pour chiffrer vos données ⋆ XPEnology France

  21. Pingback: IDG Contributor Network: Ransomware: 7 tips for recovery and prevention - Micro Penguin

  22. I’ll immediately seize your rss feed as I can not find your email
    subscription hyperlink or e-newsletter service. Do you’ve any?
    Kindly let me realize in order that I may subscribe.
    Thanks.

  23. Pingback: RANSOMWARE ATTACKS SMART TV’s | WASHC

  24. Pingback: CryptoWall ransomware campaigns are carried out by a small set of attackers; pattern mirrors that of traditional organized crime | OCG Systems

  25. Pingback: WTF: Ransomware, Cryptolocker, Coinvault | Athena Bitcoin

  26. Pingback: Limit the Damage of Ransomware in Two Steps - Sentinel IPS

  27. Pingback: Ransom note – pay or don’t pay? Ransomware on the rise – diginomica

  28. Pingback: No One Should Ever Pay to Remove a Bitcoin Ransomware Infection – newsBTC | Everyday News Update

  29. Pingback: Hospital's IT systems held hostage by ransomware, results in severe disruption of care

  30. Pingback: No One Should Ever Pay to Remove a Bitcoin Ransomware Infection | NewUCity

  31. Pingback: Ransomware Extortionists Land $17,000 in Bitcoin – Welcome to Shop-a-to |Homefront Aggregate

  32. Pingback: Ransomware Extortionists Land $17,000 in Bitcoin | NewUCity

  33. Pingback: Hollywood Hospital Pays $17K Ransom to Decrypt Files | Threatpost | The first stop for security news

  34. Pingback: Hollywood Hospital Pays Bitcoin Ransom After Cyber Attack

  35. Pingback: Ransomware Extortionists Land $17,000 in Bitcoin • sevenfortwo

  36. Pingback: FBI Suggests Ransomware Victims — 'Just Pay the Ransom Money' - Genius web Press

  37. Pingback: No One Should Ever Pay to Remove a Bitcoin Ransomware Infection – Welcome to Shop-a-to |Homefront Aggregate

  38. Pingback: Hackers Hold L.A. Hospital for Ransom, Make Off with $17,000 - Breitbart

  39. Pingback: NETWORK ZONES | Hollywood Hospital Pays $17K Ransom to Decrypt Files

  40. Pingback: No One Should Ever Pay to Remove a Bitcoin Ransomware Infection | Crypto Coin News

  41. Pingback: За криптирането и хората. Your personal files are encrypted! – Блогът на Сайхет