FBI’s Advice on Ransomware? Just Pay The Ransom.

In-brief: The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom.  

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.  

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.  “To be honest, we often advise people just to pay the ransom.”

Bonavolonta was addressing a gathering of business and technology leaders at the Cyber Security Summit 2015 on Wednesday at Boston’s Back Bay Events Center. He was referring to ransomware programs like Cryptolocker, Cryptowall, Reveton and other malicious programs that encrypt the contents of a victim’s hard drive, as well as any other directories the infected system can reach, such as mapped network shares. The owner is then asked to pay a ransom – often hundreds of dollars – for the key to decrypt the data.

FBI Boston’s Joseph Bonavolonta addressed the Cyber Security Summit on October 21st. Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections. (Photo courtesy of FBI.)

Ransomware, in various forms, has been around for more than a decade. But the past three years have seen a steep rise in incidents involving the programs, which often infect users via malicious email attachments or drive-by downloads from compromised websites or malicious web ads (malvertising). That has resulted in an increase in complaints to the FBI, said Bonavolonta. Police departments appear particularly prone to ransomware infections, but the problem has been noted far more widely. The infections can be difficult to remove, as this article from the Yuma Sun about a Cryptolocker infection in the newsroom notes.

The FBI issued a notice in June, which identified CryptoWall as the most common form of ransomware affecting individuals and businesses in the US. The Bureau said it had received 992 complaints related to CryptoWall between April 2014 and June 2015 with losses totaling $18 million. That message advised victims of ransomware to contact their local FBI field office.

Bonavolonta echoed that advice in his remarks on Wednesday, but also cautioned that the Bureau may not be able to pry encrypted data from the clutches of the ransomware authors, who lock up ransomed data with strong, properly implemented encryption that leaves no practical way to recover the files without the key.

“The easiest thing may be to just pay the ransom,” said Bonavolonta, who added that efforts by the Bureau and others to defeat the encryption used by the malware had not borne fruit. “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

The success of the ransomware ends up benefitting victims in one respect: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, which keeps ransoms low. And most ransomware scammers are as good as their word, Bonavolonta said. “You do get your access back.”

Still, the Boston head of cyber said that organizations with procedures in place for regularly backing up their data can avoid paying a ransom at all, by restoring the infected system to a state prior to the infection – provided the backup copies were not themselves reachable, and encrypted, from the infected system.
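Backups are only a way out if two things hold: the encryption is noticed while a clean copy is still within retention, and the copy you restore from was not itself reachable from the infected machine. The following Python script is an added example, not from the article or from the FBI talk it reports on. It builds a constructed file share and an offline copy in a temporary directory, records a SHA-256 manifest of the known-good files (what a backup job would write at snapshot time), simulates the malware overwriting and renaming files (seeded random bytes stand in for ciphertext), then flags files whose content now has near-maximal Shannon entropy and refuses to trust a backup copy that no longer matches the manifest. The file names, the 7.5 bits-per-byte threshold and the `.locked` extension are assumptions for illustration.

```python
"""Entropy-based check for bulk file encryption, plus backup manifest verification.

Added example, not from the article. All sample files are constructed in a
temporary directory; the "encrypted" content is seeded random bytes, not malware.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY_BITS = 7.5   # assumed threshold; ciphertext and compressed data sit near 8.0
MIN_SIZE = 512            # tiny files give noisy entropy estimates, skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file is large enough to judge and its bytes are near-uniform."""
    data = path.read_bytes()
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY_BITS


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 hex digest for every file under a known-good tree."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def scan_for_encryption(root: Path, manifest: dict) -> dict:
    """Classify each manifest entry as 'ok', 'missing', 'changed' or 'encrypted'."""
    report = {}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            report[rel] = "missing"          # deleted or renamed (e.g. to *.locked)
        elif hashlib.sha256(p.read_bytes()).hexdigest() == digest:
            report[rel] = "ok"
        elif looks_encrypted(p):
            report[rel] = "encrypted"        # content replaced by high-entropy bytes
        else:
            report[rel] = "changed"          # ordinary edit since the manifest was taken
    return report


def backup_is_trustworthy(backup_root: Path, manifest: dict) -> bool:
    """Restore only from a copy in which every file still matches the manifest."""
    return all(v == "ok" for v in scan_for_encryption(backup_root, manifest).values())


def demo() -> dict:
    """Constructed scenario: live share hit by simulated encryption, offline copy intact."""
    rng = random.Random(1234)   # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "share"
        backup = Path(tmp) / "offline_backup"
        live.mkdir()
        for i in range(3):
            (live / f"report{i}.docx").write_bytes(
                (f"Quarterly report {i}. " * 80).encode())
        manifest = build_manifest(live)

        # Offline copy taken before the incident, not reachable from the share.
        backup.mkdir()
        for rel in manifest:
            (backup / rel).write_bytes((live / rel).read_bytes())

        # Simulated ransomware: overwrite two files with random bytes, rename one.
        (live / "report0.docx").write_bytes(rng.randbytes(4096))
        (live / "report1.docx").write_bytes(rng.randbytes(4096))
        (live / "report1.docx").rename(live / "report1.docx.locked")

        return {
            "live": scan_for_encryption(live, manifest),
            "backup_ok": backup_is_trustworthy(backup, manifest),
        }


if __name__ == "__main__":
    print(demo())
```

Run directly, it prints the per-file classification for the live share and whether the offline copy passed. In practice the manifest belongs with the backup job, kept off the host it describes. The entropy test will also fire on legitimately compressed or already encrypted files, so treat a single hit as a prompt to look and a burst of hits across a share as the signal to pull the snapshot.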

And the FBI still wants to hear about ransomware infections, even from firms that pay the criminals off. “Do we want you to call the FBI? Yes,” said Bonavolonta. The FBI has been collecting information on ransomware scams and wants to be able to keep abreast of how the scams are evolving. 

170 Comments

  1. The article’s headline is inaccurate; Cryptolocker has been out of action for well over a year, ever since the takedown of the GameoverZeus botnet. Cryptowall is the most prevalent ransomware today.

    • Hey Patrick. I changed the headline to read “ransomware,” as that’s what the Special Agent was generally referring to. That said: his talk did mention Cryptolocker and not Cryptowall – though he also referred to “ransomware” as if it was a species of malware, rather than a genus. In any case – I hope this helps.

    • Cryptolocker 3 is on the loose now; I have several clients infected with it this month.
      The article is talking about Cryptolocker or Cryptolocker 2.

      • Alex, are you sure that it wasn’t cryptowall 3.0 (I dealt with it myself last June, fortunately made a full recovery between shadow-copies and backups with only a weekend of downtime). Cryptolocker has been down for a long time, most new infections of cryptolocker have been fakes.

      • Hate to say it, but you’re not doing right by your clients if several of them are becoming infected. Remove their admin capabilities for starters.

    • What is the BS FBI reco to pay? I don’t get it. Are they profiting? This is less than the early 2013 spread and easier to fix, why pay? Information is not being shared amongst Corporate and Feds. Same Feds and Feds. So, little gets it again.

      This is a simple short-term project to fix and keep the green-dot loot.

      Who is the FBI Recommendation Speaker or whatever they call him?

  2. This is why backup is so important…not just for your data center, but endpoint backup as well!

    • Agree with that statement! We at Unitrends generally recommend 30 days retention for local backups — that gives you a good buffer to recover your data after you detect the encryption.

    • Yes – and the Special Agent made that point. Frequent backups make getting rid of an infection much easier vs. trying to ‘break their encryption’ which is basically impossible. Preventing infection, also, is increasingly impossible with the use of drive-by downloads via malvertising, etc.

      • I would tend to think that the FBI’s chief recommendation would be to keep regular back ups. The title of the article makes it seem like the FBI thinks paying the ransom under most circumstances is advisable. They probably see it as a last resort, not a chief recommendation. If that is the case then the title is a little sensationalist and misleading. You are not providing a service with this article posed like this. You didn’t even mention back-ups in your article when that is the number one form of mitigation.

        • Untrue. From the article: “Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.” And, speaking as the person who heard the presentation, the message was not “backups first and ransom as a last resort.” The message was: “often we’re telling people who come to us hoping to get their data back that the best option is to pay the ransom.” Obviously, these are folks who do not have a restore as an option. I can only report on what the guy said. It’s not my job as a reporter to tidy up the FBI’s image.

          • “I can only report on what the guy said. Its not my job as a reporter to tidy up the FBI’s image.”

            Thank you for that! Too many in the media are commentators rather than reporters. I feel that’s a large reason for so many misinformed people out there. Please keep reporting!

        • Didn’t want to state the obvious. Just thought publicly we don’t negotiate with terrorists. And paying them doesn’t mean the deal is done nor that data hasn’t been copied onto their storage already? The government needs to work with IEEE, Bandwidth Providers, Cell Tower building and management companies to set up rules and guidelines on the gateway, router, FW, switch, modem and tower level. BYOD in Corporate and your environment will NEVER be under control until a major Federal Sensitive Database is brought to its knees. Inevitable. I tested the first WiFi ISA cards before IEEE had standards. I saw this coming in 1999. In 2004 I built the first fleet of Tablets with Windows XP Embedded. Then I said this will be the norm some day, made by everyone, and there is a Cyber catastrophic event in the next decade. I blogged and time-stamped it Christmas day 2004 and it is still on the net. Congress, DOD, NSA, HOMELAND, FBI, White House, & Pentagon need to rid the entire Federal Sector of BYOD PERIOD or God only knows what will happen but it’s probably not imaginable to our Engineers in the Security Field. The committees in DC are just not right for recommendations and Cyber Defense Appellations. It has to go to the best Hacker groups we have. And I mean Ethical Ones. Ones who learned Reverse Malware Engineering.

          • Every time someone uses the word ‘terrorist’ to describe any sort of run of the mill crime, cyber or not, done to an individual — one that isn’t personally targeted and harassing, anyway — I want to smack them upside the head. It does nobody any favors other than those who’d seek to take advantage of outsized fear.

            Please learn restraint and respect. It’s disrespectful to those who have actually been in the midst of an actual terrorist event, and it’s disrespectful and abusive of a populace that is too easily swayed to lose their freedoms just because someone uses words like ‘terrorist’ to describe something like a cyberlocker — or any other crime that is impersonal and seemingly financially motivated. Crimes are crimes. Terrorism is harder to define, but crimes aren’t, by definition, terrorism. Thanks.

      • Hi Paul,

        Drive-by downloads can be mitigated by keeping computers updated (specifically Adobe Flash and Java). Creating an application whitelist is also effective, though time consuming to set up and maintain (a properly configured whitelist will prevent most crypto variants from running).

    • Backup is useless unless you can afford DAYS of downtime…

      We use FreeBSD with ZFS on all our servers, with snapshots every 4 hours, and webservers or anything in PHP or Java running in another ZFS filesystem and using jails.
      The Windows servers, without any anti-virus, run on VirtualBox (which is in the ZFS snapshot too).
      There are NO root passwords and access is done only using SSH from trusted notebooks running UNIX.
      Disks are mirrored and the servers are in a clean room, and login to the server is possible only on the console after booting single user; besides, you need to know the pen-drive password too (to open the geli).

      The servers’ HDs have strong encryption (geli) on the disks and boot is done using a password-protected pen-drive.

      It has been more than 10 years, nothing happened, so far so good.

  10. The FBI is lazy. Don’t pay it. Just back yourself up. Buy an external hard drive. There is nothing on my computer that is of real importance to me. Paying the ransom is encouraging the hackers. I’m surprised the FBI would say that. I guess they don’t have the man power to deal with it.

    • Chances are if they’re cryptowalling your device they’re also stealing all of your credentials. Just bear that in mind — a backup’s nice, but if you have anything personal, private, bank info, anything at all — you’re missing the point. Then there’s also the other scam — snag the address book, say you’re stranded somewhere, and have them send ‘you’ money. Or they can just use a phone exploit and run systematically through your phone book going after everyone in it to eventually or immediately possess your friends’ devices too.

      The point being, this isn’t just a backup issue. You shouldn’t be keeping anything important on your phone, period, in the first place. And I certainly wouldn’t be connecting that device to your machine without doing a full cache, data, device wipe and reset, too — just to be cautious.

      Treat it like any PII theft: assume all your accounts have been hacked and accessed — email, everything. Don’t just assume you can’t access the data. And don’t just assume if you unlock the data that the problem goes away.

      • PS: I’d also completely reinstall the OS, not just do a device reset — with an up to date image. Assuming it’s available (and with android it often isn’t, which means if it could be exploited to get where it got, chances are it can be exploited again — so I’d look into ways to lock that down and finding out how you got hacked in the first place).

        The FBI is giving a lot of weird advice lately.

      • I think this is good advice, Walter. I’ll note however, that the ASAC Bonavolonta was asked about follow-on attacks (reinfection as well as id theft) and downplayed the risk during his Boston talk – suggesting that it was really about getting the ransom $$. I thought that was a bit of a sour note. Like you, I’d assume that anyone using cryptomalware in a scheme is smart enough to do some credential harvesting and data theft prior to bringing the hammer down.

        • In theory, it’s probably pretty easy once a cybercriminal has your IMEI/IMSI, tower info, GPS, etc, to just keep reinfecting you, especially with the android ‘own it all’ stuff that was put out this past year by a certain security company (stagefright et al). Which is to say, if you’ve been owned, especially by an MMS, not just installing a hacked app, and you pay a ransom, you’ve also indicated you’re easy to relocate, and easy to sucker into paying again — or just infecting via the latter vector even if you were infected initially by the app vector. Honestly I don’t think we’ve seen a lot of repeated harassment, and I think it’s a mistake to believe most cybercriminals would go the repeat route (for one thing, that’d bring a whole lot more attention to them, for another, a lot of the locker crimes seem to be largely passive and not aggressive so far). It’s like picking up a call when a telemarketer gives a ring — you’re added to a list of potential victims (just like replying to spam), though: one has to bear in mind that it does mean you’ve suggested you’re willing to pay.

          Re my MMS comment, maybe it’s a good idea to suggest people change their phone numbers too, incidentally.

          Going to avoid getting into the politics of this; I’ve seen too many FBI statements take the opposite tack, and while I’m not fond of the advice, I’d rather calm than ‘the sky is falling’ considering there isn’t much the FBI can exactly do about it anyway that they’re probably not already at least considering technically.

  15. and we pay the FBI for what? FBI needs to replace Bonavolonta with a leader that demands solutions and results. Jason is right, they are lazy!

  16. ***There are several reasons why you should not pay CryptoLocker’s ransom. You can see below some of them:

    There is no guarantee that paying CryptoLocker’s ransom will decrypt your files.

    Paying this ‘fee’ will support malware developers, allowing them to create additional malicious content and target other computer users.

    Taking steps to remove CryptoLocker with a legitimate security program will not actually endanger your files or prevent you from decrypting them.

    • True, John. But an individual organization confronted with the choice of “get your data back, or don’t” can’t really afford to be altruistic and will likely take their chances. Agent Bonavolonta did make a point of saying that the criminals are usually as good as their word and deliver the decryption key. There’s obviously a market interest in doing so – scamming people by taking money and not giving access back will backfire because future victims will get wind of that and opt not to waste their money. If this is a “business” – albeit an illegal one – you want to provide the (extortive) service you’re charging for. That was part of the agent’s message.

    • Many of these groups who use this malware are terrorist groups. As such, paying the fine would be literally funding terrorism.

      • If the first part of your statement is true then the second part of your statement is (probably) true, also. But I haven’t seen any conclusive evidence that the first part of your statement is true some of the time, all of the time, none of the time. If you have it, please share!

        • Did the FBI say what % of the time you’d get your data back if you pay? My files were encrypted by something that appears to be Cryptowall, but possibly of a different “species”. I’m not sure if it’s the same criminals or some other spin-off.

        • I totally agree with Paul the author in that when you lose your data, sorry, you’re not thinking about how a few hundred $$ is going to MAYBE fund some terrorists. You’re thinking about increasing the chances of getting your important files back. PERIOD.

  27. Never pay the ransom, you only perpetuate the problem. You lose your data. Learn to back your data up and that effectively kills this problem. Just restore from backups.

  37. Paul – in journalism school, do they teach you about context? You completely mis-characterized what was actually said, to generate page views. I say that, because no one could accidentally take those statements so far out of context, unless it was intentional. That’s called site whoring.

    • Excuse me? Were you at the event Jorge? If anything, I omitted comments that would be even more inflammatory, Jorge. And this wasn’t a throw away comment or aside. This was a flat out statement by the agent that paying ransom in cases of ransomware was often the easiest resolution to the issue, where no other technical means (restore from backup) are available. But the agent didn’t start talking about backups – he started talking about how often the easiest thing is just to pay the ransom. I can put you in touch with other attendees who will corroborate that, if you wish, and if there’s video of the session, I welcome it, as it will support my account of the talk. If you were there and somehow have another memory of the talk, feel free to call me and we can discuss offline. If you weren’t there, please stop trolling and impugning my character and my journalistic ethics.

  45. What’s funny is how few people are actually discussing the issue at hand. And of course the journalist highlighted the most interesting part of the story, which also happens to be the most important part of the story. If you can’t implicitly determine that a backup should be used first(if available), then that’s a whole different problem. There is a solution to encrypting malware, but I’m pretty sure it doesn’t involve feigning confidence that criminals will just become uninterested and stop. Therefore, while telling people to pay may be promoting some activity, it is also the ethical thing to tell people who currently want their data back.

    • Yes. This is exactly the point: if you’re a business or individual who needs to get data back and doesn’t have a backup, you have few options. What the Boston FBI was saying, essentially, is that breaking the malware’s crypto isn’t one of them, so don’t count on it. That’s also a warning for companies that haven’t yet been hit to put the necessary protections in place so that you can recover from a crypto malware attack. Namely: frequent off site backups, user least privilege (so write privs to network directories only when absolutely necessary), etc.
