FBI’s Advice on Ransomware? Just Pay The Ransom.

Many certificate authorities allow an e-mail address to serve as proof of domain ownership.
FBI Boston’s Joseph Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections.

In-brief: The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom.  

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.  


Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.


“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.  “To be honest, we often advise people just to pay the ransom.”

Bonavolonta was addressing a gathering of business and technology leaders at the Cyber Security Summit 2015 on Wednesday at Boston’s Back Bay Events Center. He was referring to ransomware programs like Cryptolocker, Cryptowall, Reveton and other malicious programs that encrypt the contents of a victim’s hard drive, as well as other directories accessible from the infected system. The owner is then asked to pay a ransom – often hundreds of dollars – for the key to unencrypt the data.

FBI Boston's Joseph Bonavolonta address the Cyber Security Summit on October 21st. Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections. (Photo courtesy of FBI.)
FBI Boston’s Joseph Bonavolonta address the Cyber Security Summit on October 21st. Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections. (Photo courtesy of FBI.)

Ransomware, in various forms, has been around for more than a decade. But the past three years has seen a steep rise in incidents involving the programs, which often infect users via malicious email attachments or drive by downloads from compromised websites or malicious web ads (malvertising). That has resulted in an increase in complaints to the FBI, said Bonavolonta. Police departments appear particularly prone to ransomware infections. But the problem has been widely noted. The infections can be difficult to remove, as this article from the Yuma Sun about a Cryptolocker infection in the newsroom notes.

The FBI issued a notice in June, which identified CryptoWall as the most common form of ransomware affecting individuals and businesses in the US. The Bureau said it had received 992 complaints related to CryptoWall between April 2014 and June 2015 with losses totaling $18 million. That message advised victims of ransomware to contact their local FBI field office.

Bonavolonta echoed that advice in his remarks on Wednesday, but also cautioned that the Bureau may not be able to pry encrypted data from the clutches of the ransomware authors, who use ultra secure encryption algorithms to lock up ransomed data.

“The easiest thing may be to just pay the ransom,”Bonavolonta, who said that efforts by the Bureau and others to defeat the encryption used by the malware did not bear fruit. “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word, Bonavolonta said. “You do get your access back.”

Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection. 

And the FBI still wants to hear about ransomware infections, even from firms that pay the criminals off. “Do we want you to call the FBI? Yes,” said Bonavolonta. The FBI has been collecting information on ransomware scams and wants to be able to keep abreast of how the scams are evolving. 

170 Comments

  1. Pingback: With $325 Million In Extorted Payments CryptoWall 3 Highlights Ransomware Threat | Templar Shield

  2. Pingback: Betala lösensumman för att bli kvitt ransomware? Ja, ibland är det enda utvägen. | Dator Kunskap

  3. Pingback: Evil Zone | FBI recommends that victims of ransomware pay up

  4. I’ve dealt with this kind of encryption scam several times in the past couple years. There is a way to decrypt the files and get all the data back. I have experimented with it. Again, it’s wise to have back up, in the case you fail at decryption. 🙂

  5. Carl Force IV would be proud. Looks like we have Hundred’s and Hundreds’ of them now…

  6. Pingback: All CoinVault and Bitcryptor ransomware victims can now recover their files for free - GeekTechTalk

  7. Pingback: All CoinVault and Bitcryptor ransomware victims can now recover their files for free | Templar Shield

  8. Pingback: СТОЛКНУЛИСЬ С ВЫМОГАТЕЛЬСКИМ ПО? ФБР СОВЕТУЕТ ЗАПЛАТИТЬ | HACHERHOME.TK

  9. Pingback: All CoinVault and Bitcryptor ransomware victims can now recover their files for free | Computer network knowledge

  10. Pingback: Don’t Listen to the FBI – Daily Security Byte EP. 168 - Varanoid.com

  11. Pingback: Cryptowall 3.0 reported to cost victims $325 million | OSINFO

  12. Pingback: All CoinVault and Bitcryptor ransomware victims can now recover their files for free | All About Tech in News

  13. Pingback: El final de CoinVault y Bitcryptor

  14. Pingback: Osibogun and Partners - Law Firm

  15. Great….the FBI is now telling us to give the mouse a cookie.

    People…think about this. Unless you absolutely cannot afford to lose your data, do not give in to these scum-runners. And if you absolutely cannot afford to lose your data, you should be buying Carbonite, Crashplan, or some other form of backup, preferably on and offsite, but if you can only afford one, a basic subscription offsite. If you can’t do without it, then you should ask yourself -what if a fire, flood, theft, etc. took my computer and data away from me?

    The FBI should be making clear to people that giving in is the last resort. If people stop paying off these frauds, they’ll stop doing it because it won’t be profitable. And as Eastern European organized crime is often responsible, this money won’t go to fund other not-so-pleasant things.

  16. Pingback: FBI Suggests Ransomware Victims — ‘Just Pay the Ransom Money’ | S4mpl3d

  17. Pingback: Chimera Ransomware focuses on business computers - botfrei Blog

  18. Pingback: CryptoWall Extorts $325M from 400K Infections | BTCMANAGER

  19. Pingback: BackupAssist | Windows Backup and Disaster Recovery Software » Blog Archive Ransomware - FBI says play safe or pay up | BackupAssist

  20. Pingback: Abejotina FTB rekomendacija sukėlė sąmyšį IT saugumo industrijoje | Sprendimai Verslui

  21. Pingback: Cryptowall 4.0 Encrypts File Names, Clears Restore Points | Threatpost | The first stop for security news

  22. The FBI should be telling people to dump the Windows OS! How long will we continue to suffer the Stockholm syndrome with bad Microsoft Software? Other operating systems/computer ecosystems have shown much greater security. Cryptolocker and Cryptowall are hideious Windows infections.

    The worst Mac OS ransomware infection so far was a javascript that fooled you into thinking your computer was locked, but it wasn’t. Easily deleted and fixed. There has never been a ransomware in the wild for iOS. Other OS’s while not having as stellar a record as Apple’s OS’s still have greatly improved track records over Windows. Dump Windows! Keep your hardware, but dump Windows.

    • @Nobody Special,

      1) – You can’t keep your hardware, but dump Windows if you wish to adopt an Apple OS; it would completely violate Apple’s licensing policies
      2) – You’re blaming an operating system, when you should be blaming the scum that are doing this.
      3) – Just because this hasn’t been done on Linux or Mac OS X doesn’t mean it couldn’t be done. Both have encryption technologies available. It just isn’t profitable to do so at this time. Should the marketshare of either increase drastically, and the marketshare of Windows decrease in proportion, it is a guarantee you’ll see this happen. Not a possibility, a guarantee.

      This should not be about blaming an operating system –it should be about ensuring that no matter which operating system, people are taught to back up everything for disaster recovery. If one’s house burns down and their computer is melted to slag, Linux isn’t to blame. If a hard disk fails, it’s not the fault of OS X. We need to treat this as a disaster-recovery opportunity, not a chance to blame an OS, and we need to use all forensic tools at our disposal to go after the scum doing this to people, because in the end, the criminals are responsible.

    • And note -while thwarted, possibly the first Linux ransomware seen in the wild. As it’s a 1.0, I’m sure we’ll see a 1.1.

      http://www.theregister.co.uk/2015/11/12/cures_for_ransomware_linux_cryptowall/

      This underscores that the operating system is not relevant – a solid disaster recovery procedure however, is.

  23. Pingback: Updated Cryptowall Encrypts File Names, Mocks VictimsDigital Era | Digital Era

  24. DO NOT NEGOTIATE WITH TERRORISTS. THE UNITED STATES DOES NOT NEGOTIATE WITH TERRORISTS. the fbi should be ashamed of themselves.

  25. Pingback: Held ransom by malicious spyware? Just pay up, FBI says - AdTrustMedia Blog

  26. Pingback: Booming crypto ransomware industry employs new tricks to befuddle victims | River Net Computers | Frenchtown, NJ

  27. Pingback: TECNOLOGÍA » Booming crypto ransomware industry employs new tricks to befuddle victims

  28. Pingback: Evil Zone Groups | Updated Cryptowall Encrypts File Names, Mocks Victims

  29. Pingback: Did the FBI really say “pay up” for ransomware? Here’s what to do… | absenteereality

  30. Pingback: Новый Cryptowall шифрует имена файлов, глумится над жертвой | Threatpost | Новости информационной безопасности

  31. Pingback: Booming crypto ransomware industry employs new tricks to befuddle victims | TecBlog

  32. Pingback: A Government Standing on Principle - The Electric Deep

  33. Pingback: Cryptowall 3.0 reported to cost victims $325 million | Cyber Security News

  34. Pingback: Создатели программ-вымогателей придумывают новые способы выманивания денег - itfm.pro

  35. Pingback: You would not believe the virus that is infecting everyone! Here are 3 recommendations to prevent it you should be doing recommendation #2 | codelikeasir

  36. Pingback: Booming crypto ransomware industry employs new tricks to befuddle victims - Meta Thrunks Security Blog

  37. Pingback: Bundeskriminalamt widerspricht FBI bezüglich der Handlungsempfehlung bei Ransomware - botfrei Blog

  38. Pingback: Buggy ransomware locks up your data, then throws away the encryption key – HOTforSecurity

  39. Pingback: Buggy ransomware locks up your data, then throws away the encryption key | Dennis Nadeau Complaint Blog

  40. Pingback: Ransomware Recap - Practical Help for Your Digital Life®

  41. Pingback: Neuer Cryptowall verschlüsselt Dateinamen und verhöhnt Opfer - Securelist

  42. Pingback: Podcast @1060interfase: Seguridad Digital | Ornitorrinco Digital

  43. Pingback: Ransomware: pagare o non pagare il riscatto? Il parere degli esperti di ESET

  44. Pingback: Updated Cryptowall Encrypts File Names, Mocks Victims | »XoZZeN«

  45. Pingback: Kaspersky Lab: malware en puntos de venta y ataques híbridos a empresas marcaran a la región en 2016 | Corporate IT

  46. Pingback: Malware y ataques híbridos a empresas marcarán a Latam en 2016

  47. Pingback: Ransomware’s latest threats: What to do about CryptoWall, Chimera, etc | TMD Technology Services

  48. Pingback: ESET: If a ransomware threats to upload your pictures and videos, don’t believe it! | GlobalMedia IT Caribbean

  49. Pingback: Siete stati colpiti da un Ransomware? Pagate il riscatto e rassegnatevi | corradoignoti.it

  50. Pingback: New Ransomware Threatening to Leak Victims’ Personal Data - PureVPN