If you’re one of the 4,000 victims a day who get hit with ransomware, you now face a dilemma.
The standard advice on ransomware is prevention: apply security patches, back up your files and don’t open suspicious emails. That advice doesn’t help much once you’ve already been locked out of your computer and the attackers are holding your own encrypted files for ransom.
So now the question is: Do you pay up?
The short answer is no, but if you want the long answer, keep reading.
The WannaCry ransomware has struck in more than 200 countries, seized more than 300,000 devices and set a deadline for this Friday, one week after it infected hospitals, universities and businesses. Ransom payments spiked on Monday, one day before the demanded amount doubled from $300 to $600.
There were more payments on that Monday than on Tuesday, Wednesday and Thursday combined, according to a tracker following bitcoins heading into the hackers’ wallets. As the deadline looms, more victims are refusing to pay the ransom.
The majority of government agencies and cybersecurity researchers agree that victims should not pay the ransom, but they leave it to victims to evaluate their own situations: Would losing the files mean financial ruin? If WannaCry infected a hospital’s computers, is it a life-or-death situation?
Here’s what each organization had to say about paying the ransom:
Federal Bureau of Investigation
The agency’s most recent guidance was released on September 15, 2016. The FBI recommends that victims not pay the ransom, because payment does not guarantee the victim will regain access to the encrypted data, and paying also encourages future attacks.
“While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers,” the agency said.
The FBI encourages victims to report the attacks as it tries to understand more about how ransomware attacks work and who’s behind them.
Department of Justice
The Department of Justice also does not encourage paying a ransom. It pointed to cases in which victims were targeted again because they had shown a willingness to pay.
In other cases, victims who had already sent the bitcoins were asked to pay even more for the promised decryption key.
“After systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers,” the department wrote in its guidelines on ransomware.
Central Intelligence Agency
The CIA follows the Department of Justice’s and the FBI’s guidelines on ransom payments, a spokesman said.
Department of Homeland Security
Homeland Security follows the guidelines of the US Computer Emergency Readiness Team (US-CERT), a spokesman said. Those guidelines recommend against paying the ransom and encourage victims to report incidents to the Internet Crime Complaint Center.
Kaspersky Lab
Kaspersky Lab is a cybersecurity company that offers protection to more than 400 million users. It looked deep into WannaCry as the outbreak began.
“We advocate that people avoid paying a ransom because there is no guarantee the files will be returned. People should remember that it is possible to avoid being infected by having a multilayered approach to proactively protecting themselves,” said Ryan Naraine, head of the global research and analysis team. “For those infected, the situation is not entirely hopeless as criminals often make mistakes in their cryptographic implementations that make the data retrievable. Decryption tools are available for some families of ransomware, and can be found from programs like NoMoreRansom Project.”
The security firm surveyed ransomware victims and found that more than half would not pay to get their personal data back. The picture changes for businesses: 70 percent of business victims paid to get their financial files back. With WannaCry, the company has already heard of cases in which victims did not get their data back even after paying.
IBM Security
Like the others above, IBM Security recommends that victims do not pay the ransom.
“Firstly, nothing succeeds like success — paying will further propagate the spread of ransomware as a way for attackers to make money; criminals will go where the money is,” said Diana Kelley, a security adviser at IBM Security. “We’ve seen many cases in which the criminals don’t end up releasing the data even after the ransom is paid. Keep in mind these are criminals. Why should you trust them?”
Malwarebytes
Malwarebytes is the rare security group that says paying the ransom can be acceptable in some cases, but it also suggests trying to negotiate with the attackers first.
“In some cases, paying the ransom is inevitable; customer, patient and financial data can’t be easily replaced and has more than just personal or sentimental value associated with it,” a Malwarebytes spokeswoman said. “In some attacks, there’s also a very high probability you will get all of your files back when you pay. In situations like that, we recommend attempting to negotiate with the attacker for a decreased ransom payment or the decryption of key files rather than paying the entire ransom.”
First published May 19, 7:01 a.m. PT.
Update, 7:43 a.m. PT: Adds comment from Malwarebytes.