<p><pre><code> And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
</code></pre>
<a href="http://www.poetryloverspage.com/poets/kipling/dane_geld.html" rel="nofollow">http://www.poetryloverspage.com/poets/kipling/dane_geld.html</a><p>Paying ransom merely teaches the criminal that you're an easy mark that they should demand more ransom from in the future.
Looks like free enterprise has introduced a tax on people who fail to secure their systems against untargeted attacks and fail to make backups.<p>One also wonders what's the point of all NSA's "SIGINT" efforts if they can't or won't use it to catch such usually foreign actors, so maybe they also introduced an argument against mass surveillance.
Note that this is not an official statement, this is something that an agent at a conference:<p><a href="https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/" rel="nofollow">https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-real...</a> has the official statement:<p><pre><code> The FBI doesn't make recommendations to companies; instead, the Bureau explains
what the options are for businesses that are affected and how it's up to
individual companies to decide for themselves the best way to proceed.
That is, either revert to back up systems, contact a security
professional, or pay.</code></pre>
It's probably good advice for any individual person / company who gets infected. Unfortunately, it's terrible advice for society in general, because the blackmailers profit from their crime and will go on to target more people.<p>I'd guess that the malware users are being quite clever in keeping the ransom demands (relatively) small, to make it easy to choose to pay. They then profit in scale because targetting thousands of people is simple.<p>Since the ransom payments are in Bit-coin, it's possible to track the payments and work out how much money the scammers are making. Some estimates put it as high as $325 million: <a href="http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/" rel="nofollow">http://www.coindesk.com/cryptowall-325-million-bitcoin-ranso...</a>
The FBI should always advise companies <i>never</i> to pay ransoms. It's the only way to stop it. The Bureau doesn't care if a company or individual loses data. They do care about crime, and the only logical way to stop a class of crime is to remove all financial incentive.<p>Whoever is advising people to "just pay the ransom" is a fool.
The sad part is that quite a few of the ransomware cases aren't actually recoverable, as the malware could be just dumb AES implementation which doesn't send the key to some C&C server some where, in some cases the key is hardcoded into the malware or is just generated at random so even if you pay the ransom you might not get your data back.<p>The other important thing to consider is that you data is already tainted so the cost of the ransom are meaningless compared to the cost of re-evaluating all the data once you manage to decrypt it, as well as the cost of the decryption it self it's not like you'll get an easy tool do it.<p>But considering that recovering data from backups also costs a small fortune it might be a reasonable gamble after all.
Um, isn't the reason we have an FBI is to shut down operations such as these? Can't they track payments and have the ransomware operators apprehended, with cooperation from authorities in other countries?<p>Maybe we should defund the FBI if this is the best advice they can think of.
For the record, it's the FBI's advice on cryptowall, cryptolocker and their ilk that it's easier to pay the ransom because it's largely automated to the point that no human is directly involved in processing your ransom and returning the keys to your files - the web site you're directed to even gives you one single file recovered for free. Isn't technology grand? Aren't the disenfranchised youth of Eastern Europe (the primary agents responsible for crypto-ransomware) generous? So unless you had backups from before you were infected, pay the automated system its Bitcoin. It's a shame that so many people have <i>this</i> as their introduction to cryptocurrency.
This is 100% BS.<p>The FBI has already confirmed this "just pay the ransom" was completely misquoted and taken out of context.<p>Stop spreading this clickbait FUD.
I guess the ransomware will stop unless they throw a few of the crooks in to jail. I presume the NSA or someone like that could probably figure who they are but they are probably in Russia or similar where the courts won't do much. Hence a fix might be to do a deal with Putin or some such? - We'll drop some sanctions if you throw a couple of dozen cybercrooks in jail say.