When It Comes to Ransomware, Take Precautions or Pay Up, FBI Says

Ransomware encrypts a computer’s files and then holds the key needed to unlock them for ransom — usually somewhere between $200 and $10,000.

By Sean Sposito, San Francisco Chronicle

At a cybersecurity summit last week in Boston, an FBI agent gave a disquieting piece of advice to a room of executives: If your computer is infected with certain forms of ransomware, and you haven’t backed up that machine, just pay up.

Ransomware encrypts a computer’s files and then holds the key needed to unlock them for ransom — usually somewhere between $200 and $10,000, according to a July alert from the agency.

Strains such as CryptoLocker and CryptoWall are so difficult to crack that it would almost certainly cost less to pay the bribe than to hire someone to attempt to fix those computers.

“The ransomware is that good,” said Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the Boston office, according to the information security website.

“To be honest, we often advise people just to pay the ransom.”

He was speaking at the 2015 Boston Cyber Security Summit, a meeting meant to connect senior executives to vendors and others who can help protect their companies.

The FBI said that between April 2014 and June 2015, its Internet Crime Complaint Center received nearly 1,000 CryptoWall complaints.

Victims, the agency said, reported losing more than $18 million.

CryptoWall’s latest version, 3.0, has netted the criminals behind it roughly $325 million, according to the Cyber Threat Alliance, a group consisting of Intel Security, Palo Alto Networks, Fortinet and Symantec.

An FBI spokeswoman said Bonavolonta’s statements came at the end of the question-and-answer portion of a roughly 35-minute talk.

In an email, she made a point of saying that regularly backing up systems renders such criminal threats ineffective.

“The FBI doesn’t make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it’s up to individual companies to decide for themselves the best way to proceed,” the spokeswoman wrote.

“That is, either revert to backup systems, contact a security professional, or pay.”

That last option must be a particularly difficult admission for the FBI.

“These businesses are coming to them with the hope that they are able to defeat the malware and get their data back and, in essence, what he was saying is (this ransomware) is pretty good,” said Paul Roberts, Security Ledger founder and editor in chief.

Law enforcement traditionally has struggled to chase down cybercriminals who use ransomware, said Marco Balduzzi, a senior security engineer and researcher at Trend Micro, who researches the dark Web.

Ransomware often connects victims to criminals over the dark Net — a collection of websites whose servers are obscured.

In addition, Balduzzi said, bad guys often get paid in bitcoin, a virtual currency that is difficult to trace.

At the point a criminal cashes out, turning digital currency into traditional currencies, law enforcement agents might be able to track that person down.

But the problem is that there are many virtual currencies — LiteCoin, DogeCoin and Peercoin, to name a few — and crooks often exchange one for another so many times that following a trail becomes next to impossible, said Vincenzo Ciancaglini, another senior research scientist at Trend Micro.

“So the fact that they use cryptocurrencies together with the (dark Net) infrastructure makes them very resilient to being taken down by law enforcement,” said Balduzzi.

©2015 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.