Law enforcement authorities and computer security experts are in general agreement that paying off the criminals who distribute CryptoLocker ransomware is ill-advised, yet that's exactly the path chosen by a Massachusetts police department when it was recently victimized.
From a local newspaper report:
The department paid $750 for two Bitcoins - an online currency - to decrypt several images and Word documents in its computer system, Swansea (Mass.) Police Lt. Gregory Ryan said.
"It was an education for (those who) had to deal with it," Ryan said, adding that the virus did not affect the software program that the police department uses for police reports and booking photos.
What exactly was in the encrypted clutches of CryptoLocker was not clear from the story, nor was the police department's explanation for paying the ransom. It's difficult to imagine a compelling enough reason, though, as John Hawes at the Sophos Naked Security blog notes:
The advice of Naked Security, the FBI, the UK's National Crime Agency and many others has been not to give in to crooks by paying this ransom.
Sure, there will be cases where something deeply personal or otherwise irreplaceable has been encrypted and people will be willing to pay for its return, but there should be nothing like this on a police system, at least not without proper backups. ...
Even if the files were hugely important and still usable, most taxpayers would be less than happy to know that the police they were funding were passing on their cash to a gang of international criminals.
The only reason this type of attack succeeds is because people are willing to pay up. If no-one ever paid, there would be no ransomware. ... It's a pretty hard demand to make of anyone, and all but impossible to insist on for everybody, but it has to start somewhere; someone has to set a good example for others to follow.
Especially if that someone works in law enforcement.
As for a better approach, my Network World colleague Ellen Messmer recently addressed that in a story headlined: "Businesses offer best practices for escaping CryptoLocker hell."
Those best practices do not include the use of Bitcoins.