What to do when there is a ransomware attack
Technology lawyer Dai Davis says he would have 'no hesitation' in paying up, irrespective of the fact that in doing so you are encouraging the crime
Wikipedia defines a ransomware attack as a "type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction". The most common form of ransomware infects a computer with a virus and encrypts the data held on it. Payment, usually demanded in a virtual currency such as Bitcoin, is required to obtain the decryption key.
What are the options?
A ransomware attack is a criminal offence as well as a civil wrong. Therefore, you can report the offence to the police. However, the police are unlikely to do anything to find the culprit, as it is simply too expensive to do so. Even law enforcement organisations in the USA, such as those in Tewksbury, Massachusetts; the Midlothian Police Department, Illinois; and Lincoln County, Maine, have reportedly found it too difficult to try to track down the culprits, opting instead to pay the ransom. Nevertheless, you should report any such attack to the police: while government is known for its inaction in these matters, eventually the number of crime reports may embarrass politicians into some meaningful activity.
The US police organisations listed above had the resources of the FBI to draw on, and yet they still opted to pay. The few hundred pounds it cost them in ransom fees was a lot cheaper than opting to try to decrypt the files. Can the files be decrypted without paying the ransom? Almost certainly the answer is yes. One of the lesser known "Snowden revelations" was that the NSA has allegedly built a machine that can decrypt HTTPS, which is used to encrypt "secure" web pages. With this sort of technology, breaking the encryption used by cybercriminals is child's play. However, there is the cost element. Allegedly, $750m was spent by the NSA to develop this technology. It is not available commercially. Even if it were available, the cost of the electrical power alone would be greatly in excess of the ransom demanded.
While most people regard virtual currency as untraceable, that isn't entirely true. It can in fact be traced, but, as with decryption, doing so is far too expensive to be feasible in most normal police investigations.
Alternatively, you could wait five to 10 years to get your data back, by which time the encryption used in today's ransomware may well be breakable with decryption technology that has by then become more commonly available.
As a lawyer, from a practical perspective, I would have no hesitation in paying up, irrespective of the fact that in doing so you are encouraging the crime. It is an economic no-brainer if your business is unlucky enough to be hit. It goes without saying, of course, that this is one area of computer security where, again, "prevention is better than cure": take regular backup copies of your data and don't load attachments where you are uncertain of the source.
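Backups only count as "prevention" if they are recent, kept out of reach of the same infection, and actually restorable. The check below is an added example, not part of the article or the author's advice: it walks a set of backup copies and reports which ones could support a clean restore without paying. The backups, file contents, timestamps and the seven-day freshness limit are all constructed sample values, and the "offline" flag is an assumed attribute standing in for a copy detached from the network after it was written.

```python
"""Backup readiness check: are there recent, offline, verified copies to restore from?
Added example with constructed sample data; nothing here comes from a real system."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Backup:
    label: str
    taken_at: datetime          # when the copy was made (UTC)
    offline: bool               # assumed flag: True if detached from the network after writing
    manifest: Dict[str, str]    # path -> SHA-256 recorded when the backup was taken
    contents: Dict[str, bytes]  # path -> bytes produced by a trial restore of that copy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(backup: Backup) -> List[str]:
    """Return the paths whose trial-restored bytes do not match the manifest."""
    damaged = []
    for path, expected in backup.manifest.items():
        data = backup.contents.get(path)
        if data is None or sha256(data) != expected:
            damaged.append(path)
    return damaged


def assess(backups: List[Backup], now: datetime, max_age: timedelta) -> dict:
    """Decide whether a clean restore is possible without touching the ransom.

    A copy counts as usable only if it is within max_age, was held offline
    (ransomware that encrypts the live system can also encrypt any backup
    that is still mounted), and survives a trial restore with every hash intact.
    """
    usable, findings = [], []
    for b in backups:
        age = now - b.taken_at
        if age > max_age:
            findings.append(f"{b.label}: too old ({age.days} days)")
            continue
        if not b.offline:
            findings.append(f"{b.label}: reachable from the network, not safe from the same attack")
            continue
        damaged = verify_restore(b)
        if damaged:
            findings.append(f"{b.label}: trial restore failed for {damaged}")
            continue
        usable.append(b.label)
    return {"ok": bool(usable), "usable": usable, "findings": findings}


# --- constructed sample data (not real files, hashes or backups) ---
FILES = {
    "docs/contracts.pdf": b"%PDF-1.4 constructed sample contract",
    "db/ledger.csv": b"id,amount\n1,100\n2,250\n",
}
MANIFEST = {path: sha256(data) for path, data in FILES.items()}
NOW = datetime(2016, 1, 10, tzinfo=timezone.utc)

SAMPLE_BACKUPS = [
    # nightly copy on a mounted share: fresh and intact, but the attacker can reach it too
    Backup("nightly-share", NOW - timedelta(days=1), False, MANIFEST, dict(FILES)),
    # weekly tape taken off site: the copy that actually saves the business
    Backup("weekly-tape", NOW - timedelta(days=5), True, MANIFEST, dict(FILES)),
    # old USB drive: offline but stale, and one file has rotted
    Backup("old-usb", NOW - timedelta(days=40), True, MANIFEST,
           {**FILES, "docs/contracts.pdf": b"bit rot"}),
]

if __name__ == "__main__":
    report = assess(SAMPLE_BACKUPS, NOW, timedelta(days=7))
    for line in report["findings"]:
        print("finding:", line)
    print("restore possible without paying:", report["ok"], "from", report["usable"])
```

Run on the sample set, only the weekly tape qualifies: the nightly copy is rejected because it is still reachable from the network, and the USB drive because it is stale. Tightening the freshness limit to three days leaves nothing usable, which is exactly the situation the article's "economic no-brainer" describes.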
Dai Davis is a technology lawyer. He is a qualified chartered engineer and a solicitor.