A few weeks ago I talked about why paying ransom to get your data or computers back online was a bad idea: Like any bully, once they succeed in getting your money it will embolden them to demand more and from more people.
But it turns out that at least one venerable American institution thinks you should pay: The Federal Bureau of Investigation.
Yep, the FBI says you should pay up. They are, in fact, on record (October 22, 2015) telling people to pay the ransom:
Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.
After my post went online, I heard from a colleague who told me:
I was presenting in an Infragard briefing at the FBI office, and they basically told everyone there was nothing they could do if it happened, that they were pretty much on their own. There is also no telling what the ransomware left behind for another go-round, or continued surveillance while it held the system captive. Merely breathing a sigh of relief and thinking you are in the clear a really bad idea.
Although it’s still the right thing to do, I know that not paying the ransom is difficult, even if you have good backups. It’s not as fast as just paying because it takes a lot of time to restore and you’ll still lose some data. And, whether you pay or not, there’s a good chance you will get hit again with a new strain of ransomware, so why fight it?
I wonder what the dominant type of backlash will be as more US citizens wake up to the fact that law enforcement can’t help them prevent or recover from these new cyber crimes? Anger? Fear? Vigilantism?
What do you think is most likely?