Another reason why paying a ransomware threat isn’t worth it

Ransomware victims willing to talk to the press sometimes suggest there is “honour among thieves” if they’ve been able to recover their encrypted machines, particularly if the attackers help them through the sometimes complex ways of buying the digital currency demanded.

But Cisco Systems’ Talos threat intelligence service warned this week that increasingly some attackers have no intention of releasing data. Instead, unknown to the owner, the data has been destroyed as soon as the machine is infected, and all the attacker wants is the ransom.

This is a different way of framing the debate over whether organizations should pay when a ransom is demanded: Increasingly the odds are it’s useless.

The report looks at this in the context of a new ransomware variant Cisco dubs Ranscam, which it says is similar to an already-discovered threat called AnonPop. A typical screen the victim sees is below:

See the yellow box that says “I made payment”? If the victim clicks on it after buying and submitting the ransom, the message merely changes to one that reads “Payment not verified. You have not paid. One file will be deleted.”

To find out more about one attacker, Cisco researchers pretended to have trouble getting the bitcoin and emailed them for assistance. And indeed there was a reply, offering advice on buying digital currency and promising that when payment has been verified, files will automatically be restored. It’s a waste of time.

By the way, in addition to deleting data, this malware deletes the core Windows executable responsible for System Restores, deletes shadow copies, deletes several registry keys associated with booting into Safe Mode and sets registry keys to disable Task Manager.
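Each of those four behaviours removes a recovery option, so seeing several of them on one host is a useful detection signal. The Python below is an added example, not code from the article or from Cisco's report: it scores constructed endpoint events per host. The event format, host names, tool names and registry and file paths are assumptions (standard Windows locations, not values taken from the report).

```python
import re
from collections import defaultdict

# Indicators for the four recovery-inhibiting behaviours the article lists.
# The article names no paths or commands; these are the standard Windows
# locations and tools, assumed here for illustration.
RULES = {
    "shadow_copies_deleted": ("process", re.compile(
        r"vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s.*delete", re.I)),
    "system_restore_exe_deleted": ("file_delete", re.compile(
        r"\\windows\\system32\\rstrui\.exe$", re.I)),
    "safe_mode_keys_deleted": ("reg_delete", re.compile(
        r"\\system\\currentcontrolset\\control\\safeboot(\\|$)", re.I)),
    "task_manager_disabled": ("reg_set", re.compile(
        r"\\policies\\system\\disabletaskmgr=(?:0x0*)?1$", re.I)),
}

# Constructed sample telemetry as (host, event_type, detail) tuples.
SAMPLE_EVENTS = [
    ("ws-01", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-01", "file_delete", r"C:\Windows\System32\rstrui.exe"),
    ("ws-01", "reg_delete", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"),
    ("ws-01", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1"),
    ("ws-02", "process", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("ws-02", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=0"),
    ("srv-03", "process", r"wmic shadowcopy delete"),
]

def behaviours_by_host(events):
    """Map each host to the set of rule names its events matched."""
    hits = defaultdict(set)
    for host, etype, detail in events:
        for name, (rule_type, pattern) in RULES.items():
            if etype == rule_type and pattern.search(detail):
                hits[host].add(name)
    return dict(hits)

def triage(events, threshold=2):
    """Return hosts showing at least `threshold` distinct behaviours.

    One behaviour alone (an admin pruning shadow copies, say) is weak;
    several together on one host is the pattern the article describes.
    """
    return {h: sorted(b) for h, b in behaviours_by_host(events).items()
            if len(b) >= threshold}

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(found))
```

In practice the tuples would come from whatever endpoint telemetry is already collected, and the threshold trades false positives from routine administration against earlier alerts.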

The lesson, again, is that backups are the best defence against ransomware.

“By paying ransomware authors organizations are contributing to the proliferation of ransomware by providing threat actors with the capital necessary to mature their capabilities and infect future victims,” says Cisco [Nasdaq: CSCO]. And they teach attackers there’s a victim they can hit again.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
