Ransomware victims willing to talk to the press sometimes suggest there is “honour among thieves” if they’ve been able to recover their encrypted machines, particularly if the attackers help them through the sometimes complex ways of buying the digital currency demanded.
But Cisco Systems’ Talos threat intelligence service warned this week that increasingly some attackers have no intention of releasing data. Instead, unknown to the owner, the data has been destroyed as soon as the machine is infected, and all the attacker wants is the ransom.
This is a different way of framing the debate over whether organizations should pay when a ransom is demanded: Increasingly the odds are it’s useless.
The report looks at this in the context of a new ransomware variant Cisco dubs Ranscam, which it says is similar to an already-discovered threat called AnonPop. A typical screen the victim sees is below:
See the yellow box that says “I made payment”? If the victim clicks on it after buying and submitting the ransom, the message merely changes to one that reads “Payment not verified. You have not paid. One file will be deleted.”
To find out more about one attacker, Cisco researchers pretended to have trouble getting the bitcoin and emailed them for assistance. And indeed there was a reply, offering advice on buying digital currency and promising that when payment has been verified, files will automatically be restored. It’s a waste of time.
By the way, in addition to deleting data, this malware deletes the core Windows executable responsible for System Restores, deletes shadow copies, deletes several registry keys associated with booting into Safe Mode and sets registry keys to disable Task Manager.
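The recovery-tampering behaviours listed above can be correlated per host in endpoint telemetry, since several of them together are a much stronger signal than any one alone. This is an added example, not code from Cisco's report or the original article; the event format, file path, registry paths and command lines are assumptions based on standard Windows locations, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Each rule: (behaviour from the article, event kind, regex on the event detail).
# The concrete paths, value names and commands are assumptions based on standard
# Windows locations; the article does not name them.
RULES = [
    ("system_restore_exe_deleted", "file_delete", r"\\windows\\system32\\rstrui\.exe$"),
    ("shadow_copies_deleted", "process",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("safe_mode_keys_deleted", "registry_delete",
     r"\\system\\currentcontrolset\\control\\safeboot(\\|$)"),
    ("task_manager_disabled", "registry_set",
     r"\\policies\\system\\disabletaskmgr=(0x0*)?1$"),
]
COMPILED = [(name, kind, re.compile(rx, re.IGNORECASE)) for name, kind, rx in RULES]

def recovery_tampering(events):
    """Map each host to the set of recovery-tampering behaviours seen on it."""
    seen = defaultdict(set)
    for ev in events:
        for name, kind, rx in COMPILED:
            if ev["kind"] == kind and rx.search(ev["detail"]):
                seen[ev["host"]].add(name)
    return dict(seen)

def flag_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours; a single one
    (for example an admin pruning shadow copies) is not enough on its own."""
    return sorted(h for h, b in recovery_tampering(events).items() if len(b) >= threshold)

# Constructed sample telemetry in a hypothetical format (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "process", "detail": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-01", "kind": "file_delete", "detail": r"C:\Windows\System32\rstrui.exe"},
    {"host": "ws-01", "kind": "registry_delete",
     "detail": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"},
    {"host": "ws-01", "kind": "registry_set",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1"},
    {"host": "srv-02", "kind": "process", "detail": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "ws-03", "kind": "registry_set",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=0"},
]

if __name__ == "__main__":
    for host, behaviours in recovery_tampering(SAMPLE_EVENTS).items():
        print(host, sorted(behaviours))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```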
The lesson, again, is that backups are the best defence against ransomware.
“By paying ransomware authors organizations are contributing to the proliferation of ransomware by providing threat actors with the capital necessary to mature their capabilities and infect future victims,” says Cisco [Nasdaq: CSCO]. And they teach attackers there’s a victim they can hit again.