FBI Director Wray Tells Ransomware Victims Not to Pay Up

Don’t ever pay a ransom to retrieve hijacked data or regain network access, Federal Bureau of Investigation director Christopher Wray advised ransomware victims in remarks to a U.S. Senate Appropriations Committee concerning the agency's $10.3 billion funding request for fiscal year 2022.

"In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back," Wray said, according to a Reuters account. The Justice Department recently disclosed it helped the Colonial Pipeline, which became prey to Russian hackers a few weeks back and paid upwards of $5 million to regain its data and network access, to recover some $2.3 million in cryptocurrency ransom it paid to hackers. "Sometimes through other work we've done, we might have the decryption key and be able to help the company unlock their data without having to pay the ransom," Wray said.

“We have to make it harder and more painful for hackers and criminals to do what they are doing,” Wray said, according to a transcript of his testimony. "We took upwards of 1,100 actions against cyber adversaries last year, including arrests, criminal charges, convictions, dismantlements, and disruptions, and enabled many more actions through our dedicated partnerships with the private sector, foreign partners, and at the federal, state, and local entities," he told the Committee in a prepared initial statement.

Federal law enforcement is investigating 100 different ransomware variants and now considers ransomware attacks as terrorism, Wray told the Wall Street Journal in a recent interview. Many of the ransomware types the agency is examining, each of which is responsible for at least a dozen and perhaps as many as 100 attacks in the U.S., can be traced back to Russian hackers, he said.

Ransomware events have tripled in the past year based on complaints to the FBI and input from businesses, according to Wray. Some security specialists figure that the average ransom payment has spiked precipitously in the past two years as the types of attacks have mutated from multiple, smaller forays to so-called big game heists. For example, Coveware’s Quarterly Ransomware Report shows the average ransom payment in the first three months of this year was $220,298, up 43 percent from $154,108 in the final three months of 2020. Figures from cybersecurity researchers at Palo Alto Networks are even more eye-popping, pegging the average ransom paid by victims in North America and Europe at $312,493 in 2020, a 173 percent jump from $115,123 in 2019.

Wray’s position that victims should refuse to meet a ransom demand is supported by the findings of a number of research studies. Eight in 10 organizations hit by a ransomware attack that elected to pay a ransom demand were attacked a second time, often by the same cyber crew, a global study by Cybereason of some 1,300 security professionals found. Many of those organizations that paid the ransom believed that they would recover their data intact by doing so. However, nearly half (46%) that regained access to their systems got back tainted data.

In another study by cybersecurity provider Kaspersky, despite ransomware’s growing popularity among hackers, employees’ awareness of how to act in a cyber extortion crisis is remarkably low. For example, some 37 percent of respondents were unable to accurately define ransomware let alone understand the damage it can deliver. Of those survey respondents who suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response.

Kaspersky counsels its customers to never pay a ransom no matter the circumstances. “When it comes to the question of paying a ransom, our recommendation is to never pay a ransom, and there are a few reasons for this,” said Brian Bartholomew, the security provider’s principal security researcher in its global research and analysis team. “First, paying a ransom will never guarantee that all of your data will be returned – it might be partially returned or not at all. There is also no way to tell if your information has been sold in underground markets once obtained,” he said.

“Second, paying a ransom only encourages cyber criminals to further carry out these attacks as they are one of the most financially profitable attacks malefactors can perform. The more business organizations give in to ransomware attacks, the more we will see them continue to trend in the threat landscape.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.