Don’t pay ransoms. But if you must, here’s where to buy the Bitcoins

Ransomware grew into a $1 billion industry last year, and ransom payments now account for nearly 10 percent of the entire Bitcoin economy.

Avoiding becoming part of that statistic requires good endpoint security and effective backups. But what if your defenses fail, your backups are inadequate, all attempts to restore the data fail, and you have to pay the ransom after all — what do you do?

First of all, get the ball rolling on improving your security. Second, if the ransomware includes a recommendation for where to buy the Bitcoins, take it with a grain of salt. These guys are, after all, criminals. They might steer you wrong.

Instead, go to a reputable exchange.

Several experts recommended Coinbase. It’s the largest Bitcoin company and received a license from the New York Department of Financial Services earlier this year. That means it has met the state’s consumer protection and cybersecurity standards.

“Coinbase is also the only exchange that is insured,” said Konstantinos Karagiannis, CTO of the security consulting practice at BT Americas. “They have Lloyds of London.”

It also has low transaction fees and is easy to use, he added.

“That’s what I recommend for newbies,” he said. “Coinbase is the most user-friendly and safest way to get Bitcoin.”

“But if you lose your password, they’re not going to cover you,” he warned.

Rick Holland, vice president of strategy at London-based Digital Shadows, also recommended Coinbase, but added that transactions can sometimes take up to four days.

“When dealing with a ransomware payment, however, time might be critical, so you need to find an exchange that transfers Bitcoin into your account quickly,” he said, recommending the Bitcoin broker Local Bitcoins.

For more exchanges, check out the list of recommendations at Bitcoin.com, said Israel Barak, CISO and incident response director at Cybereason.

“There are plenty of reputable sources there,” he said.

Barak said that he’s used several Bitcoin exchanges, including Coinbase, Bitpay, and Coingate, and they’ve delivered on their premises.

In addition, some vendors may also offer Bitcoin-related services, said Barak, if one of their clients needs to pay a ransom in a hurry.

Stock up in advance

If you think there’s a chance that your company will be hit and that you might have to pay a ransom, it might make sense to set up your Bitcoin account ahead of time and go through the exchange’s authentication system, and maybe even buy some Bitcoins to keep in reserve.

This is particularly important for companies that don’t have an emergency procurement process, said Barak.

“In some enterprises, if they get hit by ransomware and want to buy Bitcoin, it can take a while to go through procurement,” he said. “In some organizations, that can take days, maybe even more.”

The currency exchanges will normally have a wallet to keep Bitcoins in.

Coinbase, for example, allows customers to set up multiple wallets for their Bitcoins, and also offers a Bitcoin “vault” with extra security measures including the option to require approval from multiple users for each transaction.

“So if someone hijacks one of your email addresses, they won’t be able to get the money out that way,” said BT America’s Karagiannis.

“If it’s a small modest amount you want to keep on hand for quick transactions, Coinbase is good for that,” he added.

There are also other Bitcoin wallet alternatives out there, including ones that a company can keep on its own premises — though if the wallet itself gets caught up in the ransomware attack, that could cause problems.

How much should you buy?

According to Barak, ransom sizes vary based on the size of the victim. Individual consumers are typically hit for 1 or 2 Bitcoin, which is approximately $1,000 or $2,000.

Small to midsized companies see typical ransom demands of between 2 and 20 Bitcoin, said Barak.

“A large enterprise can see higher demands,” he added. “The largest we’ve seen was about $150,000, which was about 150 Bitcoin. But we are seeing a trend for an increase in the ransom demands, especially as it relates to larger enterprises and in ransomware that creates a bit more damage.”

Most experts recommend not paying the ransoms.

“The fact that ransomware attacks keep growing and are so prevalent is because there are people paying,” said Luis Corrons, PandaLabs technical director at Panda Security. “If all victims stopped paying, ransomware attacks would disappear in a matter of days.”

But that isn’t always practical, said Barak. Say, for example, the ransomware propagates through a large number of machines and attacks not only the data but also the operating systems.

Luis Corrons, PandaLabs technical director at Panda Security

“Option number one is that you reinstall all those machines,” he said. “That could take you days. Or you could pay the ransom and recover your business operations in an hour or so.”

But in some circumstances, you should never pay a ransom at all. Say, for example, an attacker threatens to release your corporate data.

“Even if the attacker proves that they have the data, shows some of it to you, you can never control where the data will go once they have it,” he said. There’s no guarantee that the criminal will erase all the data, like they promised.

And if you’re trying to avoid having to report a breach, paying the ransom won’t help, since you know the criminals have the data.

Another situation where you shouldn’t pay a ransom is to fend off a Distributed Denial-of-service attack (DDoS), said Barak.

“Ransom demands for DDoS attacks have been around for a long time and most of them are fraudulent,” he said.

Even for traditional ransomware, where the attackers encrypt your files, there are some good reasons not to pay, said Eldon Sprickerhoff, founder and chief security strategist at eSentire.

For example, the hackers may have embedded themselves in your systems, and if you don’t wipe the machines and restore from a good backup, they may stick around.

“You put yourself at risk for future attacks,” he said. “If a hacker is successful the first time, they will try again.”

Plus, even if you pay up, they might not restore all your files, or restore nothing at all, he said. “It’s just not worth the risk,” he said.

Instead, companies should prepare for an attack by making sure their back-ups are good, patching is up to date, systems are hardened and that users have been trained on what to look for, he said.

Finally, before deciding to make that ransomware payment, check with your legal department.

“Organizations need to understand the implications of paying out a ransom,” said Digital Shadows’ Holland. “A cyber security insurance policy could be invalidated because of a ransom payment.” 

Alternatives to paying the ransom

If you’ve been hit by ransomware, there’s a problem with the backups, and you don’t want to pay — or the criminals took your money and didn’t restore your data — there may be some options.

“The first thing you should do is look at some of the tools already published,” said Karagiannis. “It might be possible that you could have that removed without paying a penny.”

One place to get started is No More Ransom, a site backed by security companies including Intel Security, Kaspersky, Avast, Bitdefender and Trend Micro and a number of law enforcement organizations including Europol.

The site helps victims identify the type of ransomware they’ve been hit with, and offers downloads of the decryption solution if one is available.