Microsoft: We Never Encourage a Ransomware Victim To Pay (zdnet.com) 62
An anonymous reader shares a report: Ever since ransomware became a top threat in the mid-2010s, people have been arguing about the proper way of dealing with a ransomware attack and the merits of paying or not paying a ransom demand. A big point of contention has been "the official advice" that various companies or government agencies give out to victims. For example, in late 2015, the FBI found itself in the middle of a controversy when one of its agents publicly admitted that the bureau was, in many cases, recommending that victims pay ransom demands. At the time, many were shocked to find out that the FBI was telling victims to pay ransomware demands, and helping criminal gangs boost their profits.
The Bureau changed its official stance a few months later, in 2016, after US senators sent letters asking why the agency was helping out criminals. Since then, the FBI's official position has been to defer the decision to pay a ransom to the victim, with no formal advice. [...] In a blog post today, Microsoft, for the first time, revealed its stance on the matter. "We never encourage a ransomware victim to pay any form of ransom demand," said Ola Peters, Senior Cybersecurity Consultant for Microsoft Detection and Response Team (DART), the OS maker's official incident response team. "Paying a ransom is often expensive, dangerous, and only refuels the attackers' capacity to continue their operations," Peters added.
Except It's because of M$ That They Have To (Score:4, Insightful)
I find it ironic that the authors of the most insecure O/S of all time... OF... ALL... TIME... get all high and mighty about "we don't encourage people to pay the ransom to recover their data when our horrifically insecure O/S is compromised by skript kiddies."
Microsoft is the original article. (Score:1, Insightful)
It's pretty funny that Microsoft says they don't want people paying ransomware authors. Microsoft is the original form of ransomware! Want to open your Excel or Word document? Pay Microsoft the MS Office ransom or else your data is inaccessible. These new ransomware authors are just more of the same type of thinking -- take people's data, store it in some inaccessible format, and then charge people money to get access to their own data.
Re: Microsoft is the original article. (Score:1)
How did you create those files? Don't you still have the software you created them with?
Re: (Score:2)
Unfortunately no, because it doesn't run anymore in the new OS they duped the user into installing, and stepping back is not an option. For ... let's say compatibility reasons.
Re: (Score:1)
BS.
Are you telling me that my Office 2010 is not working? Shit I just edited an Excel file, opened a Word document from 2004 and even updated an Access Database.
I am sure glad you told me I can't do that any more.
Running on a 2011 era Asus Motherboard with Windows 1909 x64.
Re: (Score:3)
This isn't ransomware since you need to have Excel or Word to create the Word or Excel document in the first place. It isn't like Microsoft scrubs your system and turns all files into Excel or Word documents.
Aside from that there are plenty of other programs out there that can read Word or Excel files.
Re: (Score:2)
It's pretty funny that Microsoft says they don't want people paying ransomware authors. Microsoft is the original form of ransomware! Want to open your Excel or Word document? Pay Microsoft the MS Office ransom or else your data is inaccessible. These new ransomware authors are just more of the same type of thinking -- take people's data, store it in some inaccessible format, and then charge people money to get access to their own data.
This is basically the Software as a Service model.
Re: (Score:2)
You're unhappy now?
Wait 'til the Windows "monthly subscription" license scheme starts...
Re: (Score:1)
You mean like UNIX did in the 90's?
Welcome to the "good old days".
Re: (Score:2)
Honestly all the permissions and controls are in the OS but nobody bothers using them correctly.
Re: (Score:2)
Maybe people would if they didn't insist on burying those controls in the most ridiculously overconvoluted way possible.
Re: (Score:2)
Honest question - what is inside Linux or BSD to prevent a user space malware application from running and encrypting all the files you have r/w access to?
Re: (Score:1)
Don't forget:
By implication all Open Source users are superior programmers because they can read (not necessarily understand but understanding is not really required) code? And they read and provide proof that all the software running in their systems is "bug free" and non-compromisable.
Re: (Score:1)
Honest question - what is inside Linux or BSD to prevent a user space malware application from running and encrypting all the files you have r/w access to?
Basically any OS can be compromised, especially if you log in as a system administrator. Linux, Unix and even MS-Windows allow the user to log in as a "normal" user (i.e. one without any system admin privileges) although many people will log in (especially with MS-Windows) as a user with privileges which can be catastrophic if they get "conned" into installing malware.
Linux and Unix are fairly safe against malware which is aimed against MS-Windows users although it must be remembered that no operating syste
Re: (Score:2)
To be fair they did adopt open formats for Office documents over a decade ago. The main compatibility issue tends to be with macros, especially in Excel. But no one else has solved that either, Libre Office macros and Google macros and all the rest are incompatible.
Microsoft should go the next step (Score:2)
Use all the personal info they collect on all of us. Find who the ransomware attacker is. And order a fleet of Apache Helicopters after them.
Re: (Score:3)
And order a fleet of Apache Helicopters after them.
It's Microsoft, they would never send open source helicopters. It'll be proprietary helicopters running IIS, and they'll charge a fortune per seat.
Re: (Score:2)
Use all the personal info they collect on all of us. Find who the ransomware attacker is. And order a fleet of Apache Helicopters after them.
Surely it would be a fleet of IIS helicopters?
yeah you just encourage to pay to security company (Score:4, Interesting)
who just pays on your behalf then to the people running the extortion racket.
I mean that's the easiest way anyways. it's not cheaper of course since you pay to a middleman, but you can at least pretend that you didn't pay the criminals.
Re: (Score:3)
Once a few bodies pile up I think that people will start to get the message. I won't stop the state actors targeting the state or m
Re: (Score:2)
A lot of these ransom operations are based in foreign countries. Although they are probably not state sponsored actors, their host governments probably turn a blind eye toward them so long as they don't attack domestically. Now, turn the situation around. How would we like it if Russia sent Spetsnaz into Texas to start kicking in the doors of phony corporations hiding oligarchs' assets?
Also, the NSA can probably trace back to the source of the infected e-mails that launched the ransomware attack. But that'
Re: (Score:2)
Hey, the US has gone to war over more ridiculous reasons.
Re: (Score:1)
Also, the NSA can probably trace back to the source of the infected e-mails that launched the ransomware attack.
Or maybe the NSA is the source... it's not such a big stretch.
Anyway, it's simple economics, whether it's cheaper to pay the ransom or to keep backups
Re: (Score:2)
Or maybe the NSA is the source... it's not such a big stretch.
The source in that they might be the original authors of the malware, yes. I doubt the ransom operations is any of their doing (they have plenty of budget as it is). But once they see their toolkit being used by crooks, they probably do just keep their mouth shut about it.
Re: (Score:2)
well, they don't know who it is and they don't have the resources to decrypt the data without paying.
it's all about convenience really. also normal countries regularly pay ransoms for kidnappings and such. they always say they don't, but they do.
plus what you're describing is highly illegal (internationally and domestically) and they don't know WHICH bodies they would need to make into dead bodies and they would need to publicize it because otherwise it wouldn't have any deterrent and to publicize it would b
Re: (Score:2)
leaving your customers with a buggy operating system that permits these sort of attacks to succeed in the first place
How exactly is it the operating system's fault? Ransomware authors aren't hacking into computers & encrypting things, they're tricking the end user into launching an executable that does it. Same thing could happen on a Mac or on Linux. Humans are always the weakest link in security.
Re: and why would you? (Score:3)
Because Microsoft Windows is designed in such a way that programs have extensive and deep permissions. Also, many require "administrator", which is almost as many privileges as root, to function at all.
To be fair it's not like Microsoft can really fix this without breaking most existing software. And the Android/iOS security model, while it is a lot better, is inherently flawed in that most users are going to say yes to most permission popups.
Re: (Score:1)
So in your world everyone runs as a member of the Administrator group?
You are begging to be hacked or you work for one of the most stupid companies on the planet.
Yeah I know the issue. I worked for a company that had every Windows NT user running as an Administrator. When the Corporate Security officer came to our campus and did a security scan - with a company sanctioned hacker inside our firewall that had stopped the hacker from getting into the campus systems.
It took the hacker 5 seconds to break into our SAP
Re: (Score:1)
The biggest issue we had was the fucking vendors coming in and wanting Admin access to "install" and manage their software on our hardware/network. I escorted a few of them out of the Datacenter, contacted our security officer who had a closed office "discussion" with them. Each and every one of them worked with us to install their software, because they wanted the money.
That is crazy insane. That means that there are companies that allow this sort of thing? The entire computing industry needs to formalize and require professional credentials and policies. Like a UL listing or something for both development and system management.
Re: (Score:2)
Who Cares? (Score:3)
Re: (Score:1)
So the people you work for do not have a person in charge of computing security? Or are you being complicit in making your company vulnerable.
But they have the end of Windows 7 ransom (Score:5, Interesting)
Corrupt files = no jail time? (Score:2)
So, if I just corrupt your files instead of remove them completely I won't be committing a crime?.... like MS does with MS-Office? almost encrypt all your docs into something that will never completely work with different software (including skipping too many versions of Office.)
Upgrade MS (pay $) or suffer the consequences!
No. (Score:2)
The fact that Windows 7 is at end-of-life does not equate to "ransom". First of all, Microsoft has long provided details for how long their products will be supported, and to what extent. If you don't like their terms, don't use their products.
Furthermore, you're under no obligation to adopt Windows 10. Again, if you don't like it, use something else.
What else can be done? (Score:2)
If you don't have a good backup of the data, and the encryption can't be brute-forced, I can't see another way to get the data back. Of course you can say that these companies should have had offline backups that can't be encrypted. But, the vast majority of these ransomware attacks (at least the public ones) have been local government and healthcare. Local government is infamous for having essentially a zero IT budget - if they're lucky they have FTEs of which they can't attract the best because of the low
Re: (Score:2)
There is a simple solution to this. Make *paying* the ransom for ransomware (or any kind of IT access ransoms) illegal at the federal level with only some exception for the FBI to pay in life or death situations. This could probably be done by executive order since it is already mostly illegal as the payment likely violates sanctions or assists/funds the associated criminal group. Overnight, local governments and any reasonable-sized or publicly traded businesses (the preferred customers of ransomware pe
Re: (Score:2)
Criminals now posting confidential docs (Score:2)
Interesting GDPR consequences. And what if the company didn't notify its customers, much less if there was credit card information involved.
h [krebsonsecurity.com]
Re: (Score:2)
Depending on the company you are, your options may also include "find out who they are and consider that dead men don't sell information".
"We don't encourage." LIES! (Score:2)
Nowadays, these companies' data is their most valuable asset.
And if their backup solution is insufficiently robust (a real problem as most small companies can't really afford the depth of backup retention a properly paranoid setup would call for.
Or if recent additions are inordinately valuable (like you're trying to close on a multi-million dollar deal your star salesguy pulled out of his ass last week).
Do you tell the ransomware asshole "Fuck off! It's only going to destroy my company!"?
Or do you pay?
If y
Re: (Score:1)
Microsoft's perspective is not yours (Score:2)
Paying the ransom might get your data back (good). However it encourages hackers to conduct ransomware attacks on other people (bad).
Microsoft recommends that you not pay. You lose your data, but the hackers are likely to attack fewer other people in the future.
This may be the best approach for society as a whole, and for Microsoft's customers as a whole. Thus Microsoft recommends it. But is it the best approach for you personally? I guess it depends how much you are willing to sacrifice in the name of altr
"We Never Encourage a Ransomware Victim To Pay" (Score:2)
Re: (Score:2)
"But we don't offer any solution either"
Microsoft provides free and effective backup solutions with Windows:
Windows Backup and Restore [microsoft.com]
Windows Server Backup [microsoft.com]
Then work harder (Score:1)
Work harder with trusted AV brands to better secure the OS?
ie get the world to upgrade to Windows 10.
Work much harder on securing Windows 10...
Hire a lot more security "experts"...
If one pays, pass the story it didn't help (Score:1)