
Ransomware attacks are typically honest; in other words, if you pay, they unlock your files.


Do we have actual, hard data backing this up ? I see this touted each time ransomware is involved, sometimes backed with the 'logical' argument that the business model would crumble if that wasn't the case. But I have yet to see any research into whether those ransomware really do unlock those files.


Not the commenter, and also don't have data other than some anecdotal, but what benefit do the hackers gain by not unlocking data? If they stop unlocking, then people stop paying. It would become a lose-lose situation if they didn't follow through with their promises. Even criminals understand that.


I think the main benefit would be that they have a better chance of getting paid. Developing an unlocking mechanism is technically challenging and takes time and money to implement. It also adds risk - if there's an unlocking mechanism it's possible someone can crack it.

By not developing an unlock in the first place they can get it out quicker and have less risk. Sure, the next hacker may not get paid because they aren't trusted but for the most part we're talking about individual operations.


> if there's an unlocking mechanism it's possible someone can crack it.

Not at all. This is run-of-the-mill encryption. You pay the bitcoins, your computer receives the decryption key. There is no possible way to crack it, otherwise the entire internet would be broken. (i.e. TLS)


I don't follow - are you referring to this specific malware (which tbh I don't know much about) or ransomware in general? There have been plenty of ransomware cracks and decryptors released - programmers aren't perfect.

https://noransom.kaspersky.com/


Oh, just ransomware in general. I was under the impression that most of the big ones just did simple encryption, and hold the decryption key ransom on an external server. It would defeat the purpose if they kept the decryption key on the local machine, because yeah, then you could just release a tool like the ones you mentioned.


Except there've been multiple cases of ransomware where the encryption was improperly implemented and trivially cracked.

Similar to the entire internet, while the tools to securely encrypt things exist, incompetence can cause people to roll their own, or roll things out improperly.


Encryption is difficult to get right. Multiple ransomwares have failed because they screwed it up and it was possible to decrypt without paying. It's also time consuming. It takes a long time to encrypt every file on a hard drive and antivirus will scan for that kind of behavior.

Whereas throwing together a program that corrupts every file on the hard drive is not too difficult.
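The comment above notes that antivirus looks for the behaviour of mass-rewriting files with encrypted output. Below is an added illustration, not code from the thread or from any AV product, of one cheap signal such a detector can use: the Shannon entropy of a file's contents jumping from "compressible text" to "indistinguishable from random" across a write, counted per process. The process IDs, file names and write events are constructed sample data; a real detector would combine this with rename patterns, write rates and canary files rather than rely on entropy alone.

```python
import math
import random
from collections import Counter, defaultdict
from pathlib import PurePosixPath
from typing import Dict, List, NamedTuple

# File types that normally contain compressible (low-entropy) data. Already
# compressed or encrypted formats (.zip, .jpg, .docx) are high entropy by
# nature, so an entropy jump check on them would just produce false positives.
LOW_ENTROPY_EXTENSIONS = {".txt", ".csv", ".log", ".html", ".sql", ".py"}


class WriteEvent(NamedTuple):
    pid: int        # process that performed the write (constructed)
    path: str       # path as it was before the write (constructed)
    before: bytes   # file contents before the write
    after: bytes    # file contents after the write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_rewrite(event: WriteEvent, threshold: float = 7.0) -> bool:
    """A normally compressible file whose contents went from low to
    near-random entropy in one write looks like in-place encryption."""
    if PurePosixPath(event.path).suffix.lower() not in LOW_ENTROPY_EXTENSIONS:
        return False
    return (shannon_entropy(event.before) < threshold
            and shannon_entropy(event.after) >= threshold)


def count_suspicious_by_pid(events: List[WriteEvent]) -> Dict[int, int]:
    """Number of suspicious rewrites attributed to each process."""
    counts: Dict[int, int] = defaultdict(int)
    for ev in events:
        if is_suspicious_rewrite(ev):
            counts[ev.pid] += 1
    return dict(counts)


def flag_processes(events: List[WriteEvent], min_count: int = 3) -> List[int]:
    """Processes that crossed the threshold, most active first.
    A single high-entropy write is normal (e.g. saving a key file); many in a
    row across unrelated documents is the ransomware pattern."""
    counts = count_suspicious_by_pid(events)
    return sorted((pid for pid, c in counts.items() if c >= min_count),
                  key=lambda pid: -counts[pid])


def build_sample_events() -> List[WriteEvent]:
    """Constructed write stream: one editor, one image tool, one encryptor."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext bytes
    text = b"Quarterly notes: revenue up, costs flat, hiring paused.\n" * 20
    events = [
        # pid 1001: a text editor saving ordinary documents (benign)
        WriteEvent(1001, "/home/ann/notes.txt", text, text + b"Addendum.\n"),
        WriteEvent(1001, "/home/ann/todo.txt", text, text[:100]),
        # pid 2002: an image tool rewriting a JPEG with compressed (random-
        # looking) bytes; ignored because .jpg is high entropy anyway (benign)
        WriteEvent(2002, "/home/ann/photo.jpg", rng.randbytes(512),
                   rng.randbytes(512)),
    ]
    # pid 6666: every text document replaced by random-looking bytes
    for name in ("a.txt", "b.csv", "c.log", "d.sql"):
        events.append(WriteEvent(6666, f"/home/ann/{name}", text,
                                 rng.randbytes(1024)))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"pid={ev.pid} {ev.path}: "
              f"{shannon_entropy(ev.before):.2f} -> {shannon_entropy(ev.after):.2f}"
              f"{'  SUSPICIOUS' if is_suspicious_rewrite(ev) else ''}")
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

Running it prints the per-write entropies and flags only pid 6666; the editor's saves stay around 4 bits per byte and the JPEG rewrite is skipped because its format is high entropy to begin with. The weakness of this signal is the inverse case: malware that simply corrupts files with low-entropy garbage, as the comment suggests, does not trip an entropy-jump check, which is why real detectors also watch for bulk renames, rapid writes across many directories and touches to planted canary files.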


First the kill switch, now this: https://github.com/aguinet/wannakey

You were wrong.


Oh yeah I saw that, but this was also interesting:

> This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won't work)

(From https://news.ycombinator.com/item?id=14377328)

So it's yet another security bug in Windows that lets people recover those keys.


It's a tragedy of the commons problem. For any individual author of cryptolocker malware, your incentive is to just not bother writing an unlock mechanism. It's easier to just overwrite everything from /dev/urandom.

If a sufficiently large proportion of cryptolocker malware didn't actually have an unlock mechanism, it would become apparent quite quickly. We'd see reports on places like HN and SO, ultimately trickling out into the popular press. Only the most naive victims would ever bother paying the ransom, because it would be common knowledge that it doesn't work.

In the long run, ransomware is only successful if paying the ransom usually works. There may be an element of collusion amongst organised criminals, or simply a sense of personal pride by the authors.


The collusion can happen without actual discussions.

Everybody understands that it is in their future business interest to unlock.


"but for the most part we're talking about individual operations" I'd actually argue against this. From what I've read, most of these are run by organized crime in eastern European countries or Russia.


I don't have any data, but a professor who taught me said that this is how it works. He's an expert on botnets and is in close contact with major AV vendors.


Yes (citation required, but I've read articles to that exact effect). This is what distinguishes this as organised crime vs petty vandalism. If the mob smashed up your place even after you paid the protection money, they'd go out of business.


Did you ever see an article about someone paying a ransom and not getting their data back?


Some ransomware (e.g. Hitler [1]) deletes files rather than encrypting them, making recovery impossible.

[1]: https://www.bleepingcomputer.com/news/security/development-v...


Sure, but if we were to use the same argument on that ransomware as the standard "encrypting" type, then if you pay before the time limit is up, it's still going to give you back your files.

Are there any examples where that's not the case? Where regardless of payment, you're still fucked (either by files not being decrypted or by them deleting regardless of payment?)


A coworker paid one for an organisation he helps out with IT issues. The files were unlocked.


Apparently, you can even try to negotiate with them:

http://www.radiolab.org/story/darkode/


lol, the three comments replying to you as of now are

1. Anecdote about the "logical" argument you already described

2. Anecdote from an internet person about an unnamed professor

3. A call to selection bias, with no hard evidence


What about really old ransomware where the payment release systems are no longer maintained? Are there some cases where old dead ransomware is still infecting people, but the scripts to unlock things on payment are no longer running?


My understanding is that the decryption key release is performed manually.


> Ransomware attacks are typically honest

For a rather generous interpretation of "honest" :)


If the malware wasn't removed, will it kick in again after a while, or does paying the ransom give you immunity?

