Microsoft: We never encourage a ransomware victim to pay

Ever since ransomware became a top threat in the mid-2010s, people have been arguing about the proper way of dealing with a ransomware attack and the merits of paying or not paying a ransom demand.

A big point of contention has been “the official advice” that various companies or government agencies give out to victims.

For example, in late 2015, the FBI found itself in the middle of a controversy when one of its agents publicly admitted that the bureau was, in many cases, recommending that victims pay ransom demands.

At the time, many were shocked to find out that the FBI was telling victims to pay ransomware demands, and helping criminal gangs boost their profits.

The Bureau changed its official stance a few months later, in 2016, after US senators sent letters asking why the agency was helping out criminals.

Since then, the FBI’s official position has been to defer the decision to pay a ransom to the victim, with no formal advice. Instead, the agency has requested only one thing — that victims report infections, so the agency can get an idea what ransomware strains and groups are the most active today, and the overall breadth of the ransomware epidemy.

The controversy that surrounded the FBI’s initial advice for dealing with ransomware infections has triggered endless debates online about the merits of paying a ransomware demand, and what stance various companies and agencies have on this topic.

In a blog post today, Microsoft, for the first time, revealed its stance on the matter.

“We never encourage a ransomware victim to pay any form of ransom demand,” said Ola Peters, Senior Cybersecurity Consultant for Microsoft Detection and Response Team (DART), the OS maker’s official incident response team.

“Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations,” Peters added.

However, Microsoft understands that in many cases, organizations are sometimes left with only one option on the table — paying the ransom — as they don’t have access to recent backups, or the ransomware encrypted the backups as well.

But even if victims choose to pay the ransom, Microsoft warns that “paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.”

For example, the decryption key might not work, the decryption app may contain bugs and end up destroying data, or the ransomware gang might have lost the original decryption key, and they’re just running a scam.

Instead, Microsoft would want companies to take a pro-active approach and treat ransomware or any form of cyber-attack “as a matter of when” and not “whether.”

Companies, Microsoft says, should invest in minimizing the attack surface and in creating a solid backup strategy so they can recover from any attack. More precisely, the OS maker recommends that companies follow six simple steps to prepare to respond to a ransomware attack, whenever that would happen:

1. Use an effective email filtering solution
2. Regular hardware and software systems patching and effective vulnerability management
3. Use up-to-date antivirus and an endpoint detection and response (EDR) solution
4. Separate administrative and privileged credentials from standard credentials
5. Implement an effective application whitelisting program
6. Regularly back up critical systems and files