Are businesses stockpiling bitcoins in case of ransomware? If so, they shouldn’t

There’s been a lot of press coverage, up to TV coverage, of the claim that businesses are stockpiling bitcoins in case of a ransomware attack, particularly in the past year or so. For the ransomware section in chapter 7 of the book, I tried tracing this claim back to its sources. (This is always an interesting exercise, and if you need to sort out the substance from the BS in the blockchain world, I urge you to get some practice in.)

What I found: pretty much all the press traced back to a single Citrix 2016 press release, a survey making a claim that a third of the businesses they spoke to were stockpiling bitcoins. The precise claim was:

The poll also revealed that a third (33 per cent) of UK companies are now building a ready stockpile of digital currency (for example, Bitcoin) in case of ransomware attack

They didn’t release the survey data itself or the wording of the questions that I could find, just the press release. In June 2017, just as I was finishing up, Citrix released a followup survey, generating a bit more press.

It makes good headlines, and you can get people to comment at length on the implications of it, so the press ran many stories on the subject — but these two press releases are the only sources of numbers for the claim.

(I must note that Citrix haven’t done anything questionable here — they seem to have just done a survey on security that got an interesting and potentially important result, that was good for some publicity and their name in the papers.)

I asked in the comments of the second post about the question wording and the survey method, and someone from Citrix UK & Ireland kindly replied with the full survey wording. The question on this particular topic was:

4. Do you keep a ready stock of digital currency (e.g. Bitcoin) in case of ransomware attack?

The survey was conducted by OnePoll from a somewhat self-selecting sample. Anyone in IT will have encountered the typical IT survey — you’re on a site and it asks you to do a survey, possibly for a T-shirt or the chance at an Amazon voucher, or they have your address so you get an email asking you to do it.

This is completely standard methodology for surveys in IT. However, the self-selection means it may still be of questionable statistical validity as a properly random sample.

In particular, I’m sceptical that a full third of UK companies are stockpiling bitcoins. I could be wrong, but this seems just implausible to me. I have heard of zero cases asking amongst the IT people I know, and they don’t know of any either.

In the wake of the original press releases, there have been occasional claims without numbers, and I do hear the odd bit of comment-section gossip from people saying they know of companies doing this. And this is the sort of area where gathering hard numbers is going to be difficult, because people aren’t going to want to talk about it. So I would guess that some companies are indeed doing this, but that the percentage isn’t very large.

I must note that it’s really not a good idea to count on paying the ransom to get your files back. The FBI recommends against paying ransoms, as you mark yourself a victim for future ransoms, and quite often you don’t get a decryption key anyway. Telstra’s Cyber Security Report 2017 (PDF) echoes that last point — “Our research found that nearly one in three of the organisations who paid a ransom did not recover their files.” (Their survey was conducted in a similar somewhat self-selected manner.)

You are vastly better served by proper backups. On Windows in particular, keep up with security updates. You want to be in a state where if your machine is ransomwared, you can wipe it and start afresh, and lose no more than a few hours’ work.

This is entirely achievable and the standard you should be working to. When the NHS was hit by the WannaCry ransomware in May, it took out PCs for most of Friday afternoon and evening — but the patient data was all on central servers, so all they had to do was spend Saturday wiping and reimaging thousands of PCs. (So I’m told by someone in IT at an NHS trust who thought he was going to have a weekend, but instead got to enjoy this fabulously dull task.)

If you do get an apparent ransomware infection, it’s worth checking it isn’t fake ransomware, that locks your screen and demands your money, but doesn’t bother encrypting your files!

Become a Patron!

Your subscriptions keep this site going. Sign up today!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.