[iamsohungry]

> Unfortunately, for the individual victim, paying is usually the best of a set of bad options

Is it?

From the perspective of the hacker, the hacker's best move is to take the money and simply demand more. There's zero incentive for the hacker to return the victim's data.

This becomes a probablistic situation: the approach I'd take if I were a victim would be to borrow an analogy from poker for the problem of deciding whether to call in order to possibly win a pot. First, I'd determine how much the data is worth to me, and use that to determine my "pot odds":

    pot_odds = ransom / value_of_data

I'd then try to figure out how often hackers actually return the data on a ransom:

    odds_of_data_being_returned ~= times_data_has_been_returned_after_ransom_paid / times_ransom_has_been_paid

At this point, we can decide whether it's a rational choice to pay the ransom:

    if pot_odds < odds_of_data_being_returned:
        pay_the_ransom()

Areas for research: this is a pretty unsophisticated way of determining the odds of the data being returned. I don't have data on how often hackers return data upon being paid the ransom, but I suspect if we gathered data we could get a better probability. For example, one could use linguistic patterns in the hacker's communication to fingerprint different ransomware hackers, and use that to get a probability for each individual hacker. It's likely that some hackers never return the data, and some hackers always return the data, and each of these probabilities has drastically different effects on the outcome of our decision algorithm.

[llamataboot]

Not in the long-term, because then they gain a reputation as someone not to be "trusted". Many of these outfits have their own support forums, make it easy to pay, etc and happily hand your data back over because they make money in volume, not from one particular mark. You gain a reputation as being easy to work with and unlocking data and offering the support to do so, many more people will pay just to get rid of the headache when their computers are locked down.

[iamsohungry]

While I'm sure this is true and some hackers behave based on this idea, there are two issues:

1. "Many of these outfits" is not all: we still need a way to determine whether we should pay a ransom.

2. I'm sure I could manufacture a support forum which shows me to be trustworthy in an afternoon.

[lkowalcz]

For (1), this is the reason the ransom is small. Since "many" are actually trustworthy, it's a small risk to pay the relatively small ransom. (Also, you can verify via bitcoin address if you're dealing with a hacker who is known to give data back.)

For (2), could you also find a way to get the FBI to release a statement saying you are trustworthy?

[icebraining]

Also, you can verify via bitcoin address if you're dealing with a hacker who is known to give data back.

How so? Presumably they use a different one for each payment, no? Otherwise, how could they tell who paid?

[lkowalcz]

Apparently they reuse the primary wallet quite frequently:

http://www.coindesk.com/cryptowall-325-million-bitcoin-ranso...

[spdustin]

The vast majority of the "hackers" never see you signing in and paying the Bitcoin. The systems are automated to the point that paying the ransom triggers a process that results in the browser passing the decryption key back to the client-side malware which then decrypts your file. Electronic software delivery is a much more economical way for these enterprising thugs to be profitable at scale.

[hsitz]

"> Unfortunately, for the individual victim, paying is usually the best of a set of bad options

Is it?"

Also, think what would happen if a ransomer failed to give the data back after being paid. The only benefit for the ransomer on that mark is to then say, "No, now I want x-more dollars." What is the mark going to do then, once the ransomer has proven untrustworthy? Give them yet more money?

[iamsohungry]

99% of the time, no, the mark will give them nothing, but it only takes 1% to make it viable.

I do buy the reputation argument when applied on a larger scale, though. I didn't realize that some of these operations were as large as other commenters have pointed out.