This week we learned about two events of data ransom. One is in the distant (by the Internet news cycle's terms) past, and the other is quite recent. In 2007, a group of people got ahold of the private key that Nokia used to sign smartphone software, including operating system updates. Once you get ahold of the signing keys like this, it becomes pretty trivial to do something like turning every Nokia phone into a device dedicated to showing people Goatse. The fact that they had the signing key is an implicit indicator of further compromise. Once you are so deep on someone's network that you grab their signing keys, that means you popped everything else on the way there.
Nokia carefully weighed the realities of how fucked they were and what was best for their customers. They did the right thing: paid out the millions of euros that were asked of them. That was the last they heard of it. We in fact would have never even heard of this incident had Finnish police not been dumb enough to comment on it to the Finnish news media. Just goes to show that calling the cops will never help you in a situation like this.
Two days ago, a company called CodeSpaces was compromised to a similar degree. CodeSpaces' company mission is to provide, I quote, "secure Source Code hosting and project managements". The very description of their business is security and they completely failed at it. I'm sure this level of incompetence will follow founder Floyd Price and CTO Adrian O'Conner around to future job interviews and investment proposals. CodeSpaces got owned. They were asked for a payout. They refused to comply. CodeSpaces' backups had been poisoned. They were popped end to end. Everything got deleted and there are no useful backups. CodeSpaces is no longer in business.
There's a lesson here. You need to take care of information security in advance. If you don't, and you get owned, pay the fuck up. Some people ask, "What's to stop my attackers from coming back and demanding more money later?" Firstly, think about it from the perspective of self-interest in the marketplace. This is the question everyone is asking when they are pondering paying out. Now, if you're the kind of person who makes his living from extortion, you need to establish a reputation that you are going to make good on your promises. If everyone knows that they aren't actually going to get what they were promised when they pay out, they no longer have an incentive to pay. Nobody can actually identify cases of data ransom where people's businesses were interrupted after a payout. There is a clear reason for this: it is bad for the business of data ransom.
Secondly, think about this from the perspective of game theory. If you pay the fee, it is a cost of doing business and you have a hope of recovering from the loss with future revenues. If you don't pay the fee, you can rest assured that you will be ruined completely and there will be no possibility of recovery. There is only one avenue of action that leads to a positive result: paying up. So seriously, for the good of your business, and the good of your customers, do the right thing. Whip out your fucking checkbook when it is asked of you.