Ransomware attacks like CryptoLocker have been plaguing users for a while now. The recent shutdown of the Gameover Zeus botnet has led to a dramatic decline in these types of attacks, but you can expect that cybercriminals will regroup and launch new ones soon enough. But KnowBe4, a company that offers security awareness training, is so confident it can teach users to protect themselves, it's offering to pay the ransom if a customer falls victim to a ransomware scheme.
Ransomware attacks like CryptoLocker compromise a PC by encrypting all of its data (and possibly all data on connected external or network drives as well) and holding it ransom. The attackers demand payment — often in the form of Bitcoin which is more difficult to trace — in exchange for providing the key necessary decryption key.
The FBI estimates that more than 200,000 users have been affected by ransomware, including CryptoLocker, CryptoDefense, and CryptoBit — accounting for somewhere in the neighborhood of $30 million worth of ransom payments in the last quarter of 2013 alone.
Unfortunately, ransomware falls into an area that is as much social engineering as it is malware in most cases, and often antimalware tools fail to detect it. It is the user behavior of opening attachments or clicking on links that leads to compromise.
"Now is a very good time for IT to seize the moment and train its users," said Stu Sjouwerman, CEO of KnowBe4, in a statement. "Anyone hit with CryptoLocker knows how destructive it can be. With the large number of phishing threats hitting companies, people can become immune to alerts. We help IT be more proactive and train employees to learn which Red Flags to look for and how to keep themselves and the network protected."
It may be more of a publicity stunt than anything else, but the guarantee is nothing to scoff at. It is a simple truth that users are the weakest link in the security chain, and it makes sense that an investment in security awareness training should yield as much or more benefit than an equal investment in yet another layer of defense — a layer that can be easily bypassed by preying on human nature and tricking the user into doing something they shouldn't.
Sign up for Computerworld eNewsletters.