Faced with few options, companies are increasingly giving in to cybercriminals who hold their data hostage and demand payment for its return, while law enforcement officials struggle to catch the nearly invisible perpetrators.
The risks to organizations have become so severe that many simply pay their attackers to make them go away—a strategy that may only embolden the crooks.
It’s a case of asymmetric electronic warfare. Ransomware, which encrypts files until a victim pays to have them unlocked, can be devastating to an organization. Barring an up-to-date backup, little can be done aside from paying the attackers to provide the decryption keys.
Less common but just as harmful are extortion schemes, where attackers claim to have stolen critical data and threaten to publicly release it unless their demands are met. Timeframes are tight: Hackers may give a company less than 48 hours to comply, setting off a race to confirm what data, if any, has been stolen.
The costs of ransomware and extortion are difficult to calculate. Last June, the FBI estimated that the CryptoWall ransomware family alone had cost U.S. organizations $18 million over the prior year. In October, an industry group put the total cost of CryptoWall—which was first detected in mid-2014—far higher, at a staggering $325 million.
Extortion costs are even harder to estimate, since companies are often unwilling to admit they fell victim. Computer security company FireEye says it knows of companies that paid more than $1,000,000 to prevent sensitive data being released, though most incidents are resolved for less.
The volume of cases is overwhelming law enforcement, said Erin Nealy Cox, a former federal cybercrime prosecutor and head of the incident response unit at Stroz Friedberg, which conducts computer forensic investigations.
The FBI and the Secret Service “in many cases are fine with in essence acquiescing to payment of the ransom,” Nealy Cox said, though he emphasized that this is not their official position.
Groups conducting the attacks are difficult to find. They’re experienced at covering their tracks and demand payment in the cryptocurrency bitcoin, which makes payments hard to trace. Also, the hackers are often based in countries that don’t cooperate closely with the U.S. on cybersecurity, making arrests unlikely.
Unlocking the encrypted files is often near impossible.
“It’s a a big challenge to decrypt victims,” said Andrew Komarov, CIO of InfoArmor, which collects intelligence on cyberthreats.
InfoArmor has had some success in disrupting ransomware, by infiltrating the computer networks used to control it. In one example, Komarov said a vulnerability was found within the command-and-control network used to distribute ransomware called CryptoLocker.
The vulnerability allowed researchers to send a command that made it appear that thousands of victims had paid their ransom, causing their computers to be decrypted, according to InfoArmor’s report.
But happy endings are uncommon. The most well-documented ransomware incidents have hit the medical industry. Hollywood Presbyterian Medical Center in Los Angeles paid 40 bitcoins—about $17,000—to decrypt its files.
Allen Stefanek, president and CEO of Hollywood Presbyterian, said the payment was “in the best interest of restoring normal operations.”
Four weeks later, Methodist Hospital of Henderson, Kentucky, said a piece of ransomware known as Locky infected its systems, according to computer security writer Brian Krebs. The hospital did not pay a ransom but was able to restore its systems, according to a local news report.
Ransomware and extortion schemes offer advantages over other methods of cybercrime. Rather than stealing data and needing to find a buyer for it in risky transactions that take place in underground forums, a vulnerable victim is approached for payment directly.
“We’re starting to see adversaries in many regions start thinking of data as a weapon,” said Dmitri Alperovitch, CEO of Crowdstrike. “Certainly the North Koreans did that with Sony.”
Sony Pictures, whose attackers released gigabytes of sensitive internal data and destroyed computers, was asked to not release a film that was seen as offensive to North Korean leader Kim Jong-un. The U.S. government quickly attributed the attack to North Korea.
Paying a ransom is a hang-wringing proposition and not one without its opponents.
Last month, Roman Hussy, who runs a security blog, launched a Ransomware Tracker—a tool that catalogs servers around the world that have been tied to ransomware campaigns. He started the tracker after seeing many people become victims.
“The golden rule is performing backups frequently and never pay any ransoms,” Hussy wrote. “Paying ransoms will fund the miscreants’ cybercrime operation and the infrastructure that they are using to commit further fraud, as well as motivate the attackers to keep carrying out their attacks.”
Hussy’s resistance strategy might work eventually, but it would require many organizations to fall on their swords.
Kevin Mandia, chief operating officer of FireEye and founder of Mandiant, said the result of not paying could mean great risk and embarrassment—if, for example, a company’s general counsel’s email is leaked.
“What would you do?” Mandia said in a recent interview. “The alternatives are pretty bad.”
The uptick in ransomware and extortion attempts is likely an outgrowth of better payment card security in the U.S. Stolen card details are getting harder to monetize, so attackers have ound an easier route to generate cash.
FireEye has seen some of the same hacking tools and infrastructure use for state-sponsored cyberespionage now being used for extortion, suggesting experienced hackers see a gravy train.
“Finally, Russian organized crime and groups out of China realized, well, we still have the hacking skills, we’re getting card data we can’t monetize as easily anymore, so just extort,” Mandia said.
On March 22, the Department of Justice unsealed charges against three members of the Syrian Electronic Army, a group that waged a multi-year hacking campaign in support of President Bashar al-Assad.
Two of the men are also accused of extorting 14 U.S. and international victims after hacking their systems and threatening to cause damage or sell stolen data. The victims included a Chinese online gaming company, a U.K. web hosting provider and an online media company.
All told, the men allegedly demanded more than $500,000, although they frequently lowered their demands after negotiation, according to the criminal complaint.
“Some of this is like hostage negotiations,” Crowdstrike’s Alperovitch said. “You can start the dialog with a criminal and see if you can stall them and get yourself more time.”
But “nothing is foolproof when you’re dealing with thieves,” he said.