The best that officials in Plainfield, N.J., can tell, the hackers got in when someone was on the Internet researching grants, and soon employees in the mayor’s office were locked out of their own files. City officials scrambled to pull servers offline, but three had been compromised, leaving memos, city newsletters and other documents inaccessible.
The culprits said they would release the files, but only if the city coughed up about 650 euros, paid in bitcoin, Mayor Adrian Mapp said. When the city instead turned to law enforcement, he said, the hackers vanished.
The computers in Plainfield had been infected with “ransomware” — a type of malware that cybersecurity experts and law enforcement officials say is proliferating across the United States and around the world. The malware gets into people’s computers, often because they click on a link or open an attachment in an email, then encrypts files or otherwise locks users out until they pay for the key.
Officials say that more people are paying — and, consequently, more criminal enterprises are launching ransomware attacks. In a nine-month period in 2014, the FBI received 1,838 complaints about ransomware, and it estimates that victims lost more than $23.7 million. The next year, the bureau received 2,453 complaints, and victims lost $24.1 million. Researchers discovered this month that even Apple products, typically harder for hackers to penetrate, are not immune.
“Definitely a growing threat,” said Special Agent Chris Stangl, a section chief in the FBI’s cyber division. “Success breeds more activity.”
The ransom demands are often relatively small — hundreds or thousands of dollars — and the compromised data is important. But the disruption to a business, especially if it has not backed up the data, can be significant.
“Ransomware has been around for a long time, but we’ve never seen a concerted manual effort by hackers to break into a network, hang out for a year, spread to all the machines and then install it everywhere,” said Val Smith, chief executive of Attack Research, a cybersecurity firm. “This is a major shift in effort.”
Mayor Terry Leonard of Ilion, N.Y., said his village paid several hundred dollars to reopen village files in two separate ransomware attacks in early 2014 and has since hired an information technology company to upgrade the computer system. The ransomware had locked officials out of critical payroll and utility payment systems, Leonard said.
“We’re going to be state-of-the-art, for as good as that is, because the bad guys, as you probably know, are one step ahead of the good guys all the time,” he said.
Police in Melrose, Mass., briefly had to go “old school,” writing reports and keeping a call log, last month after ransomware blocked access to the department’s in-house records system, said Lt. Mark DeCroteau, the patrol commander. The city, he said, paid a ransom of less than $500 in bitcoin the next day. “It was more of a nuisance than anything, to tell you the truth,” he said.
Hackers made off with significantly more money in an attack on a Los Angeles hospital around the same time, forcing officials to pay $17,000 in bitcoin to unlock the electronic medical record system.
Last month the FBI issued a flash alert that captured the sophistication of the new strains of ransomware that are afflicting entire networks. “The bad guys burrow into a system often months in advance, map out the network, and then deploy the ransomware at what they believe to be the most critical assets of the organization,” said James Pastore, a former federal prosecutor in New York who worked on a ransomware case involving the Eastern European crime ring Blackshades. In that case, the FBI cooperated with authorities in 18 countries to make 90 arrests in May 2014.
To ensure maximum impact, the hackers search for backups in the system and destroy them, said Pastore, who is now a partner handling cyber cases at Debevoise & Plimpton.
Earlier forms of ransomware, such as one particularly nasty version called Cryptolocker, relied on automated software in which an unsuspecting victim chanced on an infected website and picked up the malicious code. Now, experts say, the hackers are putting time into their targeting, which lets them raise their price.
While hackers have long victimized individuals, Stangl said, they are focusing on more lucrative targets such as businesses and local governments. And they are demanding payment in bitcoin, which is nearly impossible to track, he said.
Researchers at Dell SecureWorks, a cybersecurity firm, said they have investigated three cases in the past three months involving a technology company, a manufacturer and a transportation company. The ransom demands averaged about $9,000, said security researcher Phil Burdette. In one case, the company paid and the hacker tried to double the price. The “key message,” he said, is that the hackers were in the victims’ systems for two months to two years before they struck. That meant the companies had time to detect and prevent the attack.
Although law enforcement officials and researchers say most of the attackers appear to be from Eastern Europe, some analysts say they are seeing evidence of ransomware being launched by Chinese hackers. Attack Research’s Smith said that his firm and a few other companies worked on some cases around Christmas in which they identified tools, Internet protocol addresses and intrusion patterns that corresponded exactly to Chinese state-sponsored attack patterns. The only difference, he said, was that once the hackers got inside the victim’s network, instead of stealing intellectual property or trade secrets, they deployed the ransomware. “This is very out of character” for Chinese government-sponsored hackers, he said, but he thought the hackers might have been Chinese civilians.
Stangl said the FBI advises people to back up data offline, because once a computer is infected, their options are limited. Private security companies can sometimes find keys to unlock encrypted data — especially if hackers reuse them — but that is becoming less common, he said.
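The FBI's advice above, combined with Pastore's observation that attackers hunt down and destroy backups, is why an offline copy is only useful if its integrity can be confirmed independently of the infected machine. The following Python script is an added example, not code from the article or from any of the agencies or firms quoted in it: it builds a SHA-256 manifest of a directory before anything goes wrong, and later checks both the live copy and the offline backup against that manifest, so an administrator can tell which files were encrypted or deleted and whether the backup is still intact. The directory layout, the file names and the "encryption" step (overwriting one file with random bytes and deleting another) are constructed for the demonstration.

```python
"""Added example: hash manifest for verifying an offline backup after a
ransomware incident.  Not the article's code; all file names are constructed.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files do not load whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest.

    The manifest itself should be stored with the offline backup, not on
    the machines it describes, because an intruder who can reach it can
    rewrite it.
    """
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_against_manifest(copy_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each manifest entry as ok, changed (digest differs) or missing."""
    report: dict[str, list[str]] = {"ok": [], "changed": [], "missing": []}
    for rel, expected in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Walk through the scenario on a constructed temp directory and return the reports."""
    workdir = Path(tempfile.mkdtemp(prefix="backupcheck-"))
    try:
        live = workdir / "live"          # the city's working file share (constructed)
        backup = workdir / "offline"     # the detached backup copy (constructed)
        (live / "memos").mkdir(parents=True)
        (live / "memos" / "budget.txt").write_text("FY2016 draft budget memo\n")
        (live / "newsletter.txt").write_text("City newsletter, March issue\n")

        # 1. Take the manifest and the backup while the data is known good.
        manifest = build_manifest(live)
        shutil.copytree(live, backup)

        # 2. Simulate the incident on the live share only: one file is
        #    overwritten with unreadable bytes, another is deleted outright.
        (live / "newsletter.txt").write_bytes(os.urandom(64))
        (live / "memos" / "budget.txt").unlink()

        # 3. Check both copies against the pre-incident manifest.
        return {
            "manifest": manifest,
            "live": verify_against_manifest(live, manifest),
            "backup": verify_against_manifest(backup, manifest),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for name in ("live", "backup"):
        print(f"{name}: {result[name]}")
```

Run as a script it prints that the live share has one changed and one missing file while the offline copy still matches every manifest entry. In practice the manifest and the backup live on media that is disconnected once the copy is written; a backup that the infected host can still reach is exactly the kind Pastore describes being found and destroyed.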
Stangl said the FBI does not advise paying ransoms to hackers, because “if they were not successful in receiving those funds, then they go out of business just like any other company would.” But he concedes losing data can be difficult for a company to swallow. “We don’t like to see payments of ransom, but at the end of the day, it’s a business decision,” he said.
In the case of Plainfield, N.J., Mapp said the city can still function, but some files might be lost forever. City officials, he said, have no way to communicate with the hackers, even if they wanted to.
“No leads at this time, and quite frankly, the law enforcement agencies are not, at this point, revealing any information in terms of where the investigation is going,” he said.