Ransomware: When Hackers Lock Your Files, To Pay Or Not To Pay?


A lot of computer viruses hide inside your system. Hackers stealing your data go out of their way to operate quietly, stealthily, under the radar.

But there's another kind of attack that makes itself known — on purpose. It sneaks into your network and takes your files, holding them for ransom. It's called ransomware, and, according to cybersecurity experts, this kind of attack is getting more sophisticated.

Stick 'Em Up

Eric Young, who manages the computer network for a small business in Hermitage, Tenn., got a call from work. It was a Monday morning and, he says, it was "a very bad way to start the week."

Somebody in the office opened an email that looked legit. "It has the exact background of like PayPal," Young recalls, "and it says, somebody paid you money."

The employee clicked the link, and out popped a red alert that took up most of the screen. It was a threat: pay a ransom to an anonymous hacker, or every file on the company network would be encrypted, scrambled with a key that only the attacker holds, so that without it no one could ever open them again.

The threat came with a countdown clock. Young had 72 hours and, as he tried to find solutions, the cyberthieves were slipping into every company computer — starting with Victim No. 1 and ending in the company's servers. "Our database was encrypted, and we were pretty much — we lost everything we had built for 14 years."

NPR spoke with other victims who did not want to be named for fear of losing their jobs or customers. But they described the same sequence of events.

One small business even called 911.

Lt. Catherine Buckley with the Colorado Springs Police Department reviews the call log for NPR.

The attack happened on Nov. 12. An officer went to the crime scene immediately. But when he got there, employees decided he couldn't really solve the problem. So they didn't file a police report. He left within 20 minutes.

Buckley reads from the department notes: "One of the employees had either received an email, or clicked on a link which opened up the malware CryptoWall 2.0."

The Tennessee company decided not to pay. It didn't trust the hackers to give back the files, so it relied on the backups it had. The Colorado Springs company did pay, in the amount of $750.

And here's where it gets weirder.

While ransomware criminals used to accept prepaid cards and other familiar forms of payment, they're now moving into so-called "cryptocurrency." Some rings only take Bitcoin, the electronic cash that's popular among hedge fund investors and online drug traders.

"[It is] not all that easy to come by," says Stu Sjouwerman, founder of the IT company KnowBe4. He keeps a Bitcoin wallet and has been paying ransom for small businesses hit by hackers. "That service is free," he says. "We meet prospective customers that way, and then tell them about our trainings and other services."

Ransomware Evolves

It's unclear how many people have been hit by ransomware. According to Rahul Kashyap, a researcher at the cybersecurity firm Bromium, the number is grossly underreported as victims feel shame and don't know where to turn for help.

"Many people might actually panic," he says. "They might believe that they did something wrong or they made a mistake which resulted in this compromise."

Bromium just released a study dissecting 30 cases of ransomware. It finds that the criminals are getting better at hiding their identities. The malware routes its communication with the victim through Tor, the anonymity network, which hides the attacker's infrastructure and keeps the whole exchange opaque to anyone watching the victim's network. That way, for example, the CEO and IT support can't pin the incident on a specific employee, or step in to help that employee.

"They wouldn't be able to block the victim from making the payment," Kashyap says. "So it works on both sides for the whole session to be anonymous."

The thieves are also getting better at finding valuable data. Just as gold is worth more than silver, a company's design for a high-rise building is worth more than a holiday memo. Hackers have written code that hunts for the file extensions of high-value documents, "like autocad files used for designing industry structures."

Should You Pay?

The ransomware Cryptolocker was lucrative, with an estimated 500,000 victims targeted and $3 million in returns.

While the FBI managed to bust one ring based in Russia and Ukraine, Kashyap says, the problem isn't going away. New, stronger variants of Cryptolocker are already out.

But when asked if he advocates that victims pay the ransom, he says without pause, "Absolutely not. If you pay, they'll build more malware, pretty much as simple as that."

Security experts disagree on this point.

Jaeson Schultz at Cisco says a blanket policy is impractical: "Unless you've got powerful computers and a lot of time to spend guessing keys, there's really no way to get your data back unless you pay the ransom."

Chris Morales at NSS Labs says, "My mom owns her own company, and if it happened to her, I would tell her to pay."

The Department of Homeland Security tells people to not negotiate with the hackers. But another law enforcement agency, a sheriff's office in Tennessee, just paid to get its files back.

Ransomware has gotten so powerful, Morales says, the hackers really do lock down victims' data: "The truth is, we have no way to recover their data if it gets destroyed. So we can't help them."

The very best defense, he says, is a backup that is not connected to your machine in any way. A cloud folder that syncs automatically, or a USB drive that stays plugged into the computer, won't cut it: anything the infected machine can write to, the ransomware can encrypt.
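To make two of the points above concrete, the extension targeting Kashyap describes and the disconnected backup Morales recommends, here is an added example that is not part of the NPR article or the work of any company or researcher quoted in it. It builds a throwaway directory tree in a temporary location, runs a toy "ransomware" over it, and then restores from a snapshot that was held outside the tree. The cipher (a SHA-256 keystream XORed over each file), the extension list and the file layout are constructed stand-ins; real families use proper ciphers, and the in-memory snapshot stands in for a drive that is physically disconnected after the copy.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed list of extensions a ransomware family might prioritise; the article
# names AutoCAD drawings as the kind of high-value file attackers look for.
TARGET_EXTS = {".dwg", ".dxf", ".docx", ".xlsx", ".pdf"}
LOCKED_SUFFIX = ".locked"

DRAWING = b"AutoCAD drawing of a high-rise"   # constructed sample content


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Stands in for the real cipher a
    ransomware family would use; the point is only that the key stays with the attacker."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def simulate_ransomware(root: Path, key: bytes) -> list[str]:
    """Encrypt every targeted file reachable below root, renaming it with LOCKED_SUFFIX.
    A plugged-in USB drive or a cloud sync folder under root is reached like any other directory."""
    locked: list[str] = []
    for p in sorted(root.rglob("*")):          # the list is built before any renames happen
        if p.is_file() and p.suffix.lower() in TARGET_EXTS:
            p.with_name(p.name + LOCKED_SUFFIX).write_bytes(xor_bytes(p.read_bytes(), key))
            p.unlink()
            locked.append(p.relative_to(root).as_posix() + LOCKED_SUFFIX)
    return sorted(locked)


def take_offline_snapshot(tree: Path) -> dict[str, bytes]:
    """Copy every file under tree into a dict that lives outside the filesystem the malware
    later walks. The dict stands in for a drive that is disconnected after the copy."""
    return {p.relative_to(tree).as_posix(): p.read_bytes()
            for p in sorted(tree.rglob("*")) if p.is_file()}


def restore_from_snapshot(tree: Path, snapshot: dict[str, bytes]) -> int:
    """Delete the encrypted leftovers and write the clean copies back. Returns the file count."""
    for p in list(tree.rglob("*" + LOCKED_SUFFIX)):
        p.unlink()
    for rel, data in snapshot.items():
        dest = tree / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return len(snapshot)


def build_victim(root: Path) -> None:
    """Constructed layout: the working tree plus two 'backups' the infected machine can still write to."""
    files = {
        "projects/tower.dwg": DRAWING,
        "projects/holiday_memo.txt": b"Office closed on Friday",   # not a targeted extension
        "usb_drive/backup/tower.dwg": DRAWING,                     # USB stick left plugged in
        "cloud_sync/tower.dwg": DRAWING,                           # folder mirrored to the cloud
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    build_victim(root)
    offline = take_offline_snapshot(root / "projects")       # taken while clean, then "unplugged"
    attacker_key = os.urandom(32)                            # never written to the victim's disk
    locked = simulate_ransomware(root, attacker_key)
    after_attack = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    ciphertext = (root / "projects/tower.dwg.locked").read_bytes()
    only_key_holder_can_decrypt = (xor_bytes(ciphertext, attacker_key) == DRAWING
                                   and xor_bytes(ciphertext, os.urandom(32)) != DRAWING)
    restore_from_snapshot(root / "projects", offline)
    restored_ok = (root / "projects/tower.dwg").read_bytes() == DRAWING
    return {"locked": locked, "after_attack": after_attack,
            "only_key_holder_can_decrypt": only_key_holder_can_decrypt, "restored_ok": restored_ok}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the drawing encrypted in the working tree, on the plugged-in USB copy and in the cloud sync folder alike, while the memo with an untargeted extension is left alone; only the snapshot that the malware could not reach restores the file, and only the attacker's key decrypts the ciphertext.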