Catholic Charities of Santa Clara County was one click away from danger — a threat that has been costing businesses hundreds of millions of dollars.

The email that arrived the morning of March 1 struck Anna Perez, a receptionist at the San Jose nonprofit, as harmless: “Dear Customer: The attached document is a transaction payment confirmation from GlobalMarketing Ltd. Thank you for your business. We appreciate it very much.”

But exactly 57 seconds after Perez opened the compressed file, a series of strange actions started taking place on the organization’s network.

Her Windows desktop connected with a server in Ukraine and downloaded a piece of powerful, malicious code — just like an automatic software update. Except in this case, it was ransomware, a devious type of virus that encrypts files in such a way that only a criminal hacker holding the key can unlock them. Typically, a digital extortionist charges between $200 and $10,000 to decrypt the files, often asking for payment in bitcoin, a virtual currency which is hard to trace.

At Catholic Charities, the malware began encrypting files on the receptionist’s machine almost immediately. But the nonprofit was lucky: It had been testing a device from Darktrace that scans the network for unusual behavior — like a desktop in San Jose contacting a server in Ukraine.

A Darktrace analyst in New York City swiftly noticed that something was amiss and alerted the charity’s information-technology staff. A colleague disconnected Perez’s computer from the charity’s network. A few of the files on the computer had been encrypted but no real harm was done.

When ransomware isn’t caught early, it can be extremely costly. From January to the end of March, the FBI received reports of more than $209 million in losses due to such attacks. Two large complaints accounted for most of that amount.

In some cases, the FBI has even recommended that ransomware victims who haven’t backed up their files pay up rather than try to crack the encryption. In February, Hollywood Presbyterian Medical Center administrators paid digital ransomers about $17,000 to gain back control of their network.

Darktrace, a cybersecurity startup with headquarters in San Francisco and the United Kingdom, does not think it — or anyone — will be able to identify the sender of the suspicious email.

“I’d be really surprised if … you traced back the attackers and (they) were actually in the same country,” said Dave Palmer, the director of technology for Darktrace, referring to the Eastern European origins of the attack. “They could have just as easily been American citizens that were using infrastructure in Romania, or Ukraine.”

Ransomware often contains code that frequently changes the location of the servers it connects to, making it hard to trace. Thieves sometimes place hostile code for short periods on machines paid for with stolen credit cards, quickly moving between legitimate providers before any malicious activity is reported.

“You’ll be gone 14 hours later,” Palmer said. “So it doesn’t matter if the feds track you down, because you’ve already moved on. It’s just quite a neat way of not really worrying about the law enforcement side of things.”

Gangs that typically use the type of ransomware that attacked the charity often just email entire lists of potential victims, said Palmer.

Nonprofits, schools and municipalities — organizations traditionally without big budgets for cybersecurity — are especially vulnerable.

Catholic Charities has an annual budget of about $35 million, according to Will Bailey, its director of information technology, who said it spends roughly $600,000 on IT. That mostly goes for salaries of Bailey and several other full-time staff members.

That team is responsible for more than 500 employees and 300-plus devices. Some work remotely, while others are spread out in churches and offices from San Jose to Gilroy.

In September, the Arc of Winnebago, Boone and Ogle Counties, an Illinois nonprofit, reportedly paid a $700 ransom in bitcoin in order to rescue 10 computers and an in-house server.

And last week, a public utility in Lansing, Mich., had its email, phones, printers and other equipment shut down by ransomware, according to the Lansing State Journal.

Had the infection spread beyond that one desktop PC at Catholic Charities, the nonprofit could have spent thousands of dollars restoring its files, Bailey said.

If it hadn’t caught it and stopped it in its tracks by taking the machine offline, he said, “Who knows what could have happened?”

Sean Sposito is a San Francisco Chronicle staff writer. Email: ssposito@sfchronicle.com Twitter: @seansposito