A lot of computer viruses hide inside your system. Hackers stealing your data go out of their way to operate quietly, stealthily, under the radar.

But there's another kind of attack that makes itself known — on purpose. It sneaks into your network and takes your files, holding them for ransom. It's called ransomware, and, according to cybersecurity experts, this kind of attack is getting more sophisticated.

Stick 'Em Up

Eric Young, who manages the computer network for a small business in Hermitage, Tenn., got a call from work. It was a Monday morning and, he says, it was "a very bad way to start the week."

Somebody in the office opened an email that looked legit. "It has the exact background of like PayPal," Young recalls, "and it says, somebody paid you money."

The employee clicked the link, and out popped a red alert that took up most of the screen. It was a threat: Pay ransom to an anonymous hacker, or all the files in the company network will be encrypted — locked up with a digital key that's so strong, no one can open them ever again.

The threat came with a countdown clock. Young had 72 hours and, as he tried to find solutions, the cyberthieves were slipping into every company computer — starting with Victim No. 1 and ending in the company's servers. "Our database was encrypted, and we were pretty much — we lost everything we had built for 14 years."

NPR spoke with other victims who did not want to be named for fear of losing their jobs or customers. But they described the same sequence of events.

One small business even called 911.

Lt. Catherine Buckley with the Colorado Springs Police Department reviews the call log for NPR.

The attack happened on Nov. 12. An officer went to the crime scene immediately. But when he got there, employees decided he couldn't really solve the problem. So they didn't file a police report. He left within 20 minutes.

Buckley reads from the department notes: "One of the employees had either received an email, or clicked on a link which opened up the malware CryptoWall 2.0."

The Tennessee company decided not to pay. It didn't trust the hackers to give back the files, so it relied on backups that it had. The Colorado Springs company did pay, in the amount of $750.

And here's where it gets weirder.

While ransomware criminals used to accept prepaid cards and other familiar forms of payment, they're now moving into so-called "cryptocurrency." Some rings only take Bitcoin, the electronic cash that's popular among hedge fund investors and online drug traders.

"[It is] not all that easy to come by," says Stu Sjouwerman, founder of the IT company KnowBe4. He keeps a Bitcoin wallet and has been paying ransom for small businesses hit by hackers. "That service is free," he says. "We meet prospective customers that way, and then tell them about our trainings and other services."

Ransomware Evolves

It's unclear how many people have been hit by ransomware. According to Rahul Kashyap, a researcher at the cybersecurity firm Bromium, the number is grossly underreported as victims feel shame and don't know where to turn for help.

"Many people might actually panic," he says. "They might believe that they did something wrong or they made a mistake which resulted in this compromise."

Bromium just released a study dissecting 30 cases of ransomware. It finds that the criminals are getting better at hiding their identities. Ransomware uses the anonymous online network Tor to conceal all communication between the attacker and victim. That way, for example, the CEO and IT support can't blame a specific employee, or help the employee.

"They wouldn't be able to block the victim from making the payment," Kashyap says. "So it works on both sides for the whole session to be anonymous."

The thieves are also getting better at finding valuable data. Just like gold is worth more than silver, a company's design for a high-rise building is worth more than a holiday memo. Hackers have written code to find high-end file extensions, "like AutoCAD files used for designing industry structures."

Should You Pay?

The ransomware Cryptolocker was lucrative, with an estimated 500,000 victims targeted and $3 million in returns.

While the FBI managed to bust one ring based in Russia and Ukraine, Kashyap says, the problem isn't going away. New, stronger variants of Cryptolocker are already out.

But when asked if he advocates that victims pay the ransom, he says without pause, "Absolutely not. If you pay, they'll build more malware, pretty much as simple as that."

Security experts disagree on this point.

Jaeson Schultz at Cisco says a blanket policy is impractical: "Unless you've got powerful computers and a lot of time to spend guessing keys, there's really no way to get your data back unless you pay the ransom."

Chris Morales at NSS Labs says, "My mom owns her own company, and if it happened to her, I would tell her to pay."

The Department of Homeland Security tells people to not negotiate with the hackers. But another law enforcement agency, a sheriff's office in Tennessee, just paid to get its files back.

Ransomware has gotten so powerful, Morales says, the hackers really do lock down victims' data: "The truth is, is we have no way to recover their data if it gets destroyed. So we can't help them."

The very best defense, he says, is having a backup that's not connected to your machine in any way. Storing things on the cloud or on a USB drive that's plugged into your computer won't cut it.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

ROBERT SIEGEL, HOST:

Today, a computer virus that can hold your digital life for ransom - if you've ever lost the contents of a computer hard drive, you know what a huge problem that can be. All your documents, financial records, photos, music - gone - scary. Well, cyber criminals know just what a threat that is, and some are now using a computer virus to lock up people's data as a form of extortion. It's called ransomware. Here's NPR's Aarti Shahani.

AARTI SHAHANI, BYLINE: Eric Young, who manages the computer network for a small business in Hermitage, Tennessee, got a call from work.

ERIC YOUNG: I believe it was a Monday, and it was in the morning. And it was a very bad way to start the week.

SHAHANI: Somebody in the office opened an e-mail that looked totally legit.

YOUNG: It has the exact background of, like, PayPal and it says that somebody paid you money.

SHAHANI: Out popped a red alert that took up most of the screen.

YOUNG: It was definitely very alarming. It says, like, if you don't pay this ransom, your files will be encrypted. It had a clock that was counting down.

SHAHANI: Young had 72 hours. And as the clock counted down, the cyber thieves were slipping into every company computer, starting with victim number one, locking all the files with a digital key so that no one could open them.

YOUNG: Our database was encrypted, and we were pretty much - we lost everything we had built for 14 years.

SHAHANI: NPR spoke with other victims who did not want to be named for fear of losing their jobs or customers, but they described the same sequence of events. One small business even called 9-1-1.

CATHERINE BUCKLEY: On November 12, 2014, in the afternoon, we received a call for service.

SHAHANI: Lieutenant Catherine Buckley with the Colorado Springs Police Department is reviewing the call log for us. They dispatched an officer, but when he got there, employees decided he couldn't really solve the problem so they didn't file a police report. He left within 20 minutes.

BUCKLEY: I have that the officer did note that someone - one of the employees had either received an e-mail or clicked on a link which opened up the malware, Cryptowall 2.0.

SHAHANI: The Tennessee company decided not to pay. They didn't think it would work, and they relied on backups they had of their files. The Colorado Springs company did pay $750. And here's where it gets weirder. The criminals don't accept cash or credit card. They take bitcoin.

STU SJOUWERMAN: Bitcoin is an electronic currency that is not all that easy to come by.

SHAHANI: Stu Sjouwerman sets victims up with these payments through his company, KnowBe4.

SJOUWERMAN: So we have a few of those bitcoins in our electronic bitcoin wallet, and we pay the ransom for these people.

RAHUL KASHYAP: Many people might actually panic.

SHAHANI: Rahul Kashyap is describing the victim's mindset. He's a researcher at the cyber security firm, Bromium.

KASHYAP: They might believe that they did something wrong or they made a mistake which resulted in this compromise.

SHAHANI: Bromium just released a study dissecting 30 cases of ransomware, and they find the criminals are getting better at hiding. They use the anonymous online network Tor to conceal all communication between attacker and victim. That way, for example, the CEO and IT support can't blame a specific employee or help them.

KASHYAP: So it works on both sides for the whole session to be anonymous.

SHAHANI: The thieves are getting better at finding valuable data, too. Just like gold is worth more than silver, a company's design for a high-rise building is worth more than a holiday memo. Kashyap says despite efforts by the FBI to crack down, ransomware isn't going away. So I ask him, do you advocate paying the ransom?

KASHYAP: Absolutely not. If you pay, there will be more malware - pretty much as simple as that.

SHAHANI: But security experts Chris Morales at NSS Labs and Jaeson Schultz at Cisco say he's being a Boy Scout.

CHRIS MORALES: My mom owns her own company, and if it happened to her, I would tell her to pay.

JAESON SCHULTZ: Unless you've got a really powerful computer and a lot of time to spend guessing keys, there's really no way to get your data back unless you pay the ransom.

SHAHANI: The Department of Homeland Security tells people to not negotiate with the hackers, but another law enforcement agency, a Sheriff's office in Tennessee, just paid to get their files back. And ransomware has gotten so powerful, Morales says, it really does lock down victims' data.

MORALES: The truth is is we have no way to recover their data. If they don't, it gets destroyed. So we can't help them.

SHAHANI: The very best defense, he says, is having a backup that's not connected to your machine in any way. Storing things on the cloud or on a USB drive that's plugged into your computer won't cut it. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.
