Grayson Barnes had just started working at his father’s law firm in Tulsa, Oklahoma when a note popped-up on one of the computer screens. It informed him that all the files on the firm’s digital network had been encrypted and were being held ransom. If he ever wanted to access them again, he had to pay $500, in the Internet currency Bitcoin, within five days. If he didn’t, the note concluded, everything would be destroyed.
“It wasn’t just a day’s worth of work,” Barnes told TIME. “It was the entire library of documents, all the Word documents, all the Excel.”
Uncertain of what to do next, Barnes called the police and then the Federal Bureau of Investigations. Everyone he spoke to told him the same thing: there was nothing they could do.
If he paid the $500, there was no guarantee he’d get the files back, they said. But if he didn’t pay, there was no way to save the firm’s data and, because many of these sorts of cybercriminals live abroad, there’s no way for the police or the FBI to prosecute the attackers. “They said, basically, ‘Look, we can’t help you,’” Barnes said. Two days later, the firm paid up.
And that, cybersecurity experts say, is why so-called “ransomware” attacks have become so ubiquitous in the last two years: they’re relatively low-budget, low stakes, and don’t require much skill to pull off. Instead of going after high-value, heavily fortified systems, like banks or corporations, that require complex technological skills to hack, cybercriminals use ransomware to go straight for easy targets: small businesses, schools, hospitals, and Joe Blow computer users like us, who are likely to pay a few hundred—or a few thousand—bucks to get our digital lives back.
“It’s a one-to-one relationship with the victim, and it’s anonymous,” said Juan Guerrero, a senior security researcher at Kaspersky Lab, a cybersecurity company that fielded 750,000 attacks last year, just among its own clients.
While each type of ransomware virus is different, some, like CryptoLocker, boasted a 41% “success rate”—meaning that more than a third of victims ended up paying the ransom, according to a survey in the United Kingdom by the University of Kent. That virus earned between $3 million and $27 million for its criminal overlords, according to various estimates.
While there’s no central clearinghouse that keeps of every ransomware attack, cybersecurity experts estimate that there are several million attacks on American computers a year. The average victim shells out about $300, according to a study by the global cybersecurity firm Symantec. But that adds up overtime.
In 2014, for example, one version of ransomware, CryptoWall, infected more than 625,000 computers worldwide, including a quarter million in the U.S., according to Dell Inc., and earning hackers roughly $1 million in just six months.
Between April 2014 and June 2015, the Internet Crime Complaint Center, a partnership between the nonprofit National White Collar Crime Center and the FBI, received 992 complaints about another version of ransomware, Cryptowall, in which victims reported losses of more than $18 million. Some cybersecurity experts estimate that hackers are earning north of $70,000 a month on ransomware.
With that much money flowing in, ransomware is on the rise. “These sorts of attacks are absolutely increasing,” Guerrero said.
According to Symantec, there was a 250% increase in new ransomware available on the black market between 2013 and 2014, and by 2015, the underground ransomware industry had begun to mimic the way modern software is developed: there are criminal engineers and manufacturers, retailers, and “consumers”—hackers on the lookout for the newest, most effective product.
Some criminals, who are usually based in Russia, Ukraine, Eastern Europe and China, have begun licensing what’s known as “exploit kits”—all-inclusive ransomware apps—to individual hackers for a couple hundred dollars a week.
As with most computer viruses, victims are often first targeted with a fraudulent email. If hackers can get victims to open an email and then download an attachment, then they can infiltrate their computer—and any computer associated with that computer’s network. Roughly 23% of people open phishing messages, according to a 2015 data-breach report from Verizon Enterprise Solutions. More than 10% then click on the attachments.
Victims can also have their computers infected merely by visiting a compromised website—no download required—or joining an infected network. Sites that are the most likely to get people in trouble are those peddling pirated movies, TV and sports games, pornography, or networks like Tor that facilitate sharing of huge numbers of user files. PC users are generally more vulnerable to ransomware than Mac users in part because there are more PCs in the world. From a criminal’s perspective, malware designed to exploit a PC offers access to more potential victims.
Ransomware viruses have gotten more sophisticated in recent years, experts say. For example, some versions of ransomware are now designed to seek out the files on a victim’s computer that are most likely to be precious, such as a large number of old photographs, for example, tax filings, or financial worksheets. Other versions use social engineering tricks to make a victim feel guilt or shame—and therefore more likely to pay the ransom. Some appear to be official notices from the FBI or a cyber law enforcement agency claiming to know that a victim recently watched illegal porn, bought drug paraphernalia, or downloaded a pirated movie. In some particularly alarming cases, ransom notes come in over a computer’s speakers: the booming voice of a stranger demanding a Bitcoin payment echoes through the victim’s living room.
In the past year, ransomware attacks have shut down at least three health care centers, including one hospital in Los Angeles that paid $17,000 to regain access to its patients’ records. In March, MedStar Health, the massive, $5 billion health care juggernaut that operates 10 hospitals in the Washington, DC region, saw its computer system knocked offline for days in what some employees characterized as a ransomware attack.
Police departments, school districts, and small businesses, like Barnes’ law firm have also been recent targets, in part because they have less sophisticated security systems. According to Intel Security, 80% of small and medium-sized businesses don’t use data protection and fewer than half secure their email.
The only way to protect against a ransomware attack is rote: keep your operating system up to date, renew your anti-virus software regularly, back up your files on a daily or weekly basis, and never download anything from an email address you don’t recognize. Many cybersecurity experts warn that people should be particularly skeptical of emails with attachments that appear to be from trusted brands, like FedEx or Amtrak, when they arrive unexpectedly.
Once a computer has been infected with ransomware, there’s often very little that a consumer can do, said Robert Siciliano, the CEO of ID Theft Security.com. With some, limited variations of ransomware, law enforcement have the tools to reverse and remove the virus. But in most cases, victims are stuck between a rock and a hard place.
If a victim pays a ransom and the files are not restored, there’s no way to demand a refund. Most ransomware schemes require Bitcoin payments to be routed through file-sharing technologies, so law enforcement officials can’t usually identify where the money went. Like many in the cybersecurity world, Siciliano advises not paying the ransom in the first place. That money, he says, ends up funding newer, more innovative variations of the virus.
Barnes says he doesn’t feel great about having paid the $500 ransom for his law firm’s files, but given the situation, he and his colleagues didn’t have much of a choice. “Everything is backed up now,” he said. “It’s not happening again.”