A California hospital this week paid a $17,000 ransom to free its computers from a hacker's virus, thrusting a little-known but wildly lucrative cyber scheme into the limelight.
Cyber criminals have extorted hundreds of millions from victims using these attacks, yet the technique has baffled law enforcement and received little attention on Capitol Hill.
On Wednesday, Hollywood Presbyterian Medical Center announced that it had paid hackers a ransom in bitcoin — an anonymous digital currency — to regain access to their locked systems. For almost a week, the hospital was thrown into the dark ages, relying on paper charts and fax machines to care for its patients.
Law enforcement is scrambling to keep up as some victims, desperate to regain access, simply pay the price without consulting police. The FBI has even told victims to pay up — a controversial move for security experts.
“The ransomware is that good,” said Joseph Bonavolonta, assistant special agent in charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, during a cybersecurity conference last fall. “To be honest, we often advise people just to pay the ransom.”
And it often works. Experts say attackers usually deliver on their promise to restore access — because it's good business.
“They understand that if they don’t deliver the key to decrypt the data, then they’re going to be killing their own business model,” says Levi Gundert, the vice president of IT security at security firm Recorded Future and a former agent in the Secret Service’s electronic crimes unit.
The Justice Department estimates that only 1.3 percent of victims of one particular ransomware virus paid the ransom, but a 2014 study from the United Kingdom suggested that the number is much higher — 40 percent.
Even police departments have paid ransoms ranging from $300 to $500 to unlock their systems.
In a matter of years, cyber criminals have been able to build a low-risk, high-reward underground industry on the back of these sophisticated viruses.
“This is a business like any other legitimate business,” Gundert said.
Security experts say it's easy to launch a ransomware business — low overhead, minimal setup time, huge rewards.
Stu Sjouwerman, CEO for cybersecurity training firm KnowBe4, said a major operation could get off the ground for somewhere between $20,000 and $40,000. That includes “millions of email addresses” to target and a “bullet proof server.”
Within weeks, that shop could rake in millions, netting potentially a 1,000 percent return on investment, he said.
“Insane,” he said, “but in these circles it’s not uncommon.”
Other projections are more tempered but nonetheless predict outsized profits. Security firm Trustwave projected that a one-month campaign might cost $5,900 and generate about $90,000 in revenue.
Even a computer novice can pay someone to launch a ransomware campaign on their behalf. Like any hired gun, the attacker simply takes a commission, often 10 to 20 percent of the ransom payment, which averages around $500, Sjouwerman said.
The number of ransomware campaigns has grown exponentially in recent years.
While modern ransomware has been around for over a decade, the tactic exploded in 2013. Cyber crime syndicates started going after more businesses and tailoring their attacks.
According to experts, the amount of ransomware infections has more than doubled between 2014 and 2015. A recent Kaspersky Lab study showed that in 2015 twice as many corporate computer networks had been hit with ransomware as in the previous year.
“This is very rapidly expanding into a scourge,” Sjouwerman said.
Security experts are concerned that the Hollywood Presbyterian case may be a tipping point. Not only did the hospital pay the ransom, but media reports earlier in the week suggested the hospital originally considered paying a $3.6 million price.
Although researchers speculate that the hospital misunderstood the price in bitcoin that the hackers were asking for, the fact that such an astronomical figure was even on the table might make cyber criminals greedier.
“The medical world has put a target on its back for high numbers,” said Rodney Joffe, senior vice president and fellow at the security firm Neustar. “Now that the bad guys can see that there’s a possibility of millions of dollars, I think it’s going to ramp up immensely.”
The medical industry is already a prime target. Even if a hospital refuses to pay up, a person's medical records can be sold on the dark Web for roughly $80, Sjouwerman estimated. By comparison, credit card numbers only fetch a few dollars each.
Law enforcement is doing everything it can to keep up. The FBI last year offered a $3 million reward for information leading to the arrest or capture of Evgeniy Bogachev, the elusive Russian hacker thought to be linked to the most malicious strain of ransomware, CryptoLocker, which is responsible for over $325 million in damages.
It's the largest reward ever offered for a cyber criminal.
“We are using all the tools in the toolbox,” said David Hickton, a U.S. attorney for Pittsburgh, where Bogachev was indicted.
But the authorities can only do so much, experts say. Ransomware often goes unreported, bitcoin payments are hard to track and many digital kidnappers are protected by friendly Eastern European governments.
On Capitol Hill, ransomware has started to pique the interest of lawmakers, who have spent the last few years more focused on the massive data breaches at high-profile companies like Target, Home Depot and JPMorgan.
The top-two members of the Senate Homeland Security Committee recently pressed the FBI and the Department of Homeland Security to explain how they are fighting back.
“While much must be done to bolster the cyber defenses of our federal agencies, a far larger group faces a growing threat from ... ransomware,” Sens. Ron JohnsonRon JohnsonA guide to the committees: Senate Hopes rise for law to expand access to experimental drugs Dems ask for hearings on Russian attempts to attack election infrastructure MORE (R-Wis.) and Tom CarperTom CarperA guide to the committees: Senate Senate advances Trump's Commerce pick Warren: Trump's EPA pick the 'attorney general for Exxon' MORE (D-Del.) wrote in a December letter.
The attention to big breaches is not misguided, experts say, but it has come at the expense of ignoring a more insidious cyber threat.
Data breaches, Sjouwerman said, are “still happening."
"But in the meantime, back at the ranch, ransomware is taking off.”