
Illustration by Steve McCracken

How Criminals Made $18 Million By Holding Our Data Hostage

Imagine you are using your computer at work, searching through some of your files looking for a document to assist a colleague, when a message pops up on your screen: “Your files are encrypted. File decryption costs $500.” Do you wipe your computer and use your backups to get your files back? Or do you pay?

This is the exact conundrum that Tewksbury Police Department in Massachusetts faced earlier this year when its computer network became infected with ransomware, encrypting crucial documents needed for day-to-day operations, like police reports and arrest records. 

After spending five days attempting to decrypt its files and even going so far as to send the computer to the Commonwealth Fusion Center to have experts take a whack at it, the department paid the $500 ransom to get its data back, The Boston Globe reports.

And it’s not the only victim to do so. Between April 2014 and June 2015, the FBI’s Internet Crime Complaint Center received 992 CryptoWall-related ransomware complaints, with victims reporting losses totaling more than $18 million, the agency said in a June public service announcement.

That’s not counting other costs related to ransomware, including network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and the purchase of credit monitoring services for employees or customers, the announcement explained. “These financial fraud schemes target both individuals and businesses, are usually very successful, and have a significant impact on victims.”

While ransomware generating record-level profits is a new development, ransomware itself is not. In fact, Adam Young of Columbia University put it on the radar screen when he presented a paper on cryptovirology at the Institute of Electrical and Electronics Engineers Security and Privacy Symposium in May 1996.

In his presentation, Young discussed some of the first ransomware prototypes that used the process of asymmetric encryption, according to the May 2015 McAfee Labs Threat Report.

“Asymmetric encryption is cryptography in which a pair of keys is used to encrypt and decrypt a file,” the report says. To exploit this, cyber criminals trick victims into clicking on infected advertisements, e-mails, or attachments or into visiting an infected website. The ransomware then moves onto the victim’s computer, using asymmetric encryption to encrypt all of the files on it—and in some cases files on shared drives connected to the computer.

“The public-private pair of keys is uniquely generated by the attacker for the victim” in ransomware, the report explains. “The private key to decrypt the files is stored on the attacker’s server and is available to the victim only after the payment of the ransom.”

This ransom can vary in amount, but is typically between $200 and $10,000 for the key to decrypt the victim’s files. Without this key, it’s almost impossible to decrypt the files and get the data back. And sometimes even when victims pay the ransom, they don’t get the key in exchange.

Since Young’s presentation, ransomware has evolved, and different forms of it are typically referred to as a ransomware “family.” One of the first major families was Gpcode.ak, which appeared in 2008 and encrypted huge lists of files on victims’ computers. Then, in 2013, CryptoLocker came onto the scene, targeting people who banked online and eventually claiming 500,000 victims.

In a rare victory, law enforcement was able to stop CryptoLocker in May 2014 by dismantling the GameOver Zeus botnet that distributed it. Industry also came together through Fox-IT and FireEye to create a portal—Decrypt CryptoLocker—where victims could find the key to decrypt their files.

But this doesn’t mean that ransomware is now defunct. “It’s just like crime in general. If you get rid of one gang, another one will eventually take its place,” says Robert Freeman, manager of IBM’s X-Force, a commercial security research and development team. And the new powerful ransomware on the cyber block is Curve Tor Bitcoin (CTB)-Locker.

CTB-Locker gets its name from its use of elliptic-curve cryptography, a strong form of public-key cryptography. It’s a destructive form of ransomware that gives victims 96 hours to pay for the decryption key before that key is deleted, leaving the files permanently encrypted.

And lots of people are paying the ransom to get their data back, making it a great return on investment for cyber criminals, says Raj Samani, vice president and CTO at Intel Security. “We’ve seen an increase in ransomware because the reality is it actually generates real revenue,” he explains.

Cyber criminals are able to generate a good income—a few thousand dollars per week in some cases—because the start-up costs to conduct a campaign are small and the current ransomware campaigns require little cyber expertise, Samani adds.

“It doesn’t cost very much to run a campaign. And actually you don’t need to be technically savvy to conduct a campaign,” he says. “Now you can go online and there are portals that will help take you through a step-by-step guide on conducting these types of campaigns.”

Along with the step-by-step guides, ransomware is following an overall trend of moving away from direct sales to a sort of “extortion as a service” model, making it easier for criminals to conduct campaigns, Freeman explains.

“Most malware and exploit kits and tools that the attackers tend to use have generally migrated away from direct sales in the same way that you don’t go to the store to buy software anymore; you buy it online,” he says. “The same thing is happening in the underground where you don’t necessarily own the software anymore to attack other people, but there might be 24-7 support and you’re just leasing it for some period of time.”

Additionally, with CTB-Locker, cybercriminals can customize their campaigns to target individuals in locations that are more likely to be able to pay the ransom to decrypt their data, such as the United States and Western Europe. “It’s a business decision…the cybercriminals are looking at ways to maximize the number of people that are likely to pay,” Samani explains. 

And unfortunately, this is a trend that will probably continue into 2016—especially if ransoms remain in the $200 range, Freeman says. 

“As long as those prices remain in the $200 or so range, it’s going to be very lucrative for the attackers,” he adds, because people might consider it more convenient to pay the ransom than back up their data. “I don’t see us being able as a community to easily convince the general public that they shouldn’t pay up if they don’t have another source to get their data back.”

Instead, greater emphasis needs to be placed on encouraging good cyber hygiene to avoid clicking on malicious links and files, and corporate IT departments need to regularly back up their data, make sure backups work, and regularly test backups to make sure they aren’t also infected.

“The hard part about recovering from ransomware attacks now…is that if you have a backup—whether it’s a local disk, a USB drive, or a cloud service—and it’s mounted, meaning you can access it on the computer, so can the malware and the malware’s encrypting that, too,” Freeman says. “Users need to consider, or in some cases reconsider, what are the best practices for backing up their data.”
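The two points just made, that a backup must be tested rather than assumed good, and that a backup reachable from the workstation is reachable by the malware too, can be turned into a routine check. The script below is an added example and is not code from the article or from any of the vendors it quotes. It records a SHA-256 manifest when a backup is taken, keeps that manifest separate from the backup media, and later compares the backup against it so that files that were overwritten (as an encrypting process would do) or dropped into the backup after the fact are reported before the backup is needed. The sample files, their contents and the "tampering" step are constructed for the demonstration; the writability check uses the current process's permissions as a stand-in for "is this backup mounted and writable from here."

```python
"""Backup manifest check (added example, not from the article).

build_manifest() hashes every file in a backup; verify_backup() compares a
backup against a manifest that was kept elsewhere, so a backup that was
silently encrypted or altered after it was taken is caught early. The
result also reports whether the backup location is writable from this
machine, which is the exposure described above: a mounted, writable backup
is reachable by the same malware that encrypts the live files.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to backup_dir) to its SHA-256 digest.

    Store the returned manifest off the backup media (read-only or offline);
    a manifest that sits next to the backup can be rewritten along with it.
    """
    return {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a previously recorded manifest."""
    present = {
        p.relative_to(backup_dir).as_posix()
        for p in backup_dir.rglob("*")
        if p.is_file()
    }
    # Files whose contents no longer match: the signature of in-place encryption.
    modified = [rel for rel, digest in manifest.items()
                if rel in present and sha256_of(backup_dir / rel) != digest]
    # Files that disappeared, and files that appeared (e.g. a dropped ransom note).
    missing = [rel for rel in manifest if rel not in present]
    unexpected = sorted(present - manifest.keys())
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        # True means this host could write to the backup, and so could malware on it.
        "writable": os.access(backup_dir, os.W_OK),
    }


def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same backup after one
    file has been overwritten with junk and an extra file has been dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "reports").mkdir(parents=True)
        (backup / "reports" / "2015-06-01.txt").write_text("constructed sample report\n")
        (backup / "arrests.csv").write_text("id,name\n1,sample\n")
        manifest = build_manifest(backup)          # would be kept off the backup media
        clean = verify_backup(backup, manifest)

        # Simulate tampering: contents replaced, plus a new file that was never backed up.
        (backup / "arrests.csv").write_bytes(b"\x00\x11\x22 not the original")
        (backup / "ransom-note-constructed.txt").write_text("constructed note\n")
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup ok:", before["ok"], "| writable from here:", before["writable"])
    print("after tampering ok:", after["ok"],
          "| modified:", after["modified"], "| unexpected:", after["unexpected"])
```

Run it as a scheduled job against each backup set, with the manifest on media the workstation cannot write to; a `writable: True` result on a backup that is supposed to be offline is itself a finding, independent of whether any file has changed yet.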

Companies should also limit each user to only the files and drives that person needs instead of “giving someone keys to the whole kingdom,” Samani says. If a computer is connected to all of a company’s file shares, ransomware can spread from that one infected computer and encrypt all of the company’s data just because its user inadvertently clicked on a malicious link. That’s what happened in a case Samani is familiar with.

“Subsequently what [the employee] did was he locked all those files,” Samani adds. “And the reality was that when they paid the ransom, they actually didn’t get the decryption key. The entire business was completely locked down.”

Most important, however, is taking a proactive approach to decrease the chances of ransomware infecting your devices and having to choose between losing your data and paying a ransom to decrypt it.

“You don’t want to leave the fate of your company or the fate of your business or the photographs of your family growing up to chance,” Samani says. “When it comes to ransomware, being proactive is the best defense.”