You’re an entrepreneur, managing the business from your PC. You’re a doting mother, with hundreds of photos of your children on your laptop. Now, if someone seized all those files, how much would you pay to get them back?
There’s nothing theoretical about the scenario. Hundreds of thousands of people have had to wrestle with that question as so-called ransomware infections have surged, encrypting billions of documents. Hackers demand hundreds or thousands of dollars to provide the key that unscrambles files so you can view and use them again. One particularly virulent strain, called CryptoWall, has infected about 625,000 systems and encrypted more than 5.25 billion files since mid-March, according to new research from Dell SecureWorks. One desperate U.S. victim paid the hackers $10,000.
Most malware is like a pickpocket, taking your valuables before you’re aware of it. CryptoWall and other ransomware are like a mugger: your money or your files. It’s smart, really, because in most cases, your files are most valuable to you. It’s also easy money for hackers, a lot less work than trying to sell 40 million purloined card numbers on the black market, à la the Target breach. Keith Jarvis, a SecureWorks researcher in Atlanta, found that 1,683 CryptoWall victims forked over a total of $1.1 million to the hackers.
“There’s nothing going on in the back end for these guys, they just sit back and wait for the money to come in,” says Jarvis. “They don’t have to paw through the data, they don’t have to figure out how to sell it.”
The stickup artists have also gotten a lot better at the scam in recent months. Ransomware started surfacing a few years ago, designed to lock your computer screen and demand money to get access back, says Jarvis. It was a bluff, though; the hackers might claim your files were encrypted, but they weren’t. Victims could break the lock with security software. The criminals relied on ignorance and threats of legal action for illegal downloads of movies or pornography to cow people into paying.
A more powerful version emerged last September called CryptoLocker, which, as the name suggests, really did encrypt files. If you didn’t pay, you lost your files forever. CryptoLocker spread to more than 530,000 machines, reaping $3 million for the group behind it, according to Fox-IT, before the infrastructure it relied on got taken down as part of a massive law enforcement effort in late May.
TDHServices, a small construction company near Houston that specializes in doors and frames, got hit in October. An office worker set the malware loose by clicking on an e-mail attachment, and within 24 hours up to 40,000 files on the company’s server and its cloud backup files were encrypted, says Julian Ramos, TDH’s vice president and the son of the company’s founder.
“We had 15 years’ worth of work in that server,” he says.
The screen displayed on the compromised computer had an ominous-looking timer that counted down from 72 hours, the ransom deadline, Ramos remembers. He quickly figured out he wasn’t going to be able to break it, and his father paid the $300 demanded. The thieves kept their end of the bargain and decrypted the company’s files. If they hadn’t, TDHServices might now be out of business.
“I don’t know what the threshold is where we would have said no,” Ramos says. “I think we probably would have paid up to every penny we all had, because every file is important.”
CryptoWall is the latest ransomware du jour, and it also does the encryption right. Unless you have backups somewhere unconnected to your computer or server, there’s no way to get your files without paying. Rates vary; SecureWorks saw one victim shell out $10,000, but most paid $500 to $1,000. Although large enterprises may have enough protections in place to foil ransomware on their networks, small businesses and individuals often don’t, Jarvis says. Adding to the headache: The CryptoWall group requires payment in Bitcoin, which most people and businesses don’t use.
More traditional ransomware varieties are also on the rise. Kovter, one of the screen-locking types, reached a high of 43,713 infections on a single day in June, according to security company Damballa. For the third quarter so far, the peak count for a single day has already surpassed that, at 59,589.
At TDHServices, no one in the office opens anything unless they recognize it, and the cloud file backup has its own backup. Just to be safe, Ramos also copies everything to a separate external hard drive on Fridays, before he leaves.
“We saw a police report that said don’t pay ’em,” Ramos says. “And I thought, ‘That’s easy for you to say, it’s not your business that’s on the line.’”