Thieves Are Using Ransomware Programs to 'Kidnap' People's Data Until They Pay

The technology uses state-of-the-art encryption to boggle its victims. It's also among the most tried-and-true scams in history, and recently caused chaos at a California hospital.
Photo by Motormille2 via Wikimedia Commons

Around for years but now widespread enough that it's likely already caused chaos at a local hospital, police department, or school district, so-called "ransomware" is fast becoming the tool of choice among hackers seeking to extort a quick buck.

The February 5 attack on Hollywood Presbyterian Medical Center in California shined a light on ransomware, a type of computer virus that encrypts a targeted system's data and then demands money in exchange for the key to decrypt the information.

On one hand, the technology uses state-of-the-art encryption to boggle its victims. On the other, it's among the most tried-and-true scams in history.

"Is it really different than kidnapping?" asked Chester Wisniewski, a ransomware expert at cybersecurity firm Sophos. "You're holding something of value and demanding money to return it safely."

The Hollywood hospital paid 40 bitcoins worth around $17,000 in exchange for its data back. The owners of bitcoins are nearly impossible to track.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," said hospital President Allen Stefanek in a statement.

But the medical center episode was just one of multitudes in recent years.

An October study by Cisco Systems' Talos security unit estimated that unnamed hackers using Angler Exploit — just one of a handful of commonly used ransomware bugs — netted $60 million annually. In December, a Kaspersky Lab report found that ransomware infections doubled last year compared to 2014. The lab found ransomware on 50,000 corporate machines. And researchers at Britain's University of Kent found that 41 percent of victims of ransomware software CryptoLocker paid to recover files.

The US Department of Justice has since claimed to have "neutralized" CryptoLocker. Its Russian founder, Evgeniy Mikhailovich Bogachev, is on the FBI's Cyber's Most Wanted List. Accused of stealing $100 million, Bogachev spends his free time boating in the Black Sea, according to the FBI.

One reason people don't hear about ransomware much is because folks rarely advertise their experiences with it.

"It's not an uncommon scam at all," said Wisniewski. "There hasn't been a lot of mainstream coverage, which is probably intended by victims. People are ashamed they gave money to crooks. So they don't want to talk about it."

But examples of the hacks abound.

Germany's Die Welt newspaper recently reported that Lukas Hospital in Neuss and other German hospitals have debated whether to pay ransoms or lose their data. (Lukas got rid of the virus without paying, suggesting administrators either possessed backups or could afford to lose the data in question.)

Last year, the Boston Globe reported that police departments from Chicago to Tennessee had been paying off extortionist hackers in order to gain access to their clandestinely encrypted arrest and incident reports.

Unidentified hackers posted a bold ransom note on the computer screens of cops in Tewksbury, Massachusetts: "If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist," the Globe reported.

After five days of trying to break the unwanted encryption, the Tewksbury cops gave in and paid $500 using Bitcoins and Tor, a program that preserves anonymity on the Internet.

The American cities of Durham, North Carolina, and Detroit, Michigan have also been held for ransom. They opted not to pay — Durham had backups and Detroit didn't need the data. Schools in Horry County, South Carolina are now figuring out whether or not they should pay $8,500 to regain access to their data.

Hospitals are especially vulnerable to ransomware attacks because they have enormous, sophisticated but also often-antiquated computer systems — think MRI machines using Windows 95 — reams of vitally important medical information on people and, sometimes, plenty of money to pay ransoms, experts said.

Whether or not Hollywood Presbyterian should have paid $17,000 remains to be seen, though.

"This possibly has the effect of emboldening additional criminal actors," said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.

But Kevin Haley, director of Symantec Security Response, said that people have to put themselves in a hospital administrator's shoes. If data that could save someone's life is locked up, it's less expensive to pay a ransom than wait for a techie who probably won't be able to break the encryption anyway.

In the near future, as ransomware hacks become even more prevalent, a lot of people might face similar situations, though hopefully not life-threatening ones, Haley added.

"Technically there is nothing to stop the bad guys from doing this on almost any 'Internet of Things' device," said Haley, referring to web-connected lights, refrigerators and other devices. "Would you pay the bad guys to watch television tonight? Would you pay them in the morning so you can start your car in the driveway?"

Follow John Dyer on Twitter: @johnjdyerjr