Criminals Increasingly Hold Government Computers for Ransom

This article was originally published at Stateline, an initiative of The Pew Charitable Trusts, and was written by Jenni Bergal.

In Maine, cybercriminals took over the computer system shared by five police agencies for about two weeks last year until the departments paid the crooks $300. In Los Angeles, a large hospital shelled out $17,000 this year to regain access to its electronic medical records that criminal hackers took hostage. And in eastern Ohio, Columbiana County was forced to pay more than $2,800 in ransom in June after computers in its juvenile court system became infected.

Cyber-age extortionists — who use so-called ransomware software to hijack computer systems and hold them hostage until their victims pay a ransom — increasingly are preying on local governments, hospitals and even police departments, and forcing officials to decide whether to meet the demands or risk losing their data.

“Without that information in our computers, we were stuck,” said Ronald Young, police chief of Damariscotta, Maine, one of the police departments hit in last year’s attack. “We needed to get it back. We use it on a daily basis. It contains information about arrests and warrants and any contact we have with the public.”

Even if officials decide to pay hundreds or thousands of dollars in ransom as the Maine departments did, their computer networks and communications are often crippled for a day or more by the viruses. If officials decide not to pay and restore their systems on their own, it can take days, even weeks, to get back up and running. In the meantime, public services for residents, schoolchildren and even hospital patients may be affected.

In a nation whose policy is not to pay ransom to terrorists, having to pay what often is taxpayers’ money to extortionists who frequently operate out of Eastern Europe or Russia is especially galling to someone like Young.

“It’s a sign of terrorism,” Young said. “I’m a former Marine and we don’t negotiate with terrorists.”

But in the end, he said, paying $300 was the only technologically feasible way the departments could reclaim their data. Paying ransom is a prospect that local and state officials increasingly are confronted with.

City and county governments, along with local school districts, have “seen an exponential rise” in threats in the last 18 months, said Srini Subramanian, a state cybersecurity specialist at the consulting firm Deloitte & Touche LLP.

Local and state governments were struck by as many as 450 infections a month between October and May, said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center (MS-ISAC), a federally funded group that tracks cybersecurity issues for states and local governments.

Since 2005, the FBI’s Internet Crime Complaint Center has received about 9,600 ransomware complaints from individuals, businesses and government agencies. The criminals typically demand between $200 and $10,000, but victims face other costs, such as loss of productivity, legal fees and IT services. Last year, they lost more than $24 million, according to the FBI.

“It’s a very large problem. We continue to see it grow,” Calkin said

A ‘Very Lucrative’ Crime

About six to 10 variations of ransomware are now being used to attack local and state agencies fairly regularly, Calkin said.

The infectious software typically gets launched when a computer user unknowingly clicks on an email with an attachment or link to a website. Sometimes, a user downloads it by browsing a website and clicking on what appears to be a legitimate link, such as a movie clip.

Once the malware is opened, it gets lodged in the computer system and locks files, encrypting them so data such as Microsoft Word documents or Excel spreadsheets can’t be accessed. It displays a message saying the computer has been infected and gives victims a certain period to pay ransom to unlock it so they can open their files or risk losing the data forever.

The ransom usually is small — in the hundreds or thousands of dollars — to make it easier for victims to comply, and often demanded in the digital currency bitcoin. Once they do comply, scammers send information showing how to unlock the files.

Ransomware perpetrators generally aren’t interested in stealing data and personal information from victims, as are other types of cybercriminals. They see it simply as a means to turn hacking into cash.

“Ransomware is very lucrative,” Calkin said. “If they send a million emails and only 1 percent click on it and they get $500 from each person, that’s not bad for a day’s work.”

The criminals, especially if they operate overseas, can be very difficult to track down, let alone prosecute, said Deloitte’s Subramanian.

Some write the software, others develop and test it, some send out the spam and some handle the ransom payments. Bitcoins are stored electronically and are transferred all over the internet, which makes the payments difficult to trace.

What’s easy to see are the effects the criminals can have.

When Hollywood Presbyterian Medical Center in Los Angeles was struck in February, the malware prevented staffers from communicating by email and using electronic medical records for 10 days. The hospital ended up paying about $17,000 in bitcoin to regain control of its system.

Calling Their Bluff Costs

Some victims call the criminals’ bluff and refuse to pay, usually because they have backup systems that can restore data without major delays and expense. But even that often comes at a cost.

Tom Barwin, city manager of Sarasota, Florida, said his city had no intention of coughing up ransom money when it was struck by hackers in February after a city staffer inadvertently opened a phony email. The cybercriminals asked for a huge amount — half a bitcoin per file, which staffers estimated would have cost about $33 million at that time, as 160,000 files were affected.

The ransomware corrupted the city’s file-sharing and storage network, so staffers had to freeze the system to fix it. Although the data was backed up, it took a day and a half to restore the information, Barwin said. Since then, the city has spent at least $100,000 for additional firewall and virus protection, and improving the speed and capacity of its servers.

Barwin scoffed at the idea of shelling out ransom. “We weren’t going to pay them a dime,” he said. “Our job is to enforce laws. We don’t encourage people to break them.”

Most state governments, whose computers store a lode of personal information on their residents, so far have successfully blocked ransomware attacks with firewalls and updated anti-virus programs, said Doug Robinson, executive director of the National Association of State Chief Information Officers.

But recently, he said, they’re seeing new, more sophisticated varieties that are harder to protect against.

“It has become very serious very quickly,” Robinson said. “In the last few years, it was primarily focused on smaller jurisdictions — local governments, water departments, police agencies. Now, we’re seeing it spread into the states.”

A survey of state information technology security officers released last month found that ransomware was one of the most prevalent cybersecurity threats they expect to face in the coming year.

Some states are taking extra precautions.

In Ohio, State Auditor Dave Yost’s office ran an in-house test in June, sending out a fake email to 100 randomly selected staffers. Twenty percent opened it. His office reported the results in an in-house, e-newsletter and warned employees to be careful. Then it sent out a set of fake emails to the entire staff in August. Seven percent opened them. After that, every staffer was required to complete mandatory cybersecurity training.

Even so, Yost cautioned that government officials can’t stop ransomware just by requiring staffers to be vigilant about email. “If something gets through, you’d better have your system locked down so they can’t do the kind of harm they want to do,” he said.

Some lawmakers also are taking notice and are seeking to up the punishment for unleashing ransomware. The California Legislature unanimously passed a bill in August that defined ransomware as a type of extortion, making it a felony punishable by up to four years in prison. Democratic Gov. Jerry Brown signed the measure into law last month.

But Calkin of the MS-ISAC said it’s unlikely such laws are going to have much effect on criminal hackers who operate abroad.

“Realistically, a state bill doesn’t make a lot of sense to me,” he said. “State legislation is not going to stop these people.”

Calkin said his multi-state group works with the FBI to help build ransomware cases. As of now, he knows of no arrests that have been made.