On a bitter cold Friday in January, an ominous warning popped up on a computer screen at the Chamber of Commerce in Bennington, Vt.
The warning — next to a ticking countdown clock — threatened to destroy all data on the computer if the chamber refused to pay a $400 ransom within 40 hours.
Local computer whiz Max Squires quickly identified the culprit: CryptoLocker, malware that encrypts every file it can reach, including photos and documents, with a key known only to the hacker.
Hackers operating on the Internet's "Dark Web" are spreading a new, more sophisticated generation of the malicious software known as "ransomware," anonymously shaking down anyone with an unprotected computer, from lawyers and cops to small businesses. Where small groups of anonymous hackers once hit individual consumers, the hackers have now organized into crime syndicates that boldly launch massive attacks against entire companies, computer experts and law enforcement authorities said.
Some victims get lost in the cumbersome details of the ransom payment process and run out of time, leaving their computers locked forever. Others pay right away and have their computers unlocked. Still others pay up, only to have the hackers run off with the money — and with the secret key.
Computer-threat researchers at Dell SecureWorks, who along with other security companies first identified the CryptoLocker attacks in September, estimate that the malware struck 250,000 computers in its first 100 days last fall. An Italian researcher who traced ransoms paid by victims in the anonymous digital currency bitcoin discovered that the hackers had set up more than 2,000 online "wallets" to accept ransoms. In three months, the researcher traced 771 ransom payments, eventually worth $1.1 million as bitcoin rose in value. Those ransoms, the researcher found, were transferred to a central online wallet on Nov. 23 that contained bitcoins worth $6 million.
"This suggests that our estimate of their racket is very conservative," researcher Michele Spagnuolo wrote.
The amount doesn't account for ransoms paid through prepaid cash vouchers such as MoneyPak, an option the hackers also offered.
Computer security company Symantec said a CryptoLocker imitator, CryptoDefense, struck computers at least 11,000 times in March alone, extorting more than $34,000 from the owners.
The attacks are frustrating both computer experts, who can't recover the encrypted files once the malware has run, and law enforcement agents, who have busted few of the underground rings that specialize in these attacks.
"CryptoLocker is the first mainstream attack where security companies don't have a method for decrypting the (virus)," said Roel Schouwenberg, senior security researcher for Kaspersky Lab North America, a computer-security company. "There is, effectively, no cure."
CYBERCROOKS BEHIND THE CRIME
Security researchers believe the latest versions of ransomware were created by hackers in Eastern Europe and Russia. The hackers conceal their infrastructure by routing the malware's traffic through Tor (The Onion Router), which bounces connections through a chain of relays so that the servers behind them are nearly impossible to trace.
The crooks infect computers by sending tainted e-mails that appear to come from the FBI, local police agencies or package delivery services such as UPS and FedEx. The attachment is typically an executable disguised as a PDF or other document; it is opening the attachment, not the e-mail itself, that runs the malware.
The crooks also plant the malware on websites and lure people there, often with pornography or the promise of free goods, or they compromise sites their targets already visit, an approach known as a "watering hole" attack.
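The disguised-attachment lure described above, and the "slight alteration in the file name" that caught the Charlotte law office later in this article, can be checked mechanically at the mail gateway. The Go program below is an added example, not code from the article or from any company named in it; the extension lists and the sample attachment names are constructed for illustration. It flags an executable extension hidden behind a document-looking one, including the variant that pads the real extension off-screen with spaces.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions that Windows runs when double-clicked. Constructed list for
// this example; extend it to match your own gateway policy.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".jse": true, ".vbs": true, ".vbe": true,
	".wsf": true, ".msi": true,
}

// Extensions a user reads as harmless content. The lure works because
// Windows hides known extensions by default, so "Voicemail.wav.exe" is
// displayed as "Voicemail.wav".
var decoyExts = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".wav": true, ".mp3": true, ".jpg": true, ".png": true, ".txt": true,
	".zip": true,
}

// CheckAttachmentName classifies an attachment by file name only. It returns
// "disguised-executable" for the double-extension trick, "executable" for a
// plain executable and "" for anything else, plus a human-readable reason.
// Content inspection (magic bytes, archive contents) is a separate job.
func CheckAttachmentName(name string) (verdict, reason string) {
	// Accept Windows or POSIX separators and compare case-insensitively.
	base := strings.ToLower(path.Base(strings.ReplaceAll(name, "\\", "/")))
	// Drop spaces: "Invoice.pdf          .exe" pushes the real extension
	// past the visible width of a mail client's attachment list.
	base = strings.ReplaceAll(base, " ", "")
	ext := path.Ext(base)
	if !executableExts[ext] {
		return "", ""
	}
	inner := path.Ext(strings.TrimSuffix(base, ext))
	if decoyExts[inner] {
		return "disguised-executable",
			fmt.Sprintf("%s executable presented as a %s file", ext, inner)
	}
	return "executable", fmt.Sprintf("%s attachment", ext)
}

func main() {
	// Constructed sample names modelled on the lures the article describes.
	samples := []string{
		"Voicemail_Message.wav.exe",
		"FedEx_Tracking_ID_7719.pdf      .exe",
		"FBI_Notice.PDF.scr",
		"setup.exe",
		"quarterly_report.pdf",
		"photos.tar.gz",
	}
	for _, s := range samples {
		verdict, reason := CheckAttachmentName(s)
		if verdict == "" {
			verdict = "ok"
		}
		fmt.Printf("%-42q %-21s %s\n", s, verdict, reason)
	}
}
```

A gateway would normally quarantine anything that scores "disguised-executable" outright and apply policy to "executable"; the name check is cheap, but it says nothing about an executable zipped inside an archive, which still needs the archive opened and each member name passed through the same function.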
"The tools are being continuously engineered to be more malicious, more harmful," said FBI Agent Nick Savage, assistant special agent in charge of the cyberbranch in the criminal division at the FBI's Washington, D.C., field office.
Ransomware crooks have also become bolder, demanding more money and targeting bigger fish, Savage said.
Victims who have gone public about the attacks include The Yuma Sun, a newspaper in Arizona that got hit twice in November, a police department in Massachusetts that paid $750 in bitcoin and LEAM Drilling Systems, a drilling company with 850 employees, based in Louisiana. The attack at the Vermont Chamber knocked three computers and a server out of commission.
HOW IT KIDNAPS YOUR HARD DRIVE
Once ransomware gets onto an unprotected computer, it walks through the files, including those on attached and mapped network drives, and encrypts each one so the owner can no longer read his or her data without the key.
Then a pop-up screen appears with detailed instructions on how to pay the ransom and obtain the key to unlock the files.
The criminals collect their ransoms through hard-to-trace payment methods such as Ukash, paysafecard, MoneyPak and bitcoin. The hackers provide detailed instructions, including a frequently-asked-questions link and a guide to purchasing bitcoin.
"It's a very cheap and effective way for cybercriminals to make an easy buck," said JD Sherry, vice president of technology and solutions at Trend Micro, a computer security company based in Irving-Las Colinas, Texas.
Wade Williamson, a senior threat researcher at Shape Security, says hackers deliberately seek only small sums of money and small- to mid-size targets because that is what the market will bear.
"If millions were stolen per transaction, you see a lot more interest from the FBI, from Interpol," Williamson says. "This stays underneath the radar."
At Paul Goodson's Charlotte law office, the malware came in through a brand new, top-of-the-line service that delivers voicemails directly to employee e-mail. An employee clicked on the attachment, not noticing a slight alteration in the file name, and launched the malware.
The screen turned red. The ransom note, in awkwardly written English, demanded $300 to be paid with a Green Dot card within three days or the ransom would double. The IT staff wanted Goodson, a disability attorney, to simply pay the ransom and move on.
"My reaction was not that calm and not one that you can print," Goodson said. "I'm a trial lawyer. When pushed, we don't back up. We push back. It's not in my nature to just roll over and see what happens."
Goodson never got the chance. The ransom screen did not reappear and the files remained frozen. Fortunately, the law office had backup systems and the tech experts restored 85% of the firm's data.
Charlotte Police Detective Chris DeCarlo of the cybercrimes unit described the attack as "one of the most sophisticated that we'd seen."
"You could spend many lifetimes running computer software to try to break the encryption," DeCarlo said.
CryptoLocker encrypted the files using one half of a key pair, a public key that was left on Goodson's network, while the matching private key needed to reverse the encryption stayed with the hackers.
"Think of it like a nuclear launch. You need two people to turn the key at the same time," DeCarlo said. "To get them to turn the key, you have to pay a ransom."
The cybercrimes team examined the emails used to launch the virus and the malware itself. They traced it back to Poland and Ukraine, DeCarlo said. And there the trail ended.
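DeCarlo's two-key analogy is public-key cryptography used for key wrapping, and it explains why the trail ending in Poland and Ukraine also ended any hope of decryption: everything recoverable on the victim's side, the malware binary included, holds at most the public half of the pair, and only the private half reverses the encryption. The Go program below is an added example written for this article, not CryptoLocker's code or its on-disk format; the choice of AES-256-GCM for the file body, RSA-OAEP for wrapping the per-file key, and the Envelope layout are this example's own. It also shows what happens when a defender tries an unrelated private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope replaces a victim's file under this scheme: the file body under a
// fresh per-file AES key, plus that key wrapped to the attacker's RSA public
// key. The matching private key is never present on the victim machine.
type Envelope struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext of the original file
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the victim-side step. Only pub is needed here, which is why a copy
// of the malware, its memory or anything else left on the network does not
// help a defender: it contains at most the public half of the pair.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Discard the plaintext file key; the only surviving copy is the wrapped
	// one, which is readable solely with the private key.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the step the extortionists sell: unwrap the file key with the
// private key, then decrypt the body. With any other key it fails.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip generates a fresh attacker key pair, seals plaintext to it, and
// returns the bytes recovered with the matching private key together with the
// error produced by an unrelated private key (the defender's position).
func RoundTrip(plaintext []byte) (recovered []byte, wrongKeyErr error, err error) {
	attacker, err1 := rsa.GenerateKey(rand.Reader, 2048)
	bystander, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	env, err := Seal(&attacker.PublicKey, plaintext)
	if err != nil {
		return nil, nil, err
	}
	if recovered, err = Open(attacker, env); err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = Open(bystander, env)
	return recovered, wrongKeyErr, nil
}

func main() {
	// Constructed stand-in for a victim file.
	doc := []byte("Bennington Chamber membership directory, 2013")
	recovered, wrongKeyErr, err := RoundTrip(doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with attacker's private key:   %q\n", recovered)
	fmt.Printf("with an unrelated private key: %v\n", wrongKeyErr)
}
```

Running it prints the recovered text on the first line and a decryption error on the second. Brute-forcing a 2048-bit RSA private key is the "many lifetimes" DeCarlo refers to, so the practical defenses are the ones the article comes back to: stop the attachment from running, and keep a backup the malware cannot write to.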
Law enforcement discourages victims from paying the ransom since it encourages the perpetrators to strike again.
It's also a risky business. Sometimes, after the ransom is paid, the criminals send the key to decrypt the files, Savage said. Other times, they take the money and run, leaving the files inaccessible. Some victims pay the ransom, only to get hit again.
"As they say, no honor among thieves," Savage said.
A DECADE-LONG BATTLE
Modern ransomware emerged in Russia around 2006. By 2009, computer-security experts had traced it to hackers in Russia and Eastern Europe. Since then, it has moved steadily west, in various new-and-improved iterations.
Earlier versions did not encrypt files. Instead, they locked the screen with messages that appeared to come from law enforcement, tax collectors or other official agencies. The messages threatened arrest if the victim failed to pay a fine for some alleged infraction of the law, usually visiting a porn website.
In February 2013, Spanish Police and the European Cybercrime Center arrested a 27-year-old Russian and 10 accomplices who allegedly extorted millions of dollars using ransomware. The ransom notes, which appeared to be from police, demanded a "fine" of 100 euros, and first appeared in Spain in 2011.
US-CERT, the United States Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert about CryptoLocker on Nov. 5. A day later, cybercriminals shook down police in Swansea, Mass., who paid $750 in bitcoin to unlock their hijacked police department files.
The National Crime Agency in the United Kingdom issued an alert on Nov. 15 warning of a mass email spamming that appeared to be from banks and carried the CryptoLocker virus. The agency attributed the attack to organized crime groups.
British authorities urged victims not to pay the ransom. But a University of Kent survey in January found that 10% of computer owners had been hit by CryptoLocker and nearly half of those hit had paid the ransom.
HOW TO PROTECT YOUR DATA
Most computer security software can identify and block suspicious e-mails, but the anti-virus signatures must be scrupulously kept up to date.
Sherry recommends what he calls a 3-2-1 strategy: keep three copies of your data, on two different types of media, with one copy in a physically separate location. That separate copy should not be a drive the working computers can write to, because CryptoLocker encrypts any file it can reach, including files on network shares.
The FBI's Savage urges victims to report any malware attacks.
"Often, it's one piece of information that someone has — one puzzle piece — that can put it all together and unlock everything for us."
At the Bennington Area Chamber of Commerce, unflappable director Joann Erenhouse sprang into action when the virus struck, following the bizarre instructions on the screen.
The note demanded $400, to be paid with a hard-to-trace MoneyPak prepaid card. Such cards are outlawed in Vermont. So Erenhouse drove to a Wal-Mart in Massachusetts, purchased the card and raced back to the office to pay the ransom. The card didn't work.
"It was such pandemonium," Erenhouse recalls.
Squires and Erenhouse tried to e-mail the cybercrook, but got no answer.
"Apparently, the crooks don't work weekends," Erenhouse said.
Next, they tried purchasing bitcoins, a process that can take up to 48 hours for a new user. The clock continued to tick down. By the time they tried to pay the ransom, it was too late. The crook had fled without providing the key, leaving the Chamber's data inaccessible.
"CryptoLocker was nowhere to be found. They completely disappeared … There was no one to pay," Erenhouse said.
The attack left the Chamber's entire database of 130,000 files encrypted and unrecoverable, including its membership directory and years of records on the city's renowned Garlic Fest. The computers had to be replaced, costing the Chamber $4,000 and dozens of hours of aggravation.
"Everything we've been collecting for the last six months (was) gone in a flash," she said. "It's like we're starting from scratch."