In Bitcoin Era, Ransomware Attacks Surge

Dave Winston, crew chief with Circle Sport-Leavine Family Racing, fell victim to a ransomware attack. What are these attacks and how can they be stopped? Photo: Joe Chisholm for Circle Sport-Leavine Family Racing

One evening in April, Dave Winston stood in a convenience store in suburban Charlotte, N.C., uneasily shoving $ 20 bills into a slim automated-teller machine unlike any he had ever seen. He was buying bitcoin, a digital currency unknown to him a few hours earlier, before hackers took over his computer.

Mr. Winston, crew chief with the Circle Sport-Leavine Family Nascar race team, is among a growing number of victims of a pernicious type of malicious software called ransomware, which has earned millions of dollars for cybercriminals by encrypting computer files and holding them hostage.

Ransomware dates to the late 1980s, but attacks spiked this year amid the growing use of bitcoin and improved encryption software. Malicious code turned Mr. Winston’s Excel spreadsheets and Word documents into unreadable gobbledygook, and hackers told him to pay $ 500 in bitcoin to unscramble them.

Mr. Winston doesn’t know how the software infected his computer, but security experts say attacks often start with an email message containing an attachment or a link to a website that quietly installs the software.

Once considered a consumer problem, ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat. According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day. Typical ransomware payments range from $ 500 to $ 1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $ 30,000an attack that crippled a large portion of the hospital’s computer systems.

Hollywood Presbyterian Medical Center in Los Angeles paid roughly $ 17,000 to unlock files in February, following an attack that crippled a large portion of the hospital’s computer systems.

The Federal Bureau of Investigation said ransomware attacks cost victims $ 209 million in the first three months of the year, including costs, such as lost productivity and staff time to recover files, that is an average of about $ 333,000 an incident, based on complaints that it has received. The total is up from $ 24 million for all of 2015, or about $ 10,000 an infection, the FBI said.


Ransomware is deviously simple. Often after tricking the victim into clicking on a malicious link or attachment, the software then encrypts files—often targeting Microsoft MSFT 0.03 % Office documents—and displays a message with instructions to recover them. A ransomware maker who calls himself “The Rainmaker” offers a $ 39 version of his software on hacker forums. A Microsoft spokesman said, “We are committed to helping protect our customers, and Office includes features to help prevent macro-malware infections.”

Many ransomware attacks exploit known bugs in software, and attackers depend on people not installing updates. Criminals find ransomware easier and more profitable than other scams, such as breaking into consumers’ computers and stealing money via online banking, said Juan Andres Guerrero-Saade, a researcher with Kaspersky Lab ZAO.

Another factor is the increasing use and stability of bitcoin, the digital currency. Bitcoin is now the preferred payment method of most ransomware infections because it allows users to send and receive money from anywhere in the world, often anonymously.

One university chief security officer said he purchased two bitcoin “mining” machines, which generate bitcoin on their own by performing the complex calculations that allow the bitcoin financial network to operate. Since January, he has been using these systems to stockpile bitcoin, just in case he needs to quickly recover a critical computer. He spoke on condition of anonymity to avoid making his employer a ransomware target.

In the Hollywood Presbyterian Medical Center hack, cybercriminals broke into a server in late January. After two weeks of reconnaissance, they struck on a Friday night, when the hospital’s tech staff was off, encrypting data on 850 computers and 150 servers and rendering documents unreadable, according to Steve Giles, the hospital’s technology manager.

The lab and pharmacy were unaffected, but doctors’ orders, patient transfers and payroll systems had to be logged on pen and paper. By 3 a.m. Saturday, the hospital declared a state of emergency.

The hackers’ warning was stark: Pay $ 9,000 in bitcoin within seven days or the hospital’s systems would be destroyed. Mr. Giles paid the ransom later on Saturday.

Mr. Giles felt he had no choice. “I called the CEO and said, ‘Even if they don’t send us the encryption code, this is a worthwhile bet.’”

The next day, the hackers demanded another $ 8,000, a common tactic according to the FBI. After the second payment, Mr. Giles received a series of about 60 letters and numbers needed to unlock the hospital’s files.

Since the Hollywood Presbyterian attack was made public, Mr. Giles has seeking advicefielded calls from ransomware victims seeking advice. He has heard from a taxi company in Los Angeles, a chemical plant in Arkansas, water districts in Michigan and Nevada. None revealed if they had paid ransoms; some wouldn’t name their employers, to avoid becoming a target.

The data held hostage on the computer of race team crew chief Mr. Winston amounted to a blueprint for controlling the car in different conditions, including data for adjusting the springs, shocks and driver controls. The attack threatened his team’s ability to participate in a race just days away in Fort Worth, Texas.

As he fed bill after bill into the ATM, Mr. Winston felt he was probably throwing money away. “I felt like it was an extreme long shot,” he said, “but it was a shot that I thought we had to take.”

His $ 500 bitcoin investment paid off. His files unlocked, the team finished two laps off the winning pace that Saturday in the Duck Commander 500 at Texas Motor Speedway.

Write to Robert McMillan at [email protected] US Business

About The Author