Virtual extortion a big business for cyber criminals

Robert Herjavec on "Shark Tank."
Shark Tank's Herjavec: The biggest cyber threats of 2016   

Extortion, one of the oldest tricks in the criminal bag, is wreaking havoc in the brave new digital world — and generating lots of money for cyber crooks.

Ransomware, as this latest wrinkle in malicious software, or malware, is known, stealthily infects a desktop or laptop computer, sometimes locking up the machine, but more often encrypting data and files, rendering them unusable. Then an ominous message from the attacker pops up, demanding a ransom be paid in order to unlock the computer or decrypt the data.

The latest notable casualty is a Hollywood-area hospital that had its internal hospital computer system shut down by hackers who demanded $3.7 million in ransom this week.

Participants at a hacking conference.
Getty Images
Participants at a hacking conference.

Conceivably, every business and consumer using the Internet is a potential target for ransomware perpetrators, although small and medium-size businesses (SMBs) have become particularly easy marks.

"SMBs are incredibly vulnerable to these types of attacks," warned Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, an IT security company in Irving, Texas, adding that large companies' IT departments usually invest in robust cybersecurity programs. "I'd say the threat level is critical. Small businesses lack the resources, the security and the multi-layer defense programs to help protect themselves. And it's only escalating."

Early versions of ransomware have lurked for more than a decade, but the latest ones are increasingly sophisticated, as are the cyber crime gangs that assiduously update their malignant programs and find novel ways to elude cybersecurity experts and law enforcement.

"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today," stated The Evolution of Ransomware, a 2015 report from Mountain View, California-based cybersecurity firm Symantec.

While ransomware is a global menace, the Symantec report said, the U.S. is the primary bull's eye.

"This is a business, and it's all about making money," said Dmitriy Ayrapetov, director of product management at Dell SonicWALL, the Round Rock, Texas-based computer company's network cybersecurity division.

Just how much these nefarious businesses are making is tough to peg. Ransom demands have reportedly been for as much as $50,000, yet the average paid is $300, and nearly 3 percent of the victims agree to pony up, according to Ayrapetov. With the cyber criminals hitting millions of users, the FBI reports.

Originally, cash cards and wire transfers were the currency of choice, but because cash can be traced, bitcoin is now the favored tender, exchanged over Tor and other anonymous online networks. "It's the perfect payment method," said Kevin Haley, director at Symantec Security Response. Many victims are unfamiliar with digital currencies including bitcoin, but like any diligent web enterprise, "these guys will walk the uninitiated through the process," Haley said. "This gives you an idea of the operations and how successful they are. They have people in technical support, for God's sake."

How they propagate their pernicious payloads reveals the technological state of this dark art. One pathway is through Internet browsers running versions of Java, Flash, Shockwave and other ubiquitous software and plug-ins that haven't been updated with the latest security patches. Ransomware creators are constantly embedding advertising, pornography, shopping and other highly trafficked online networks with their handiwork, which is programmed to ferret out those browser vulnerabilities and infect computers when the end-users click on activating links.

The other common entry point is through spam emails that contain an attachment including ransomware. The email is disguised to look like it's from a package delivery service, such as a bank, the IRS, an employment agency or even the FBI, and prompts the recipient to download the attachment, thus unleashing the ransomware.

The urgent ransom notes that appear are basically intended to freak out the victim to pay up or else. For example, a screen purportedly from the FBI, including its official logo, alerts the victim that suspicious downloads — of porn, copyrighted music or other illicit material — have been detected. Another ruse is that a user account needs to be updated by clicking on a link, or that tax returns aren't complete. The attacker threatens that unless the ransom is paid, typically within a couple of days, the encrypted files will be forever lost and legal action may follow. Payment instructions follow.

Then comes the decision of whether to pay the extortionist or not.

"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today." -The Evolution of Ransomware, Symantec report

"If you're a small business, all of a sudden all your data is encrypted and you can't recover customer information, contracts, legal documents and other vital material," Ayrapetov said. "Is it worth being able to continue running your business for just $200?" Considering that the National Cyber Security Alliance has estimated that 60 percent of small businesses hit by cyber attacks end up going out of business, it's a difficult call.

Those who do pay, however, most often can recover their data. "They stick to their word," Ayrapetov said of the hackers, "because they want the business to be a sustainable model."

Indeed, the ransomware business is expanding beyond computers to target smart phones, tablets and potentially anything connected to the burgeoning Internet of Things. "Imagine your watch, your router, almost any device that has an operating system — your smart television, cable box, car, doors, thermostat," Haley said, also imagining the ransom threat. "You can heat up your house, but it will cost you a bitcoin."

How to beat the hackers: CTO
How to beat the hackers: CTO   

So how can individuals and SMBs protect themselves from ransomware? "The No. 1 thing is to make backups" of critical files, said Nate Villeneuve, a principle threat intelligence analyst at FireEye, a cybersecurity firm in Milpitas, California. Beware, however, that any servers, hard drives or other backup sources connected to a network will probably be infected, too. It may be wise, therefore, to back up onto a separate source or a cloud storage service.

"Also, keep operating systems, browsers and plug-ins, especially Flash and Java, up to date," Villeneuve said. In other words, when you see those update notices pop up on your screen, do as they say. Off-the-shelf antivirus software adds another layer of protection, and FireEye, Symantec, Trend Micro, Dell and other cybersecurity vendors offer solutions for SMBs.

Experts urge everyone to be extra vigilant for spam, even if it looks legitimate, and to never download an unknown file. Many companies run drills, sending employees fake emails to see how many get fooled. "Use it as a teaching moment, not ashaming moment," Haley said.

Meanwhile, the FBI, other law enforcement agencies and cybersecurity vendors are collaborating in the hunt for ever-evolving ransomware and "the bad guys" who scramble to stay one step ahead of the cyber cops. It's a perpetual cat-and-mouse game, but Ayrapetov, for one, is optimistic that ransomware's days are numbered, with a caveat: "In about two years, it will probably be difficult enough for the malware writers that they'll start looking for something new."

— By Bob Woods, special to CNBC.com