Pay up or else: Ransomware is the hot hacking trend of 2016

There are steps you can take before forking over cash for vital files held hostage. Your results may vary.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read

Getting locked out of your computer, phone or smart TV is a vexing situation with no easy solution.

William Whitehurst/Corbis

Hackers struck Hollywood Presbyterian Medical Center last month. They encrypted files critical to running the hospital's systems. And then they asked for money.

After three weeks of operating without crucial computer programs, the Los Angeles hospital paid a $17,000 ransom to restore its systems.

The attackers followed the pattern of other "ransomware" hacks by sneaking onto the victim's computer system, scrambling the files with an unbreakable code and refusing to release them until a ransom is paid. Around the same time, two German hospitals and the Los Angeles County Health Department saw their files seized in the same maddening way.

While you may not be responsible for keeping sick people alive, you could face a demand for ransom, too. Consumer computers running Microsoft Windows software have already been frequent targets for ransomware. It had long seemed that Apple computers were immune, but news broke this week of the first ransomware targeting Macs.

Because people report only a fraction of ransomware attacks to federal authorities, it's hard to say exactly how big the problem is. But the bad guys writing this code are getting more creative and sophisticated, and a crop of frightening ransomware tools with names like Locky and CryptoWall have plagued businesses and consumers alike over the past year.

A report published Thursday by the Institute for Critical Infrastructure Technology, a Washington, DC-based cybersecurity think tank, looks at how the growing network of Internet-connected household devices, from Samsung refrigerators to Nest thermostats, could make you even more vulnerable to ransomware attacks. Market forecaster Gartner expects 6.4 billion connected devices will surround us in the home and workplace this year.

"As more devices are connected to the threat landscape referred to as the Internet of Things, ransomware will have greater power over victims," the report's authors wrote.

That's right. Prepare to see your smart TV held hostage.

But wait, there's good news too. The report's authors point out several ways you can avoid becoming a victim of ransomware. None is guaranteed to work, but at least you'll know you tried.

Back up your files

The two German hospitals struck by ransomware had backups of their critical files, so they could laugh off the demand for money. Wouldn't you love to be in that position?

With all the cloud services out there and the availability of easy-to-use external hard drives, you have plenty of options for backing up your files.

The catch: This isn't a guarantee that you'll be safe from ransom demands. You might get hit right before you need to turn in an important term paper or work project that you didn't back up yet. Or you might be the victim of ransomware that also seeks out backup copies. (Yep, that exists.)

Don't panic

If you can stop the screaming in your head for a moment, you may be able to find a solution. Some attacks rely on malicious software that has known fixes, which you can find with some quick online searching.

"Many users pay the ransom without exploring alternative options simply because accepting the lost revenue is easier than applying effort," the report's authors wrote.

What's more, many attackers download their malicious software onto your computer from piracy and porn websites. They've gone so far as to create fake alerts claiming to be from the police, saying that if you pay a fine you won't be arrested for downloading pirated software or files. Shame and fear get people to pay without looking for alternatives.

"It's more psychological than it is technical," said James Scott, senior fellow at the Institute for Critical Infrastructure Technology.

The catch: Some ransomware is quite technically advanced. If you don't have backups and your files are truly irretrievable, you might have to pay if you want them back.

Pay up

When you face the real deal, even the FBI says you should pay.

"The ransomware is that good," Joseph Bonavolonta, the Boston-based assistant special agent in charge of the FBI's Cyber and Counterintelligence Program, said at a 2015 cybersecurity event, according to cybersecurity publication Security Ledger.

The average ransom demand is $300, according to the Institute for Critical Infrastructure Technology, but attackers will pick a number based on how much money you might have. Big companies might see demands for millions of dollars, and regular people might only have to pay a tiny amount.

The really big catch: You might not get your files back! Seriously. Cryptolocker, which is ransomware spread by a crime ring before it was taken offline by law enforcement in 2014, extorted $3 million from users but didn't decrypt the files of everyone who paid, according to the institute's study.

This really sucks, right? If you're so unlucky that you've followed all these rules, paid a ransom, and still didn't get your files back, my final tip would be...

Remember all physical objects eventually turn to dust.

For perspective, I like to think of how biologist Jan Zalasiewicz told a Radiolab reporter that objects like books will eventually become fossils over hundreds of millions of years. Computer files may be ethereal strings of ones and zeros, but they're not permanent, either.

If nihilism isn't your cup of tea, I suggest hugging a puppy.