SAN FRANCISCO — New Orleans’ city government crippled. A maritime cargo facility temporarily closed. Hospitals forced to turn away patients. Small businesses shuttered.
The cause in each of these incidents: ransomware attacks. In recent years, hackers have taken to locking down entire computer networks and demanding payments to let users back into their systems.
The frequency of ransomware attacks — among the scariest and most costly online assaults — has been hard to pinpoint because many victims quietly pay off their attackers without notifying authorities.
Now, an array of new data provides perhaps the best available picture of the problem. In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41% increase from the year before, according to information provided to The New York Times by Emsisoft, a security firm that helps companies hit by ransomware.
The average payment to release files spiked to $84,116 in the last quarter of 2019, more than double what it was the previous quarter, according to data from Coveware, another security firm. In the last month of 2019, that jumped to $190,946, with several organizations facing ransom demands in the millions of dollars.
Security experts say that even these numbers underestimate the true cost of ransomware attacks, which have disrupted factories and basic infrastructure and forced businesses to shut down.
“Anything of value that is smart and connected can be compromised and held for ransom,” said Steve Grobman, chief technology officer at McAfee. “If critical infrastructure systems are held for ransom, what is our policy going to be for dealing with those?”
The data from the security companies and the number of recent ransomware incidents show a dramatic escalation for a type of attack that, just a few years ago, was mostly directed at individuals, who had to pay only a few hundred dollars to get their files back.
The Coast Guard said in December that ransomware had forced a cargo transfer facility to shut for more than 30 hours after attackers took control of “the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.” The Coast Guard did not reveal the location of the facility.
The city of New Orleans, one of dozens of cities hit by ransomware over the last year, was attacked with similar ransomware late last year and is still conducting many operations on paper, with police officers recording incidents manually.
Cities appeared to be high on the target list because they are among the only victims who have to report the attacks. In reality, public sector organizations represented only around 10% of all victims last year, Coveware said.
Barclays and several other banks are still unable to make foreign currency conversions for customers more than a month after Travelex, the company that provides them with cash, was targeted by ransomware known as Sodinokibi, or REvil. The BBC reported that the hackers demanded $6 million.
Ransomware attacks have also caused a number of small and medium businesses to shut altogether, like Colorado Timberline, a printing company with a few hundred employees near Denver, and Brookside ENT and Hearing Services in Battle Creek, Michigan, a 10-person medical office.
“I was suddenly retired and I didn’t want to be,” said Dr. William Scalf, one of two doctors at Brookside, which closed in April after failing to recover its medical files from hackers who demanded $6,500.
U.S. authorities have not released statistics on the broad changes in ransomware attacks, but the FBI noted in its latest warning that the attacks were becoming “more targeted, sophisticated, and costly.”
The agency said an online portal for reporting incidents received 1,493 reports in 2018. But officials think that number was likely “artificially low” because it did not include reports from field offices or agents or any number of other sources.
“What we find most concerning is that it causes not just direct costs, but also indirect costs of lost operations,” said Herbert Stapleton, cybersection chief at the FBI. “We certainly view it as one of the most serious cybercriminal problems we face right now.”
Europol, the European Union’s law enforcement agency, has gone further, calling ransomware the “most widespread and financially damaging form of cyberattack.”
“We have had success stories, but to be honest, it is becoming more and more complicated,” said Fernando Ruiz, acting head of Europol’s European Cybercrime Center. “This is a garden for them, and we need to change that.”
Government authorities and security experts say the problem will get worse before it gets any better. In the last month, two security firms have identified a new form of ransomware, known as Snake or Ekans, that appears to be focused on freezing the software responsible for industrial processes at big oil and petroleum companies.
The assailants carrying out ransomware attacks have proved hard to identify because the technology they use, like bitcoin and anonymous messaging platforms, allows them to communicate and transact with victims without being easily tracked.
Many of the criminals operate from countries outside the reach of U.S. law. The Justice Department has indicted hackers in Iran, North Korea and Russia, but none appear to face any threat of extradition.
U.S. authorities have suggested that several of these attackers have operated with the protection of their governments, and have helped their governments by passing along hacked files.
Security experts said ransomware has evolved into an industry, with hundreds of gangs vying for the most lucrative victims. Some hackers have specialized in “ransomware as a service,” writing the victim-facing software and selling it to others through the so-called dark web. They have even built out customer-service centers to deal with victims and their payments.
In recent attacks, the hackers often spent months quietly scouting out the innards of the computer networks of potential victims to ensure they have every important file tied up.
They are often eager to prove to victims that they will return the files when they are paid, to ensure a prompt transaction. When victims don’t pay, some gangs have begun publicly releasing private files to ratchet up the pressure — as was the case with Southwire, one of the world’s largest electrical wire and cable manufacturers that operates out of Georgia.
Southwire filed a lawsuit against its attackers, unknown hackers, asking for the site where the company’s files had been published to be taken down. But the hackers soon moved their operations to a new site and released even more files.
Some businesses and city governments are taking out insurance to be ready for ransomware demands. Bryan Sartin, head of global security services at Verizon, said he encourages clients to create a slush fund with bitcoin.
“Almost everyone says we will never pay the ransomware, but when push comes to shove, probably two out of three will,” Sartin said.
Law enforcement officials have warned against giving attackers more confidence that they will get paid. But the attacks have become widespread enough — and the ransom payments frequent enough — that cybersecurity insurance rates are rising.
Ransom costs aside, the worst outcomes can come when dealing with gangs that wipe the files they locked down.
The medical practice that Dr. Shayla Kasel had built over 20 years in Simi Valley, California, was hit last August by ransomware. After her malpractice insurance connected her with a ransom negotiator and a forensic expert, she was told that even if she paid $50,000 for each of the digital keys that could unlock her different servers, there was only a 15% chance she would get her files back.
Kasel said she limped along for a few weeks, seeing the patients who happened to come through her door and recording everything on paper. But she ultimately decided it wasn’t worth trying to rebuild her files and business from scratch and risk facing lawsuits and fines. She shuttered her practice in December after incurring around $55,000 in expenses.
“The hardest part after 20 years was to suddenly tell patients ‘Yep, I’m quitting,’” Kasel said. “It was an agonizing decision.”