Harvard researcher: Ransomware attacks are $350 million global industry

BOSTON — They hit your computer screen like a time bomb, complete with a countdown clock, threatening language and instructions on how to buy back your own data.

Ransomware attacks cripple systems, compromise data and leave victims completely vulnerable. They’re also on the rise.

“We’ve seen a huge uptick in this activity and I think the answer is really obvious: all of us are working remotely now,” said David O’Brien, assistant research director for Privacy and Security at Harvard University’s Berkman Klein Center for Internet & Society.

O’Brien said it’s estimated as much as $350 million was paid out to ransomware gangs in the last year. A decade ago, cyber-criminals started targeting individuals, but soon realized they could extort more money out of schools, cities and large corporations.

“They figured out over time it’s actually much more profitable to target larger organizations,” O’Brien said. “Don’t extort them for just a few hundred dollars like you might see in the case of a personal attack, but actually a few million or a few hundred thousand.”

Haverhill Public Schools was forced to close Thursday after the district was hit by a ransomware attack. Hackers also disabled major computer systems in the City of Lawrence. Sources told 25 Investigates reporter Ted Daniel the city is “arranging payment” to regain control.

“It’s become a rather lucrative business,” O’Brien said. “They have a whole business model. There’s an entire ecosystem set up to support ransomware criminal gangs.”

How do they get in?

O’Brien said most hackers are able to breach systems by tricking someone into letting them in.

“Usually the simplest way it starts is in an email, a phishing attack,” O’Brien said. “It’s an email that’s been spoofed to make it look like something you’re expecting.”

Should victims pay?

According to O’Brien, the Justice Department and FBI say no.

“The answer is pretty clear to me from a public policy perspective. I think we don’t want to see these things actually being paid out because, again, it just sort of furthers this activity in a way we really don’t want in the long term,” O’Brien said.

But O’Brien understands the conundrum. No business, school district or government wants to risk losing all that data.

“In a lot of cases, if they’re not set up to defend or rebuild the system, if they haven’t backed up all of that data, it’s not coming back; and so their only option may be to pay or give it up entirely,” he said.

If they don’t pay, the stolen data will be posted online

According to O’Brien, ransomware gangs are using this new tactic to gain leverage over their victims. In this scenario, the threat is not losing the data forever, but having it released online where anyone can access it.

“If you don’t pay this ransom, what we’re going to do is we’re actually going to dump it online,” he said.

This is especially troubling when personal or sensitive information is involved, O’Brien said.

Ransomware gangs know how much organizations are willing to pay

Cyber-criminals do their homework and often know how much the data they steal is worth. But it’s a double-edged sword for institutions that have to pay top dollar for robust cyber-security systems. O’Brien said it’s a cost-benefit analysis: how much is the data worth to protect, and how much is it worth to lose?

“They actually know the price points at which various organizations are likely to pay and that’s how they price the ransom. It’s really clever and it’s one of the things that led to a lot of these payouts,” O’Brien said.

And even if the criminals are identified, it’s almost impossible to bring them to justice. According to O’Brien, most ransomware gangs operate overseas in countries like Russia and North Korea.