Weapons of mass destruction.

Photo: Patrick Lux/Getty Images

The Sony Hack and the Rise of Cyber Ransoms

Katie Benner is a Bloomberg View columnist who writes about technology, innovation, and the cult and culture of Silicon Valley. She lives in San Francisco.

Just three days before cyber-attackers crippled Sony Pictures, the hackers sent an e-mail to executives Michael Lynton and Amy Pascal that said they would do great damage to the company if they weren’t paid off.

The note, discovered by Mashable, was simple and straightforward, though sketchy on the payment details:

We've got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You'd better behave wisely.
From God'sApstls

The e-mail has been largely forgotten amid the blur of Sony-related cyber-attack coverage, including stories about backstabbing e-mails and North Korea’s purported role in the hack over the film “The Interview.” But security experts say it’s not unusual for companies to receive e-mails from hackers who threaten to hold data hostage, or destroy it altogether, if payment isn’t made. In some cases, the attackers do hold systems for ransom and they do get paid.

“Recently we have seen an uprising in ‘cryptolockers’ and [malware that] is referred to as ‘ransomware,’ which allow the criminal to hold assets hostage in exchange for things not attached to the Internet, like the ability to block the release of a movie or even hostage exchange,” says Ryan Wager, director of product management at the security company vArmour.

Just this month, several hospitals were infiltrated by hackers demanding payment. (Hospitals, full of sensitive patient data, have been hit in the past, too.) The criminals’ playbook was pretty much the same as what’s used in most of these attacks. The hackers got in, used a type of ransomware to encrypt files and then demanded payment in return for the key. Here’s how David Wood, co-owner of an Australian medical center that recently got hit, described how it was hacked:

“They literally got in, hijacked the server and then ran their encryption software,” he said, adding that the data was “secure in the sense that no one's taken any of it.” A security expert told the news media that the damage was extensive enough that the hospital would probably have to pay.

Security researchers say the use of ransomware has exploded over the past year, largely because the black market for credit-card numbers and other personal data is oversupplied. As prices plummet, creative attackers have looked for other ways to make money on lax corporate security.

A few years ago, hackers typically held information on individuals’ laptops for ransom. They still do that, but now they’re targeting small and midsize companies that don’t have the money or know-how to build big security systems. They’re also using employees' personal laptops to tunnel into bigger networks.

“One of the scariest changes is that attackers are even getting better at getting to your backup data,” says Marc Maiffret, the chief technology officer at the cybersecurity startup BeyondTrust. Researchers say hacking groups looking to make more money with ransomware are also selling their services to the highest bidders, essentially as hacker mercenaries. Maiffret says that’s one reason smaller countries and terrorist groups that traditionally haven’t had a strong cybercriminal presence are showing up more frequently now.

Only an estimated 2 percent to 3 percent of targeted companies pay a ransom, says Sagie Dulce, a data security engineer at Imperva. But even that tiny percentage can mean a lot of money. Dulce says a typical cryptolocker can take in $30 million in only a few months. “As electronic currency becomes more widely used, more people will pay,” he says, noting that most criminals want to be paid in Bitcoin.

The Sony attack made clear that hackers have the ability to do more than just take sensitive data. The increasing popularity of extortion shows that big companies won’t be the only targets. As vArmour’s Wager puts it, “The days of smash and grab attacks to simply steal credit-card information and user information are far behind us.” Unless everyone starts thinking defensively, the greatest damage is yet to come.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the editor on this story:
Stacey Shick at sshick@bloomberg.net