While hackers tried to get rich by stealing millions of credit cards from Target, other cyber-criminals have quietly tried another method to make a quick buck: Asking companies to pay them to go away.
In recent weeks, two companies have publicly described their experiences with what has become a popular hacker tactic: cyber extortion. Cyber-criminals have threatened to disclose sensitive data or cripple websites unless their victims pay hundreds or even thousands of dollars in ransom.
Like kidnappers and terrorists, cyber-criminals have been demanding ransoms for years. But cases of digital extortion appear to have grown more frequent in recent months and involved more high-profile victims, according to Matthew Prince, chief executive of the security firm CloudFlare.
“The brazenness of the attacks has increased and they are targeting household names,” Prince said in an interview.
Last month, an unidentified hacker threatened to cripple the website of Meetup, a social networking site with 16 million members, unless the company paid $300 in ransom.
Then on Monday, employees at Basecamp, a software development firm, also got an email from an unidentified hacker who made a similar threat unless the startup paid “a relatively low amount in Bitcoin,” according to David Heinemeier Hansson, a partner at the company.
Both companies refused to pay. In response, the hackers crashed Basecamp’s service for two hours and Meetup’s site for 24 hours.
“This is like a bunch of people blocking the front door and not letting you into your house,” Hansson wrote in a blog post. “The contents of your house are safe — you just can’t get in until they get out of the way.”
There are no statistics on how often hackers try to extort their victims because few companies ever admit it. The rare victims who do go public say they refused to pay because it would have set a dangerous precedent.
Scott Heiferman, Meetup’s co-founder, said his company “made a decision not to negotiate with criminals,” partly because paying even a paltry $300 ransom could make the company a target for further extortion demands.
“We believe this lowball amount is a trick to see if we are the kind of target who would pay,” Heiferman said in a recent blog post. “We believe if we pay, the criminals would simply demand much more.”
“It was never even on the table to pay the extortionist,” Hansson said in an email to HuffPost. “We’d just be painting an even bigger target on our back for future attacks.”
But many victims do pay, albeit quietly. More than $5 million is extorted from hacking victims each year, according to Symantec, the cybersecurity firm.
Prince said his company hears “every other day” from victims needing protection from cyber-criminals threatening to bring down their websites unless they get paid. CloudFlare’s service works like a shield, deflecting the onslaught of bogus traffic while allowing legitimate visitors to access a company’s website.
In most cyber extortion cases, victims’ websites are knocked offline for about 15 minutes. Then their site comes back online and they get an email from a hacker offering to stop the attack if the victim wires money.
Often, the hacker will pose as a “white hat” security researcher who found a bug in the victims’ software, said James Aquilina, a former federal cyber crime prosecutor.
“They’ll say, ‘Hire me for $50,000, and I’ll help you fix it,’” Aquilina said.
Some cyber-criminals use special tools designed for extortion. Last year, a report by Symantec highlighted the growing use of “ransomware” that can disable both individual and corporate computers until someone pays the hacker. Only about 3 percent of victims pay the ransom, but the scheme is still profitable because hackers spread ransomware across thousands of PCs, according to Symantec.
“They’re essentially holding your data hostage,” Prince said.
Symantec knows first-hand what it’s like to face a cyber extortionist. In 2012, the company said a group of hackers linked to Anonymous began publicly releasing code for one of its antivirus products, then offered to stop if the company paid them $50,000.
Some cyber-criminals ask for more than money. In 2012, a Hungarian hacker was sentenced to 30 months in prison for stealing data from Marriott’s computers, then threatening to reveal it publicly unless the hotel chain gave him a $150,000-a-year job and free flights and hotel rooms of his choice.
Aquilina, who now works at the intelligence and risk management company Stroz Friedberg, said he has advised clients in at least a dozen cyber extortion cases in the past seven years. In one recent case, he said hackers locked a doctor out of his patients’ medical records unless he paid them $50,000.
“Any victim that is perceived as being able to pay is a potential target of an extortion threat,” Aquilina said.
But he said victims should contact law enforcement instead.
“I’ve never heard of a company actually surviving a cyber extortion by paying the money,” he said. “It just delays the inevitable. It doesn’t make it go away.”