Trend of ransom payoffs to unlock malware from ‘electronic stickups’ troubles law enforcement

Hollywood Presbyterian Medical Center paid a ransom of $17,000 to a hacker who locked up its computer systems earlier this month.
(Ricardo DeAratanha / Los Angeles Times)

When hackers took control of a small Boston-area police department’s computer system last year, officials decided to pay $500 to get back control.

A sheriff’s department in Maine paid a $300 ransom when its system was hijacked.

But when it comes to malware ransoms, Hollywood Presbyterian Medical Center paid a much bigger price. The hospital said it paid a $17,000 ransom in bitcoin to the hacker who seized control of the hospital’s computer systems.

Law enforcement officials and cybersecurity companies say they are seeing an uptick in these cyberattacks on both private businesses and public institutions. While some, like the hospital case, make national headlines, many attacks occur without any publicity — and with the victims ultimately agreeing to pay.


Often, businesses conclude paying the ransom is the quickest and most efficient way to get their data back.

“People don’t like to talk about it. It’s happening across all industries, banking, small businesses and other places,” said Phil Lieberman, a cybersecurity consultant.

This troubles some in law enforcement.

“We don’t ever recommend paying a ransom in any criminal investigation,” said LAPD Capt. Andrew Neiman. “It is a personal choice. Paying a ransom doesn’t ensure anything.”

Neiman said the cyberattack at the hospital was reported to the Los Angeles Police Department on Feb. 6, the day after the attack, and the FBI then became involved.

Hackers tend to target smaller companies and government agencies that are less likely to have sophisticated computer protections.

Katherine Keefe, Global Head of Breach Response Services for Beazley, a specialty risk insurer, said her clients have seen an increase in ransomware attacks targeting a variety of fields, including higher education, finance, government, hospitality, retail, real estate and law.



Those attacks are made when a malware program engages as soon as a victim clicks on a compromised website or opens an email sent by hackers. The malware then locks the victim’s computer to prevent access to the data, or starts to spread the virus to the institution’s computers and lock them all.

“It installs a piece of software that encrypts everything in the machine and sends the key to the server run by the hacker,” Lieberman said. “They will send you that key when you pay up.”

FBI officials say computers sometimes display a fake message purporting to be from a law enforcement agency, claiming that the user’s Internet address has been associated with child pornography sites or other illegal activity.

But more often the malware program displays a screen that tells users they can unlock their computers by making a payment through a money service. In the Hollywood hospital case, the digital extortionist demanded 40 bitcoin, a cybercurrency, be paid to an exchange. The payoff was made before the hospital notified authorities, according to two law enforcement sources who spoke on the condition of anonymity because they were not authorized to discuss the case.

The Feb. 5 attack on Hollywood Presbyterian infected the hospital’s computers and quickly locked the staff out of the communication and patient systems, said Chief Executive Allen Stefanek.


“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. The patient data was never compromised, he said.

The goal of these hackers, Lieberman said, is not to steal data but to merely lock it in place and take away the key.

Many of the extortionists are just franchisees, typically based in Eastern Europe. “These are like McDonald’s or Subways. They get all the technical know-how for a price. All they have to do is get a list of targets,” Lieberman said. “They even get updates of the malware.”


The use of ransomware escalated in 2013 with the malware program known as CryptoLocker, which infected more than half a million computers and generated millions of dollars for its operators before the FBI neutralized its command and control.

It was the CryptoLocker software that struck the Yuma Sun newspaper in 2013 and the Swansea Police Department in Massachusetts.


The Sun received a demand for $300 after the malware was downloaded.

“It was very tough,” said Lisa Reilly, the publisher. “It’s the worst of timing. We had just been bought by new owners and were installing a new computer system.”

Many corporations now have software installed in their computer systems to prevent such malware from ever running on their devices.

Lieberman said the more modern your computer, the less likely an attack will succeed. Newer operating systems like Windows 10 make it harder for programs like CryptoLocker to work.

Keefe said companies need to have backup plans to restore data so they can simply erase the infected machines and start over. Experts say that is becoming easier with the use of cloud storage.

Still, some officials believe more needs to be done. When the cybersecurity firm Symantec got access to one ransomware operation, it was bringing in $34,000 a day.

“Basically, it is an electronic stickup,” said state Sen. Bob Hertzberg (D-Van Nuys), who this week proposed legislation to make infecting a computer with ransomware a crime equivalent to extortion.


“$17,000 for the hospital, with patients who could be endangered, is something they are going to pay,” he said.

