Meet the new hostage crisis: “Ransomware,” which involves using malicious software to hold people’s computer files for ransom.
The scam has become one of cybercriminals’ favorites in recent months. The latest episode began June 27, affecting companies worldwide from Russian oil firm Rosneft to U.S. pharmaceutical company Merck.
By the Federal Bureau of Investigation’s estimate, scammers have turned this reliable racket into a multimillion-dollar business with thousands of compromises in the United States. Last year, the bureau tallied 2,673 victims and $2.9 million in losses, up from 2,453 complaints and $1.6 million in losses in 2015, an FBI spokesperson told Fortune.
NBC reported earlier this year that ransomware losses were expected to reach $1 billion in 2016. But an FBI spokesperson clarified with Fortune that this figure neglected to make a distinction between “reported losses” (what victims said they lost) and “adjusted losses” (what those victims verifiably lost), leading to a discrepancy in scale. That said, the actual number of victims and ransomware losses are likely to be higher than the FBI’s estimates because the agency counts only what has been reported to it.
The extortionists have seemingly no remorse. They target everyday Internet users, businesses, police stations, universities—even hospitals. Any organization that needs continuous access to its systems and cannot afford to suffer network downtime—say, one on which patients’ lives depend—are optimal victims.
Typically, the scammers trick people into running pernicious code on their computers that encrypts their contents—a process that is often irreversible, except by way of a special cryptographic key or string of digital bits. In exchange for the key, the thieves demand payment, usually in Bitcoin.
Get Data Sheet, Fortune’s technology newsletter.
Generally, it’s a terrible idea to pay up. Funding the criminal enterprise all but guarantees to make the problem bigger, badder, and worse for everyone (except the crooks) in time to come. Plus, there’s no guarantee that victims will get their data back, nor that the attackers won’t strike again; you could come out a poorer sucker for it.
Even so, some businesses have calculated—sometimes selfishly, other times legitimately—that the best course of action is to quickly hand over the ransom and keep quiet about it. Some companies have reportedly taken to stockpiling Bitcoins for just such a contingency. A couple of years ago, the FBI caught flak when one agent acknowledged the dilemma and said the agency often simply advised companies to pay up when they had no other recourse.
Unfortunately, many victims do supply a ransom. According to a recent report from the security research firm CyberEdge Group, 61% of the 1,100 IT pros it surveyed said their organizations had been compromised by ransomware last year. Of those, a third reported paying up to recover access to their networks.
For more on cybersecurity, watch:
A word of advice: Don’t be like them. Read on for a few tips on how to protect yourself.
Like most matters of security, the crux comes down to cyber hygiene. You’ve heard the advice before: Keep your software patched and your systems up to date. Be wary of phishing scams—don’t click on suspicious links or email attachments, for instance.
Businesses: train your employees to exercise caution online. Have your information security team send benign trick emails to workers to teach them to spot phishing attempts. Or as Stu Sjouwerman, CEO of KnowBe4, a security awareness training firm, puts it: “transform employees into a human firewall.”
Many security experts also recommend using software tools to block a portion of the attacks that will inevitably get through. In its 2016 threat report, Carbon Black, one such provider of so-called endpoint protection, recommends configuring firewalls to deny connections to known malicious IP addresses, blocking ads on websites, and segmenting computer networks to stop the spread of infections.
No one person or product is perfect though, so it’s best to have a backup plan—literally. One of the best ways to recover from a ransomware attack is to back up your data on a separate hard drive, or on a separate computer network. Make sure this backup system is not connected to the frontline network, or else you run the risk of that getting encrypted too. (This reporter has heard horror stories of well-intentioned preppers forgetting to abide by that fine print.)
Should disaster strike, and barring alternatives, shut down your system. If ransomware is turning all of your data into inaccessible gobbledegook, it’s wise to prevent the digital contagion from spreading to connected machines. Kill the power; cut the cord.
Jeremiah Grossman, chief security strategist at SentinelOne, another endpoint protection firm, advises that people should regularly test their backups—and not destroy encrypted data. In some cases, it’s even possible that researchers have found—or will find—a flaw in the cryptography, or the necessary key, used in the data lockdown, and victims can use tools later to decrypt their files.
Kidnapping has been a business model since long before squads of Mogadishu-born marauders took to the seas, before a murderer nabbed the child of acclaimed aviator Charles Lindbergh, and before a band of Cicilian pirates captured Julius Caeser in 75 BCE, Grossman notes. Through use of the latest technologies, criminals have lately found a particularly effective way to scale their shakedowns. Don’t let them win.
