The City of Lockport two years ago paid a ransom to a computer hacker who had gained access to the city’s police records and locked them down.
The Niagara County Health Department computer was hacked earlier this year, and the hacker demanded a ransom to unlock the computer.
Computer hacking is not just the work of foreign governments getting into government or political parties computers. Computers are hacked every day in Erie and Niagara counties, computer experts say.
Hackers have targeted hundreds of local businesses, hospitals, schools and other institutions, according to Jason Fickett, special agent in charge of the Buffalo FBI’s Cyber Squad.
Some local companies have paid thousands of dollars in ransom to hackers who blocked access to computerized information – like Social Security numbers and credit card data to private details about individuals’ health care. Nationally, ransomware is believed to be a billion dollar a year industry.
“The criminals will lock down a company’s computer files and make it impossible for them to access them,” Fickett said. “The victim is told to pay a ransom to get a key to unlock the data.”
And the targets are not just companies with lots of money.
A local church recently reported a computer hacking incident to his office, Fickett said.
Even grandparents have been held up by hackers, who demand payments so the grandparents can regain access to photos of their grandchildren.
“The hackers are from Russia, China, Korea, Iran and from our own country,” said Michael McCartney, a cyber crime expert based in Buffalo. “Some of the hackers work for their governments. Some of them work for organized crime syndicates. Some of them are guys sitting at their home computers in their underwear. Even those guys can do a lot of damage.”
Computer hacking and ransom demands are a growth crime industry.
“In Western New York, we’re averaging about one call a day,” said Fickett of the local FBI office. “And we know these crimes are under-reported.”
Attorney General Eric T. Schneiderman in May said his office had seen a 40 percent increase in data breach notifications involving New Yorkers compared to the same time period in 2015.
“This data breach trend is not going in the right direction. It’s getting worse,” said Clark P. Russell, deputy chief of Schneiderman’s bureau of internet and technology.
The state office received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. The state said it expects to receive well over 1,000 notices for the year, a new record.
What’s more, Russell said he is sure that many victims do not report the breaches, even though they are required to do so by state business laws.
More than one-third of American consumers have experienced a computer virus, a hacking incident or some other form of cyber attack within the past year, according to a national survey that was made public in September by the HSB Insurance Company. Eighteen percent of respondents had been victims of online fraud leading to the theft of money or property. Eleven percent reported that they were victims of some kind of cyber extortion.
“Consumers rely on smartphones, personal computers and tablets for virtually every aspect of their lives,” said Timothy Zeilman, a vice president and counsel for HSB Insurance. “Their personal information is stored online and increasingly their home systems are connected to the Internet. The threat to cyber security for individuals and families is significant and growing.”
How it happens
In many cases, the hacking victims open up mail that allows the hacker into the computer.
“What typically happens is that, one day, the victim will receive an innocent-looking email with a link to a website, or an attachment that looks legitimate, such as an invoice from Fed Ex,” said McCartney, who is the owner and president of Digits LLC, a Buffalo-based digital forensics and cyber security company.
“The victim clicks on it, and that allows the hacker to install malware on the victim’s computer system,” he said.
Soon after, the victim finds that he cannot access his own computer data. The hacker has encrypted it, or locked it down, making it unavailable to the victim.
Most victims don’t realize their systems have been compromised until an average of 191 days after the breach happened, one recent cyber security study said.
And a hacker can obtain a lot of information in 191 days, McCartney said.
“When the victim tries to use his computer, he gets an extortion message, basically saying, ‘All your data has been encrypted, and if you want to have it decrypted, or unlocked, you need to send money to us, by following the following instructions,” McCartney said. “Typically, the ransom is anywhere from $400 to $4,000.”
In the cases McCartney and Fickett investigated, the hackers have been true to their word and did decrypt – or unlock – the information after the ransom was paid.
“Most of these hackers are not interested in the information itself. They are interested in making a quick hit, getting a ransom payment, and then moving on to the next victim,” McCartney said.
Businesses, medical facilities, school districts and other institutions across the country paid an estimated $209 million in ransom to cyber hackers in the first three months of 2016, according to a cyber crime report, based on government statistics and compiled by the IBM Corp. The report said an average of 4,000 ransomware attacks occur each day in America, and it estimated that cyber criminals will make $1 billion on ransomware attacks this year.
Local hacking incidents
In 2014, the City of Lockport paid a $500 ransom after a hacker gained access to police records and locked them down, Mayor Anne E. McCaffrey confirmed.
After the ransom was paid, the hacker decrypted the records. No sensitive information was lost, but the incident was “a shock,” the mayor said.
“I was stunned when this happened,” McCaffrey said. “We reported it to the FBI…We now have a higher level of security and better backup procedures for our files. We’re thankful it was resolved, and we’re working every day to make sure it doesn’t happen again.”
Niagara County government was luckier than many hacking victims.
In May, hackers used a ransomware virus called CryptoLocker to lock down some of the computer records of the Niagara County Health Department. When county employees tried to open the affected files, they got a message saying “Your files are locked!!!” and demanding a ransom payment.
“Because we had very good procedures in place for backing up files every day, we didn’t pay a ransom,” said William Flynn, the county’s information technology director. “We removed the encrypted information from the affected server and PCs, and then we restored all the information from our backups.”
The discussion with the hackers never got as far a specific ransom payment, according to Flynn and Lawrence Helwig, who retired earlier this year as the county’s IT director.
“We knew of a hospital in California that paid a $16,000 ransom, and some local people who paid $4,000 to $5,000 in ransoms,” Helwig said. “These guys do this because they can make money at it. If you don’t have the right backup systems, you’re out of luck.”
Niagara County will spend about $2 million on information technology this year, and $512,000 of that money – more than one-fourth of the total amount – will be spent on cyber security and other security-related issues, said Christian Peck, the county’s public information officer
Not all the victims are businesses or government agencies. Individuals are victims, too.
Grandparents’ computers have been hacked, and all the pictures they took of their grandkids were ransomed, said Fickett, the FBI agent.
“Some people would rather pay a few hundred dollars to get them back rather than losing access to their pictures,” the agent said.
Hackers seldom are caught or punished, authorities admit.
It is difficult to track down hackers, and many of the schemes originate in countries that do not have police agencies capable or willing to help American law enforcement track them down, Fickett said.
Plus many victims – especially business people -- are embarrassed, upset and reluctant to talk publicly, McCartney said, so the vast majority of such incidents stay under the radar.
One local businessman started to tell The News of how his company paid a foreign-based extortionist thousands of dollars in ransom, but he abruptly shut down the interview, fearful that the hackers might attack his company’s computer system again if the story became public.
One hacker who did get caught was a student at Iroquois School District.
The district notified hundreds of school employees and parents of students earlier this year after the district’s computer system was hacked.
Police said an 18-year-old student was able to change his own grades, change his attendance record and obtain answers to a test he was about to take.
The Erie County Sheriff’s detectives arrested the student in early February and charged him with four felonies and two misdemeanors, including computer tampering, unauthorized use of a computer, destroying computer materials and computer trespass. A town judge declared him a youthful offender and sealed all records of his criminal case.
The probe began when a teacher caught the student cheating on an exam and told a school resource officer. Capt. Greg Savage said the student was apologetic and immediately cooperated in the investigation. It was almost as if the teenager “just wanted to see how far he could go” with the scheme, Savage said.
There is no indication that the student was trying to damage the school district, said Superintendent Douglas P. Scofield.
Although there was no impact on school records or accounts, the incident worried many employees, who feared their personal information could be misused, Scofield said.
The district has since taken numerous steps to improve its cyber security.