The Extortionist in the Fridge

Modern hackers can do much more than steal. They can make their way into a laptop and turn on its webcam, monitor its keystrokes, or transform the device into an inanimate hunk of metal and plastic. They can even turn a machine against its owner, taking a device hostage and demanding money to return it.

Known as ransomware, the viruses that carry out these attacks are multiplying. Their methods have shifted throughout the years: Early versions threw up alarming messages, yelling that a user’s device has been overridden with malware and offering to clean it up, for a fee, with an antivirus software—all fake, of course. Today’s more sophisticated varieties take over a victim’s computer completely, locking up years of invaluable photos and sensitive documents and refusing to return them until a ransom is paid. Many strike by encrypting the contents of a computer or server, and demanding payment—usually a few hundred dollars worth of Bitcoin—to decrypt it again.

These attacks can be incredibly lucrative: One researcher found that a hacker made more than $1 million in a single day off of hapless users desperate for their data back. It’s a bit like thieves sneaking into your home, and rather than carting away the TV, stuffing your jewelry and electronics into an impenetrable trunk. Then they try to sell you the key.

These newer incarnations can be incredibly difficult to defeat, and advancements in open-source encryption mean they’ll only get trickier. A recent spate of attacks on police computer systems showed the sophistication of modern ransomware: When small police departments in Massachusetts, Tennessee, and New Hampshire were hacked, they found their vital databases encrypted and inaccessible.

The departments were hit with ransom notices for their data, and couldn’t get around the encryption even with help from private cybersecurity firms and the FBI. (An FBI official said this year that some viruses are so good that “the easiest thing may be to just pay the ransom.”) All three departments paid ransoms ranging from $500 to $750 to regain access to their data.

Those payouts are larger than usual: The average ransom ask is $300. Researchers think that prices are generally low because hackers have found an equilibrium at which they can extort a few hundred dollars from a whole lot of people.

And since anything with a computer for a brain and an Internet connection is vulnerable to a virus, hackers with lofty ambitions can go after a wide range of devices. Conjure up that laundry list of “Internet of Things” gadgets: smartphones, fitness bands, smartwatches, fridges and ovens, smart locks, thermostats.

One strain of ransomware targets Android phones, tricking users into granting it elevated privileges and then immediately changing the device’s PIN. Users find themselves unable to get into their own phones, and have to either pay a hacker hundreds of dollars to regain access, or reset the phone to factory settings and lose the contents.

Others target modern Internet-connected television sets. In late 2015, as an experiment, a researcher at the antivirus company Symantec purposely infected his own smart TV with ransomware with a “man-in-the-middle” attack: Using a device on the network that inserted itself between the TV and the Internet, the researcher was able to intercept the TV’s request for a certain app and deliver an infected version instead.

As soon as the malicious app was installed, it locked up the TV and displayed an ominous ransom note in Russian. The researcher was unable to uninstall the virus-ridden app, and the manufacturer’s tech support couldn’t help remove it, either. He finally cleared the virus using a debugging mode that he’d previously enabled as a last-resort backup measure.

The recent explosion of ransomware will only continue as more everyday objects are connected to the Internet. Newcomers to the Internet of Things are likely to have weaker security systems than computers or servers, which for decades have been designed to weather online attacks. As manufacturers crank out new connected devices, a high priority on functionality can drive them to cut security corners in the name of convenience.

Consider a scenario in which hackers gain access to household items like smart locks, light bulbs, or fridges (some of which look like they ate a small TV): They could threaten to spoil dinner, cut the lights, or lock a homeowner out (or in!) unless they get paid. When it comes to connected vehicles, the possibilities are even more frightening. And thanks to an experiment where white-hat hackers remotely hijacked a Jeep as it hurtled down a St. Louis highway, they’re not that far-fetched.

Advanced ransomware isn’t just for talented hackers, either. Some malware developers offer “ransomware as a service” to any average computer user with a vendetta, creating programs that allow a customer to download viruses and send them to a specific target. The hackers pocket 20 percent of the ransom, if it’s paid.

Between April 2014 and June 2015, the FBI received nearly 1,000 complaints about just one type of ransomware virus. “Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today,” wrote the authors of a recent Symantec report on ransomware.

As the Internet worms its way into more and more vital devices—items which we trust with our daily routines, safety, health, and privacy—their manufacturers must place a premium on security. But if hackers get there first, bribing a remote hacker to release hold of a phone, car, or TV could become commonplace.