When hackers set out to extort the town of Tewksbury, Massachusetts with "ransomware," they followed up with an FAQ explaining the attack and easy instructions for online payment.
After balking for several days, Tewksbury officials decided that paying the modest ransom of about $600 was better than struggling to unlock its own systems, said police chief Timothy Sheehan.
That case and others show how cyber-criminals have professionalized ransomware schemes, borrowing tactics from customer service or marketing, law enforcement officials and security firms say. Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.
The advancements, along with modest ransom demands, make it easier to pay than fight.
“It’s a perfect business model, as long as you overlook the fact that they are doing something awful,” said James Trombly, president of Delphi Technology Solutions, a Lawrence, Massachusetts, computer services firm that helped three clients over the past year pay ransoms in bitcoin, the virtual currency. He declined to identify the clients.
In the December 2014 attack on Tewksbury, the pressure to pay took on a special urgency because hackers disabled emergency systems. That same is true of additional attacks on police departments and hospitals since then. But all sectors of government and business are targeted, along with individuals, security firms said.
The total cost of ransomware attacks is hard to quantify. But the Cyber Threat Alliance, a group of leading cyber security firms, last year estimated that global damages from CryptoWall 3 - among the most popular of dozens of ransomware variants - totaled $325 million in the first nine months of 2015.
Some operations hire underground call centers or email-response groups to walk victims through paying and restoring their data, said Lance James, chief scientist with the cyber-intelligence firm Flashpoint.
Graphic artists and translators craft clear ransom demands and instructions in multiple languages. They use geolocation to make sure that victims in Italy get the Italian version, said Alex Holden, chief information security officer with Hold Security.
While ransomware attacks have been around longer than a decade, security experts say they've become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.
Law enforcement officials have long advised victims against paying ransoms. Paying ransoms is "supporting the business model," encouraging more criminals to become extortionists, said Will Bales, a supervisory special agent for the Federal Bureau of Investigation.
But Bales, who helps run ransomware investigations nationwide from the Washington, DC office, acknowledged that the payoffs make economic sense for many victims.
"It is a business decision for the victim to make," he said.
Run-of-the-mill ransomware attacks typically seek 1 bitcoin, now worth about $420, which is about the same as the hourly rate that some security consultants charge to respond to such incidents, according to security firms who investigate ransomware cases.
Some attacks seek more, as when hackers forced Hollywood Presbyterian Hospital in Los Angeles to pay $17,000 to end an outage in February.
Such publicized incidents will breed more attacks, said California State Senator Robert Hertzberg, who in February introduced legislation to make a ransomware schemes punishable by up to four years in prison. The Senate's public safety committee was scheduled to review that bill on Tuesday.
Some victims choose not to pay. The Pearland Independent School District near Houston refused to fork over about $1,600 in ransom demanded in two attacks this year, losing about three days of work from teachers and students. Instead, the district invested tens of thousands of dollars on security software, said Jonathan Block, the district's desktop support services manager.
“This threat is real and something that needs to be dealt with,” Block said.
The town of Tewksbury has also upgraded its security technology, but Sheehan says he fears more attacks.
"We are so petrified we could be put into this position again," he said. "Everybody is vulnerable."
(Reporting by Jim Finkle. Additional reporting by Dustin Volz. Editing by Jonathan Weber and Brian Thevenot.)