One evening in April, Dave Winston stood in a convenience store in suburban Charlotte, N.C., uneasily shoving $20 bills into a slim automated-teller machine unlike any he had ever seen. He was buying bitcoin, a digital currency unknown to him a few hours earlier, before hackers took over his computer.
Mr. Winston, crew chief with the Circle Sport-Leavine Family Nascar race team, is among a growing number of victims of a pernicious type of malicious software called ransomware, which has earned millions of dollars for cybercriminals by encrypting computer files and holding them hostage.
Ransomware dates to the late 1980s, but attacks spiked this year amid the growing use of bitcoin and improved encryption software. Malicious code turned Mr. Winston’s Excel spreadsheets and Word documents into unreadable gobbledygook, and hackers instructed him to pay $500 in bitcoin to unscramble them.
Mr. Winston doesn’t know how the software infected his computer, but security experts say attacks often start with an email message containing an attachment or a link to a website that then quietly installs the software.
According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day, most of which go unreported. Typical ransomware payments range from $500 to $1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $30,000. Hollywood Presbyterian Medical Center in Los Angeles paid roughly $17,000 to unlock files in February, following an attack that crippled a large portion of the hospital’s computer systems.
Including other costs, such as lost productivity and staff time to recover files, the Justice Department said ransomware attacks cost victims $209 million in the first three months of the year, an average of about $333,000 per incident, based on complaints that it has received. That is up from a total of $24 million for all of 2015, or about $10,000 per infection, the Justice Department said.
Ransomware is deviously simple. After tricking the victim into clicking on a malicious link or attachment, the software then encrypts files—often targeting Microsoft
Office files—and displays a message with instructions to recover them. A ransomware maker who calls himself “The Rainmaker” offers a $39 version of his software on hacker forums.
A Microsoft spokesman said, “We are committed to helping protect our customers, and Office includes features to help prevent macro-malware infections.”
Criminals find ransomware easier and more profitable than other scams, such as breaking into consumers’ computers and stealing money via online banking, said Juan Andres Guerrero-Saade, a researcher with Kaspersky Lab ZAO.
Another factor is the increasing use and stability of bitcoin, the digital currency. Bitcoin is now the preferred payment method of most ransomware infections because it allows users to send and receive money from anywhere in the world, often anonymously.
One university chief security officer said he purchased two bitcoin “mining” machines, which generate bitcoin on their own by performing the complex calculations that allow the bitcoin financial network to operate. Since January, he has been using these systems to stockpile bitcoin, just in case he needs to quickly recover a critical computer. He spoke on condition of anonymity to avoid making his employer a ransomware target.
In the Hollywood Presbyterian Medical Center hack, cybercriminals broke into a server in late January. After two weeks of reconnaissance, they struck on a Friday night, when the hospital’s tech staff was off, encrypting data on 850 computers and 150 servers and rendering documents unreadable, according to Steve Giles, the hospital’s technology manager.
The lab and pharmacy were unaffected, but doctors’ orders, patient transfers and payroll systems had to be logged on pen and paper.
“It was like 1970 déjà vu,” Mr. Giles said.
By 3 a.m. Saturday, the hospital declared a state of emergency.
The hackers’ warning was stark: Pay $9,000 in bitcoin within seven days or the hospital’s systems would be destroyed. Mr. Giles paid the ransom later on Saturday.
Mr. Giles felt he had no choice. “I called the CEO and said, ‘Even if they don’t send us the encryption code, this is a worthwhile bet.’”
The next day, the hackers demanded another $8,000, a common tactic according to the FBI. After the second payment, Mr. Giles received a series of about 60 letters and numbers needed to unlock the hospital’s files.
Since the Hollywood Presbyterian attack was made public, Mr. Giles has fielded calls from ransomware victims seeking advice. He has heard from a taxi company in Los Angeles, a chemical plant in Arkansas, water districts in Michigan and Nevada. None revealed if they had paid ransoms; some wouldn’t name their employers, to avoid becoming a target.
For Mr. Winston, the race-team crew chief, ransomware led to a dizzying 10-hour odyssey through a world of cryptographic keys and anonymous computers far removed from Nascar. The attack threatened his team’s ability to participate in a race just days away in Fort Worth, Texas.
The data held hostage on Mr. Winston’s computer amounted to a blueprint for controlling the car in different conditions, including data for adjusting the springs, shocks and driver controls. “Losing that information two days before you’re getting ready to go to the racetrack was pretty devastating,” he said.
As he fed bill after bill into the ATM, Mr. Winston felt he was probably throwing his money away. He wasn’t sure that paying the ransom was legal (it is). But like other victims, he had no backup of his computer’s data and felt cornered.
“I felt like it was an extreme long shot,” he said, “but it was a shot that I thought we had to take.”
His $500 bitcoin investment ultimately paid off. His files unlocked, the team finished two laps off the winning pace that Saturday in the Duck Commander 500 at Texas Motor Speedway.
— Nicole Hong contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com