Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources

Yahoo billboard

By Joseph Menn

SAN FRANCISCO (Reuters) – Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Through a Facebook spokesman, Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company’s legal team, according to the three people familiar with the matter.

U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.

“I’ve never seen that, a wiretap in real time on a ‘selector,’” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Alphabet Inc’s Google and Microsoft Corp, two major U.S. email service providers, separately said on Tuesday that they had not conducted such email searches.

“We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a spokesman for Google said in a statement.

A Microsoft spokesperson said in a statement, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” The company declined to comment on whether it had received such a request.

CHALLENGING THE NSA

Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.

Some FISA experts said Yahoo could have tried to fight last year’s demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.

Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Some FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies’ mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”

SECRET SIPHONING PROGRAM

Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (http://bit.ly/2dL003k)

In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)

U.S., China cyber group holds first talks since September pact

Hands on Keyboard

WASHINGTON (Reuters) – A group of senior U.S. and China cyber officials on Wednesday held its first meeting since the two countries struck an anti-hacking agreement in September to try to ease years of acrimony over the issue.

The so-called Senior Experts Group on International Norms and Related Issues is expected to gather twice a year, the U.S. State Department said in a statement announcing the meeting.

It provided scant information about the talks, saying officials from the two nations’ foreign, defense and other ministries discussed “international norms of state behavior and other crucial issues for international security in cyberspace.”

China’s foreign ministry, in a brief statement, said the two sides had a “positive, deep and constructive” discussion about issues including international law as it relates to the Internet and trust measures.

China and the United States will hold another meeting at an appropriate time within the next six months, it added.

China withdrew in 2014 from a separate bilateral cyber working group following the U.S. indictment of five members of its military on charges it hacked six U.S. companies. The new group appears to be a fresh start to grapple with cyber issues.

Cyber security has long been an irritant in relations between China and the United States, despite robust economic ties worth nearly $600 billion in two-way trade last year.

The September pact, reached during a U.S. visit by Chinese President Xi Jinping, included a pledge that neither country would knowingly carry out hacking for commercial advantage.

(Reporting by Arshad Mohammed; Additional reporting by Ben Blanchard in Beijing; Editing by Peter Cooney)

Ransomware: Extortionist hackers borrow customer-service tactics

Hollywood Presbyterian Medical Center

By Jim Finkle

TEWKSBURY, Mass (Reuters) – When hackers set out to extort the town of Tewksbury, Massachusetts, with “ransomware,” they followed up with an FAQ explaining the attack and easy instructions for online payment.

After balking for several days, Tewksbury officials decided that paying the modest ransom of about $600 was better than struggling to unlock its own systems, said police chief Timothy Sheehan.

That case and others show how cyber-criminals have professionalized ransomware schemes, borrowing tactics from customer service or marketing, law enforcement officials and security firms say. Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

The advancements, along with modest ransom demands, make it easier to pay than fight.

“It’s a perfect business model, as long as you overlook the fact that they are doing something awful,” said James Trombly, president of Delphi Technology Solutions, a Lawrence, Massachusetts, computer services firm that helped three clients over the past year pay ransoms in bitcoin, the virtual currency. He declined to identify the clients.

In the December 2014 attack on Tewksbury, the pressure to pay took on a special urgency because hackers disabled emergency systems. The same is true of additional attacks on police departments and hospitals since then. But all sectors of government and business are targeted, along with individuals, security firms said.

The total cost of ransomware attacks is hard to quantify. But the Cyber Threat Alliance, a group of leading cyber security firms, last year estimated that global damages from CryptoWall 3 – among the most popular of dozens of ransomware variants – totaled $325 million in the first nine months of 2015.

Some operations hire underground call centers or email-response groups to walk victims through paying and restoring their data, said Lance James, chief scientist with the cyber-intelligence firm Flashpoint.

Graphic artists and translators craft clear ransom demands and instructions in multiple languages. They use geolocation to make sure that victims in Italy get the Italian version, said Alex Holden, chief information security officer with Hold Security.

While ransomware attacks have been around longer than a decade, security experts say they’ve become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.

Law enforcement officials have long advised victims against paying ransoms. Paying ransoms is “supporting the business model,” encouraging more criminals to become extortionists, said Will Bales, a supervisory special agent for the Federal Bureau of Investigation.

But Bales, who helps run ransomware investigations nationwide from the Washington, DC office, acknowledged that the payoffs make economic sense for many victims.

“It is a business decision for the victim to make,” he said.

Run-of-the-mill ransomware attacks typically seek 1 bitcoin, now worth about $420, which is about the same as the hourly rate that some security consultants charge to respond to such incidents, according to security firms who investigate ransomware cases.

Some attacks seek more, as when hackers forced Hollywood Presbyterian Hospital in Los Angeles to pay $17,000 to end an outage in February.

Such publicized incidents will breed more attacks, said California State Senator Robert Hertzberg, who in February introduced legislation to make ransomware schemes punishable by up to four years in prison. The Senate’s public safety committee was scheduled to review that bill on Tuesday.

Some victims choose not to pay. The Pearland Independent School District near Houston refused to fork over about $1,600 in ransom demanded in two attacks this year, losing about three days of work from teachers and students. Instead, the district invested tens of thousands of dollars on security software, said Jonathan Block, the district’s desktop support services manager.

“This threat is real and something that needs to be dealt with,” Block said.

The town of Tewksbury has also upgraded its security technology, but Sheehan says he fears more attacks.

“We are so petrified we could be put into this position again,” he said. “Everybody is vulnerable.”

(Reporting by Jim Finkle. Additional reporting by Dustin Volz. Editing by Jonathan Weber and Brian Thevenot.)

U.S. to charge Iranians in cyber attacks, including New York dam

WASHINGTON (Reuters) – The Obama administration is expected to blame Iranian hackers as soon as Thursday for a coordinated campaign of cyber attacks in 2012 and 2013 on a suburban New York City dam and several other targets, sources familiar with the matter have told Reuters.

In one of the largest foreign cyber attack cases since 2014 when the United States charged five Chinese military hackers, the U.S. Justice Department has prepared an indictment against about a half-dozen Iranians, said four sources, who spoke on condition of anonymity due to the sensitivity of the matter.

The charges, related to unlawful access to computers and other alleged crimes, were expected to be announced publicly by U.S. officials as soon as Thursday morning at a news conference in Washington, the sources said.

The indictment was expected to directly link the hacking campaign to the Iranian government, one source said.

Though the breach of back-office computer systems at the Bowman Avenue Dam in Rye Brook, New York, has been reported, it was only part of a hacking campaign that was broader than previously known, as the indictment will show, the sources said.

In the intrusion of the dam computers, the hackers did not gain operational control of the floodgates, and investigators believe they were attempting to test their capabilities.

The dam breach coincided roughly with attacks on U.S. financial institutions. Cyber security experts have said these, too, were perpetrated by Iranian hackers against Capital One, PNC Financial Services and SunTrust Bank. Prosecutors were considering including those breaches in the indictment, sources said.

The hackers who were expected to be named in the indictment all reside in Iran, one source said.

The Justice Department declined to comment.

The indictment would be the Obama administration’s latest step to confront foreign cyber attacks on the United States. President Barack Obama accused and publicly condemned North Korea over a 2014 hack on Sony Pictures and vowed to “respond proportionally.” No details were made public of any retaliation.

James Lewis, a cyber security expert with the Center for Strategic and International Studies think tank, said, “We need to make clear that there will be consequences for cyber-attacks and that the Wild West days are coming to an end.”

Two weeks ago, it was widely reported that U.S. prosecutors were preparing an indictment against Iranian hackers related solely to the dam attack.

The broader indictment would come at a time of reduced tensions between the United States and Iran after a landmark 2015 nuclear deal. At the same time, the Obama administration has shown a willingness to confront Tehran for bad behavior.

Charging the Iranian hackers would be the highest-profile move of its type by the Obama administration since the Justice Department in 2014 accused five members of China’s People’s Liberation Army of hacking several Pennsylvania-based companies in an alleged effort to steal trade secrets.

(Reporting by Dustin Volz in Washington and Nate Raymond in New York; additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston; Editing by Kevin Drawbaugh and Jonathan Oatis)

U.S. charges three Syrian hackers, Justice Department says

WASHINGTON (Reuters) – U.S. authorities have charged three Syrian nationals who are current or former members of the Syrian Electronic Army with multiple conspiracies related to computer hacking, the U.S. Justice Department said on Tuesday.

Ahmad Umar Agha, 22, and Firas Dardar, 27, were charged with a criminal conspiracy that included “a hoax regarding a terrorist attack” and “attempting to cause mutiny of the U.S. armed forces,” the department said in a statement. Dardar and Peter Romar, 36, were separately charged with other conspiracies, it said.

The FBI announced on Tuesday it was adding Agha and Dardar to its Cyber Most Wanted list and offering a reward of $100,000 for information leading to their arrest, the statement said.

Agha and Dardar, who are believed to reside in Syria, began their criminal activities in or around 2011 under the name of the Syrian Electronic Army in support of the Syrian government, the statement said.

In June 2015, the U.S. Army said it temporarily took down its website after the Syrian Electronic Army hacked into the site and posted messages.

(Reporting by Washington Newsroom)

U.S. says it may not need Apple to open San Bernardino iPhone

(Reuters) – U.S. prosecutors said Monday that a “third party” had presented a possible method for opening an encrypted iPhone used by one of the San Bernardino shooters, a development that could bring an abrupt end to the high-stakes legal showdown between the government and Apple Inc.

A federal judge in Riverside, California, late Monday agreed to the government’s request to postpone a hearing scheduled for Tuesday so that the FBI could try the newly discovered technique. The Justice Department said it would update the court on April 5.

The government had insisted until Monday that it had no way to access the phone used by Rizwan Farook, one of the two killers in the December massacre in San Bernardino, California, except to force Apple to write new software that would disable the password protection.

The Justice Department last month obtained a court order directing Apple to create that software, but Apple has fought back, arguing that the order is an overreach by the government and would undermine computer security for everyone.

The announcement on Monday that an unnamed third party had presented a way of breaking into the phone on Sunday – just two days before the hearing and after weeks of heated back-and-forth in court filings – drew skepticism from many in the tech community who have insisted that there were other ways to get into the phone.

“From a purely technical perspective, one of the most fragile parts of the government’s case is the claim that Apple’s help is required to unlock the phone,” said Matt Blaze, a professor and computer security expert at the University of Pennsylvania. “Many in the technical community have been skeptical that this is true, especially given the government’s considerable resources.”

Former prosecutors and lawyers supporting Apple said the move suggested that the Justice Department feared it would lose the legal battle, or at minimum would be forced to admit that it had not tried every other way to get into the phone.

In a statement, the Justice Department said its only interest has always been gaining access to the information on the phone and that it had continued to explore alternatives even as litigation began. It offered no details on the new technique except that it came from a non-governmental third party, but said it was “cautiously optimistic” it would work.

“That is why we asked the court to give us some time to explore this option,” a spokeswoman for the Justice Department, Melanie R. Newman, said. “If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people.”

It would also likely end the case without a legal showdown that many had expected to reach the U.S. Supreme Court.

An Apple executive told reporters on a press call that the company knew nothing about the Justice Department’s possible method for getting into the phone, and that the government never gave any indication that it was continuing to search for such solutions.

The executive characterized the Justice Department’s admission Monday that it never stopped pursuing ways to open the phone as a sharp contrast with its insistence in court filings that only Apple possessed the means to do so.

Nate Cardozo, staff attorney at the Electronic Frontier Foundation, a civil liberties group backing Apple, said the San Bernardino case was the “hand-chosen test case” for the government to establish its authority to access electronic information by whatever means necessary.

In that context, he said, the last-minute discovery of a possible solution and the cancellation of the hearing is “suspicious,” and suggests the government might be worried about losing and setting a bad precedent.

But George Washington University law professor Orin Kerr, a former Justice Department computer crime prosecutor, said the government was likely only postponing the fight.

“The problem is not going away, it’s just been delayed for a year or two,” he said.

Apple said that if the government was successful in getting into the phone, which might involve taking advantage of previously undiscovered vulnerabilities, it hoped officials would share information on how they did so. But if the government drops the case it would be under no obligation to provide information to Apple.

In opposing the court order, Apple’s chief executive, Tim Cook, and his allies have argued that it would be unprecedented to force a company to develop a new product to assist a government investigation, and that other law enforcement agencies around the world would rapidly demand similar services.

Law enforcement officials, led by Federal Bureau of Investigation Director James Comey, have countered that access to phones and other devices is crucial for intelligence work and criminal investigations.

The government and the tech industry have clashed for years over similar issues, and Congress has been unable to pass legislation to address the impasse.

(Reporting by Joseph Menn, additional reporting by Mari Saito; Editing by Leslie Adler and Andrew Hay)

Number of U.S. government ‘cyber incidents’ jumps in 2015

WASHINGTON (Reuters) – The U.S. government was hit by more than 77,000 “cyber incidents” like data thefts or other security breaches in fiscal year 2015, a 10 percent increase over the previous year, according to a White House audit.

Part of the uptick stems from federal agencies improving their ability to identify and detect incidents, the annual performance review from the Office of Management and Budget said.

The report, released on Friday, defines cyber incidents broadly as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” Only a small number of the incidents would be considered as significant data breaches.

National security and intelligence officials have long warned that cyber attacks are among the most serious threats facing the United States. President Barack Obama asked Congress last month for $19 billion for cyber security funding across the government in his annual budget request, an increase of $5 billion over the previous year.

The government’s Office of Personnel Management was victim of a massive hack that began in 2014 and was detected last year. Some 22 million current and former federal employees and contractors in addition to family members had their Social Security numbers, birthdays, addresses and other personal data pilfered in the breach.

That event prompted the government to launch a 30-day “cyber security sprint” to boost cyber security within each federal agency by encouraging adoption of multiple-factor authentication and addressing other vulnerabilities.

“Despite unprecedented improvements in securing federal information resources … malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the report said.

(Reporting by Dustin Volz; Editing by Alistair Bell)

FBI warns automakers, owners about vehicle hacking risks

WASHINGTON (Reuters) – The FBI and U.S. National Highway Traffic Safety Administration (NHTSA) issued a bulletin Thursday warning that motor vehicles are “increasingly vulnerable” to hacking.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin.

In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million U.S. vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry.

Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.

In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.

“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the FBI bulletin said Thursday.

NHTSA Administrator Mark Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues.

The Fiat Chrysler recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle.

Two major U.S. auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — late last year opened an Information Sharing and Analysis Center. The groups share cyber-threat information and potential vulnerabilities in vehicles.

The FBI bulletin Thursday warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”

(Reporting by David Shepardson; Editing by Kenneth Maxwell)

Cyber criminals snap up expired domains to serve malicious ads

(Reuters) – Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users.

Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company.

Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads.

Bresntsmedia.com, the website used by hackers to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog. (http://bit.ly/1Ubu21f)

Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said.

New York Times spokesman Jordan Cohen said the company was investigating if the attack had any impact. “To be clear, this is impacting ads from third parties that are beyond our control.”

Newsweek, BBC and AOL could not be immediately reached for comment.

The researchers also found two more expired “media”-related domains – envangmedia.com and markets.shangjiamedia.com – used by the same cyber criminals.

The people behind the campaign may be keeping watch for expired domains with the word “media” in them, they said.

(Reporting by Supantha Mukherjee and Abhirup Roy in Bengaluru; Editing by Saumyadeb Chakrabarty)

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners, said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)