WASHINGTON — When the Teamsters were hit by a ransomware attack over Labor Day weekend in 2019, the hackers asked for a seven-figure payment.
But unlike many of the companies hit by high-profile ransomware attacks in recent months, the union declined to pay, despite the FBI's advice to do so, three sources familiar with the previously unreported cyberattack told NBC News.
"They locked down the entire system and said if we paid them they would give us the encryption code to unlock it," said one of the sources, all of whom spoke to NBC News on the condition of anonymity because they were not authorized to discuss the hack publicly.
Until now, the major labor union had managed to keep the hack out of the public eye for nearly two years. That points to a truth that cybersecurity experts say is lurking beneath the surface of recent high-profile attacks: An unknown number of companies and organizations have been extorted without ever saying a word about it publicly.
Communicating with Teamsters officials on the dark web through a site provided in the ransom note, the attackers demanded $2.5 million in exchange for restoring the union's access to electronic files. Personal information for the millions of active and retired members was never compromised, according to a Teamsters spokesperson, who also said that only one of the union's two email systems was frozen along with other data.
Teamsters officials alerted the FBI and asked for help in identifying the source of the attack. They were told that many similar hacks were happening and that the FBI would not be able to assist in pursuing the culprit.
The FBI advised the Teamsters to "just pay it," the first source said.
"They said 'this is happening all over D.C. ... and we’re not doing anything about it,'" a second source said.
Union officials in Washington were divided over whether to pay the ransom — going so far as to bargain the number down to $1.1 million, according to the sources — but eventually sided with their insurance company, which urged them not to pony up.
"They fought tooth and nail," the first source said of the insurance company.
The Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies — according to the union's spokesperson.
The FBI's communications office did not reply to repeated requests for comment. The FBI's stance is to discourage ransomware payments.
Criminal hacker gangs have in recent years embraced the use of ransomware, a type of malicious program that spreads across connected computers and steals or encrypts files. The gangs then demand a fee to unlock the files and keep them private.
But the practice of targeting specific companies and organizations in hopes of a big payout started to take off in 2019, said Allan Liska, an analyst at the cybersecurity company Recorded Future. He did not work on the Teamsters hack.
Now, most ransomware gangs keep blogs and threaten to leak victims' files if they don't pay.
In 2019, however, the process was simpler: Either the victim paid and hoped their files could be restored easily, or they didn't and tried to manage on their own. Either way, the interaction ended there.
Liska said that it used to be easier to keep ransomware attacks out of the public eye. Initially, many victims simply chose not to publicize that they had been hacked.
Ransomware has become a widely recognized issue in recent months, after hacker gangs crippled multiple hospitals, the largest U.S. fuel pipeline and the world's largest beef processor, making the problem impossible to ignore.