Bloomberg Businessweek|February 10, 2020
As you may be aware, there’s money to be made on the internet. The question, of course, is how. Not everyone has the reality-distortion skills to start their own tech unicorn, or the Stanford connections to become an early employee there, or the indifference to sunlight necessary to become a world-class Fortnite gamer. Not everyone lives in the relatively few places where software engineering jobs are well-paying and plentiful.
If you’re willing to break the law—or at least the laws of the U.S., a country you may not yourself call home—your options expand. You can steal credit card numbers, or just buy them in bulk. You can hijack bank accounts and wire yourself money, or you can hijack email accounts and fool someone else into wiring you money. You can scam the lonely on dating sites. All of these ventures, though, require resources of one kind or another: a way to sell the stuff you buy with other people’s plastic, a “mule” willing to cash out your purloined funds, or a talent for persuasion and patience for the long con. And, usually, some programming skill. But if you have none of these, there’s always ransomware.
Malicious software that encrypts data on a computer or a server, ransomware allows an attacker to extort a payment in exchange for the decryption key. Over the past year in the U.S., hackers hit the governments of Baltimore, New Orleans, and a raft of smaller municipalities, taking down city email servers and databases, police incident-report systems, in some cases even 911 dispatch centers. Hospitals, dependent on the flow of vital, time-sensitive data, have proved particularly tempting targets. So have companies that specialize in remotely managing the IT infrastructure of smaller businesses and towns— hacking them means effectively hacking all their clients.
As the number of attacks has grown, so has the scale of the victims and ransoms. “Ransomware really started as something that targeted individuals,” says Herb Stapleton, a section chief in the FBI’s cyber division. “Then it started targeting smaller companies without strong internet security protections, and now it’s evolved to larger companies and municipalities.” In 2019 the Weather Channel, the French media group M6, and the shipping services firm Pitney Bowes Inc. were all hit. Last summer two small Florida towns paid $1.1 million between them to unlock their data. According to the BBC, the European forensics firm Eurofins Scientific also paid off attackers, though it hasn’t confirmed this. Travelex Ltd. also won’t say whether it paid its multi-million-dollar ransom, though as I write this the global currency exchanger’s website remains down, a month after it was attacked.
In a way, the rise of ransomware was foreordained. Simple, scalable, and low-risk, it makes for a particularly tidy cybercrime. Some of the most successful variants are thought to have emerged from the states of the former Soviet Union, where techsavvy young people can get a high-quality education but not a commensurate-quality job. That combination has helped birth an industry that, in big ways and small, is tech’s outlaw twin.
These days, prospective attackers don’t have to create their own ransomware; they can buy it. If they don’t really know how to use it, they can subscribe to services, complete with customer support, that will help coordinate attacks for them. Software as a service (SaaS in tech vernacular) is a mammoth global industry comprising everything from Salesforce.com customer-relationship management software to the Slack workplace messaging platform to Dropbox cloud storage. Search for “ransomware as a service” or “RaaS” in the darkweb chat rooms that function as both forums and bazaars, and you’ll get pages and pages of hits. In the public imagination, hackers are Mephistophelian savants. But they don’t have to be, not with ransomware. “You could be Joe Schmo, just buying this stuff up,” says Christopher Elisan, director of intelligence at the cybersecurity firm Flashpoint, “and you could start a ransomware business out of it.”
You could even be a liberal-arts-educated writer with a primitive, cargo-cult understanding of how an iPhone or the internet work, who regularly finds himself at the elbow of his office’s tech-support whiz, asking, again, how to find the shared drive. In other words, you could be me. But could you really? I didn’t start out on this article planning to try my hand at ransomware. A few weeks in, though, it occurred to me that if someone like me could pull offa digital heist, it would function as a sort of hacking Turing test, proof that cybercrime had advanced to the point where software- aided ignorance would be indistinguishable from true skill. As a journalist, I’ve spent years writing about people who do things that I, if called upon, couldn’t do myself. Here was my chance to be the man in the arena.
In late 1989 medical researchers and computer hobbyists around the world opened their mailboxes—their actual physical ones—to find a 5.25inch floppy disk containing an interactive program that evaluated someone’s risk of contracting AIDS, at the time an unchecked, fatal pandemic. In all, 20,000 disks, from the “PC Cyborg Corporation,” were mailed from London to addresses throughout Europe and Africa. But the disks had their own viral payload, an additional program that, once loaded onto a workstation, would hide files and encrypt their names, then fill the screen with a red box demanding a $189 “software lease.” A banker’s draft, cashier’s check, or international money order was to be mailed to a post office box in Panama. The AIDS Trojan, as it came to be known, was the world’s first ransomware.
Within weeks, an American named Joseph Popp was stopped on his way back to the U.S. from an AIDS conference in Kenya. An evolutionary biologist who specialized in baboons, Popp had caught the attention of security officers at Amsterdam’s Schiphol airport because of his erratic behavior. According to a story later published in the Cleveland Plain Dealer, Popp, convinced he was being drugged by Interpol agents, had written “Dr. Popp Has Been Poisoned” on someone’s duffel bag then held it over his head. When his own luggage was searched, authorities discovered a PC Cyborg Corporation seal. Popp was extradited from his native Ohio to London but eventually ruled unfit to stand trial: Among other things, he’d started wearing curlers in his beard to protect against radiation. He returned home, self-published a manifesto urging people to reproduce more, and was starting a butterfly sanctuary in Oneonta, N.Y., when he died in 2006.
While Popp’s motivations and mental fitness remain the subject of debate, the effectiveness of his ransomware does not. Most of the recipients of the disk didn’t even load the pernicious file onto their computers. Among those who did, only a tiny number paid the ransom. For one thing, it was a pain, requiring a trip to both the bank and the post office. And it was unnecessary. One victim, a Belgian named Eddy Willems, was a computer systems analyst for a multinational insurer. “I’m not a cryptologist, but I was able to easily see what it did,” he says. “And I was able to put everything back in something like 10 to 15 minutes.” Willems and other security researchers quickly circulated free AIDS Trojan decryption programs, also by floppy.
It’s a testament to Popp’s imagination (and possible mania) that he attempted the scheme at all with the tools at his disposal. The idea of selling stolen data to the highest bidder wasn’t new, but Popp’s innovation, as Mikko Hypponen, chief research officer at the Finnish cybersecurity firm F-Secure, puts it, was “the realization that in many cases the highest bidder is the original owner of the information.”
You can read up to 3 premium stories before you subscribe to Magzter GOLD
Log in, if you are already a subscriber
Get unlimited access to thousands of curated premium stories and 5,000+ magazines
READ THE ENTIRE ISSUE
February 10, 2020