
Ransomware gives free decryption keys to victims who infect their friends - progval
https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
======
jpalomaki
Next step (unless it is already there) could be affiliate marketing (pay 25%
of the ransom to people who distribute the malware). If people start getting
smart with backups, the response could be to switch to blackmailing (pay or
we'll distribute your files).

I find this whole thing quite scary. We all know how difficult it is to
protect yourself from a determined and skilled adversary. Now that there is a
clear business model and an opportunity to make hundreds of millions[1], this
thing will probably attract more and more people. Building botnets was a
mass-market operation. Ransomware could become more targeted, since the value
of a single infected machine can be much higher.

[1] [http://thehackernews.com/2015/10/cryptowall-ransomware.html](http://thehackernews.com/2015/10/cryptowall-ransomware.html)

~~~
Taek
All the more reason to emphasize security over the latest in features and
upgradability.

Why doesn't Microsoft get held accountable when a 0-day in Windows is
exploited that results in loss of user funds? Without that, there's no
incentive to build secure software in the first place.

How do we get society to have more of a security-first approach when it comes
to things connected to the internet? A lot of these vulnerabilities are scary
in a systemic way. Cyber warfare would likely be as damaging as dropping
napalm on cities, and it's all preventable by having more security oriented
infrastructure.

~~~
AnthonyMouse
> Why doesn't Microsoft get held accountable when a 0-day in Windows is
> exploited that results in loss of user funds? Without that, there's no
> incentive to build secure software in the first place.

There is nothing stopping you from entering into a contract with Microsoft
that requires them to take on that liability. And there are some companies
that have contracts like that with some software vendors -- presumably in
aerospace and so on. And those companies pay $5000 or more for a piece of
software that you would pay $10 for. If you asked a normal person to pay that
much for every app in the store they would just laugh.

If you made developers liable for vulnerabilities, that's what would need to
happen. Software would have to cost enough to cover the liability. If you sell
ten million copies of some code and you have _one_ vulnerability (down from 75
before this), that vulnerability may cost 1% of your customers $20,000 each
and you're suddenly on the hook for billions of dollars. And you better hope
none of your customers are large corporations that could potentially suffer
even bigger losses, even though the software developer has no control over
that at all.

A big part of the problem here is that we keep trying to _shield_ the users
from liability, but they're the ones who make the decisions. The user won't be
willing to pay extra or suffer any inconvenience for better security if it's
the credit card company or insurance company or software vendor that sustains
the loss when they get hacked.

Security is terrible because the party who decides how much to prioritize
security is the party we give half a dozen ways to get out of suffering from
the consequences of poor security.

~~~
cm2187
But what would also happen is that for the software vendor to stay
competitive, he would spend a lot of time and effort to harden the software to
reduce the insurance premium.

Very far away from Microsoft's "let's use consumers as beta testers" approach.

~~~
AnthonyMouse
> But what would also happen is that for the software vendor to stay
> competitive, he would spend a lot of time and effort to harden the software
> to reduce the insurance premium.

That's not competitive though. When the user is at minimal risk the user wants
the cheapest software, not the most secure software. In that situation you
can't spend money improving security or buying insurance, that would make your
software cost more than the competition.

The winning competitive strategy would be to minimize the consequences of
declaring bankruptcy. Take on debt financing instead of issuing stock, to
minimize net assets. Develop the software as many pieces each owned by an
independent business entity so there is no deep pocket to attract claims and
there is a smaller loss when an owner has to write one off.

------
gpm
Interesting plan. I think people are underestimating how effective it might
be.

Suppose a kid gets their parents' computer infected. There is a pretty good
chance that they will panic and take the non-monetary route. It's not like
infecting others is beyond most kids' abilities. Just run the exe themselves on
school computers, post it in video game chats, send it to friends, etc. Since
they aren't sure how many people will pay before their parents notice, there is
a strong incentive to send it to a lot of people, not just two.

The other route I see is that an adult sees this and tries to infect some
company computers, on the theory that they won't be caught and there is a good
chance the company will pay up. Not many people will go for it of course, but
if it manages to spread internally then they will be in a decent position to
demand a lot of money.

------
blauditore
I wonder how Bitcoin-based scammers launder their money.

Bitcoin addresses are anonymous, but all transactions are public, right? So
while it's hard to find out who's behind an address, it's publicly visible if
they spend money, and where it goes. Thus, they're only able to spend it on
"trusted" peers to not jeopardize their own anonymity.

For example, if they buy something from an online shop, this transaction will
be visible for all Bitcoin users. And if that shop publicly shows its Bitcoin
address, authorities might track down that shop and force it to give away
their shipment address.

Or am I missing something?

~~~
cryptarch
Bitcoin tumblers take care of this. Roughly, you set up a service that puts a
lot of people's coins in a single wallet, then you route bitcoins from that
wallet to a bunch of different wallets operating in similar fashion. Kind of
like how Tor works.

It's easy to generate many temporary wallets that cannot be linked back to
your main wallet; shops can do this too, and I think it's considered good
practice to use one address per sale.

You can also convert the Bitcoins to a more anonymous coin (Monero?) and back.

------
throwaway4891a
There's a niche field of malware economics, but it makes sense that for-profit
malware is ultimately a business, albeit a usually illegal one, which has to
optimize just like any other app:

[https://cyber.harvard.edu/cybersecurity/Economics_of_Malware](https://cyber.harvard.edu/cybersecurity/Economics_of_Malware)

[https://www.coursera.org/learn/malsoftware](https://www.coursera.org/learn/malsoftware)

At some point, it would make sense that anonymized malware (i2p, Tor only) may
go open source, similar to commercial open source but instead because of scene
cred / black-market consulting.

~~~
deoxxa
This is roughly what happened with several "exploit droppers" a few years ago.
It wasn't pretty GitHub sites or open source blogs, but rather "leaked"
versions of the software suites, missing nearly all of the actual exploits.
Usually there'd be a couple of very old, widely patched exploits in there so
you could see how it worked. People would download the stripped out version,
play with it, then buy the actual exploit payloads/plugins.

Pretty interesting process to watch from the sidelines!

------
maverick_iceman
I wonder why no one is looking at the obvious solution - discredit the
ransomware folks. I.e. create ransomware that doesn't free your files even
after you pay the ransom. As soon as word gets around that there is
ransomware like that, their whole business model will collapse. Sure, this
will not be nice to the (small number of) people who get screwed over, but it
definitely solves the larger problem.

~~~
ThrustVectoring
An alternative solution is to make it illegal to pay ransomware.

~~~
maverick_iceman
That'll just make criminals out of ordinary people.

~~~
ThrustVectoring
Are you saying that it'll convince literally zero people to not pay the
ransom? Every ransom that does not get paid is money that doesn't contribute
to the "distributing ransomware is a viable way to make money" problem.

------
dkh
Completely evil and terrifying, yet also somehow brilliant psychologically.
Tricking people to install it thinking it's the Popcorn Time streaming app has
a bit of irony involved.

------
MichaelBurge
That's interesting how they use the sob story. Anyone wanting to pay is going
to feel conflicted, so they give the user an out by letting them feel like
they're helping poor people in Syria. They've chosen Syria because it's well-
known and in the news.

I wonder if their English is poor, or if they're trying to be endearing to
help their conversion rates. You could confirm the former by correlating it
with what common errors people in different countries make.

It doesn't look like they expect people to infect their friends, but offering
the false choice is a pretty common way of making people feel slightly more in
control. It probably helps their conversion rates, even if nobody picks the
blue option.

------
jlgaddis
Novel and innovative. This guy is disrupting the ransomware industry. ;)

------
Cyph0n
What I don't understand about ransomware in general is how the AES key is
stored on the machine. I'm assuming that it's grabbed from the server, used
only during encryption, and then scrubbed from RAM/filesystem. Otherwise, it
would be possible to recover the key post-encryption. Or am I missing
something?

~~~
DSMan195276
I've read a few articles of people managing to get the key out of the
ransomware programs, so in some cases it really is just stored on the system
and you can find it if you know what you're doing. Those articles were a
while back though, so it's possible they've 'fixed' that issue.

Like others have said, public/private key crypto can be used to achieve this,
and fairly easily: The ransomware is distributed with a public key, and after
generating the AES key and encrypting the system, it then encrypts the AES key
using the public key and removes all other copies of the AES key. Thus, nobody
with access to the system can decrypt the system now unless they have the
matching private key. If you pay to decrypt your system, the program sends off
the encrypted AES key, and then they send back the decrypted AES key which
they got by using the matching private key. And then from there you use the
AES key to decrypt the rest of the system.

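The key handling described in the comment above, as an added example in Go that is not code from this thread or from any ransomware family: an RSA-2048 key pair stands in for the operator's key, AES-256-GCM for the file cipher, RSA-OAEP for wrapping, and the "document" is an in-memory byte string (constructed; no files are touched). The function and type names are this example's own. It shows why the wrapped key left on the machine is useless to anyone holding only the machine's contents, and why the operator's private key recovers everything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// WrappedPayload is everything that remains on the encrypted machine: the
// symmetric ciphertext plus the AES key wrapped under the operator's RSA
// public key. No plaintext copy of the AES key is kept.
type WrappedPayload struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// GenerateOperatorKey creates the RSA key pair. Only the public half ships
// with the client; the private half never leaves the operator.
func GenerateOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptWithWrappedKey is the client-side step: fresh AES-256 key, AES-GCM
// encryption of the data, RSA-OAEP wrapping of that key, then zeroing of the
// plaintext key so the wrapped copy is the only one left.
func EncryptWithWrappedKey(pub *rsa.PublicKey, plaintext []byte) (*WrappedPayload, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // discard the only plaintext copy of the AES key
		key[i] = 0
	}
	return &WrappedPayload{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// UnwrapKey is the operator-side step; it is the only place the private key is used.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Decrypt recovers the data once the AES key has been unwrapped.
func Decrypt(key []byte, p *WrappedPayload) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}

func main() {
	operator, err := GenerateOperatorKey()
	if err != nil {
		log.Fatal(err)
	}
	doc := []byte("quarterly report: constructed sample data") // constructed input
	payload, err := EncryptWithWrappedKey(&operator.PublicKey, doc)
	if err != nil {
		log.Fatal(err)
	}
	// Someone who only has the machine's contents has payload and no private key:
	someoneElse, _ := GenerateOperatorKey()
	if _, err := UnwrapKey(someoneElse, payload.WrappedKey); err != nil {
		fmt.Println("unwrap without the operator's private key fails:", err)
	}
	key, err := UnwrapKey(operator, payload.WrappedKey)
	if err != nil {
		log.Fatal(err)
	}
	plain, err := Decrypt(key, payload)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("recovered with the operator's key:", bytes.Equal(plain, doc))
}
```

Two practical notes: the defence against this design is a backup the malware cannot reach, since there is no key to recover from memory or disk once the zeroing has happened; and the cases where keys were pulled out of samples (as the comment mentions) were implementations that skipped or botched the wrapping step, not weaknesses in the scheme itself.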
~~~
Cyph0n
That makes sense. Thanks for the explanation.

------
Yhippa
This sounds like the beginnings of a future Black Mirror episode.

~~~
ant6n
There was already a ransomware episode:
[https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirro...](https://en.wikipedia.org/wiki/Shut_Up_and_Dance_\(Black_Mirror\))

------
CodeWriter23
"Viral Marketing"

------
Pica_soO
The problem with ransomware is also that it can infect a lot of people who
don't have that kind of money. If they would do it decently, they would allow
for partial recovery of files with rising prices per batch, and measuring how
long the user could come up with the coins.

Price-building exercise combined with social engineering.

God, they could go full Ponzi scheming with this and get a billion people to
get rich and become accomplices..

------
meowface
Clever idea, but I doubt this would work in 99% of cases.

It's basically a link to an EXE. You could probably only convince someone to
run it if you have some acquaintance with them, so obviously they'd hate you
afterwards. And you only get the key if they not only get infected, but pay
up. And you have to do it twice.

A better method might be "get 5 people infected", regardless of payment.

~~~
Buge
Then you could just infect 5 virtual machines.

~~~
kmm
They're probably counting on the average person infected with ransomware not
being able to do this

~~~
Buge
But someone could set up a service where they charge $50 and someone gives
them their referral link and they install 5 times from that link.

------
faragon
Why is not the FBI actively targeting those criminals?

~~~
dmihal
They're still going through Hillary's emails

~~~
grzm
Let's not go there. Please stay on topic with substantive comments.

------
NoExiiT
And how do they know if I infected a friend's computer? It could be mine, right?
I just have to set up a new computer with a fresh install and repeat it
again and again until they give me the key.

~~~
ShotgunSnipist
"Send the link below to other people. If two or more people will install this
file _and pay_ , we will decrypt your files for free."

~~~
NoExiiT
Yes, of course! Damn, I read it too fast ... sorry.

------
xg15
Someone has been watching too much "the ring"...

------
jwatte
OSes will have to start detecting processes that do a lot of disk read/write,
and perhaps network upload, and quarantine them. Also, checkpoint/log based
file systems like nilfs2 can let you roll back to any point before infection.

~~~
charonn0
I'm not sure that would be effective. A lot of legitimate software would get
caught up in the dragnet.

~~~
jwatte
Yes, and the user would have to whitelist them.

However, how much software do you really have that rewrites even 1/10th of all
your documents?

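The heuristic jwatte sketches, as an added example in Go that is not code from this thread or from any OS or endpoint product: flag a process that has overwritten more than a set share of the user's documents with high-entropy data, unless it has been allowlisted. The event format, the process names, the 20-document inventory, the 10% and 7-bits-per-byte thresholds and the trace itself are all constructed assumptions for the example; a real sensor would supply the events.

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// WriteEvent is one file write as an endpoint sensor might report it:
// the writing process, the path, and (a sample of) the bytes written.
type WriteEvent struct {
	Process string
	Path    string
	Data    []byte
}

// Verdict is the per-process result of the heuristic.
type Verdict struct {
	Process    string
	Rewritten  int     // distinct documents overwritten with high-entropy data
	Fraction   float64 // share of the document inventory that represents
	Suspicious bool
}

// shannonEntropy returns bits per byte (0..8). Ciphertext and compressed
// data sit near 8; ordinary text documents sit well below 6.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

var documentExt = map[string]bool{".doc": true, ".docx": true, ".xlsx": true, ".pdf": true, ".jpg": true, ".txt": true}

func isDocument(path string) bool { return documentExt[strings.ToLower(filepath.Ext(path))] }

// DetectMassRewrite flags any process not on the allowlist that overwrote more
// than maxFraction of the document inventory (totalDocuments, from a prior scan)
// with data above entropyThreshold bits per byte. Every process that touched a
// document gets a verdict, in order of first appearance.
func DetectMassRewrite(events []WriteEvent, totalDocuments int, maxFraction, entropyThreshold float64, allowlist map[string]bool) []Verdict {
	rewritten := map[string]map[string]bool{}
	var order []string
	for _, e := range events {
		if !isDocument(e.Path) {
			continue
		}
		if rewritten[e.Process] == nil {
			rewritten[e.Process] = map[string]bool{}
			order = append(order, e.Process)
		}
		if shannonEntropy(e.Data) >= entropyThreshold {
			rewritten[e.Process][e.Path] = true
		}
	}
	var out []Verdict
	for _, proc := range order {
		n := len(rewritten[proc])
		frac := 0.0
		if totalDocuments > 0 { // an empty inventory cannot be "10% rewritten"
			frac = float64(n) / float64(totalDocuments)
		}
		out = append(out, Verdict{proc, n, frac, !allowlist[proc] && frac > maxFraction})
	}
	return out
}

// xorshift32 yields deterministic ciphertext-like bytes for the constructed trace.
func xorshift32(n int, seed uint32) []byte {
	out := make([]byte, n)
	x := seed
	for i := range out {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		out[i] = byte(x)
	}
	return out
}

// SampleEvents is a constructed trace (not real telemetry): a word processor
// saving one text file, an allowlisted backup tool rewriting ten documents,
// and an unknown binary overwriting five of a twenty-document inventory.
func SampleEvents() []WriteEvent {
	text := []byte(strings.Repeat("quarterly numbers look fine, see attached. ", 30))
	ev := []WriteEvent{{"winword.exe", `C:\Users\a\Documents\notes.txt`, text}}
	for i := 0; i < 10; i++ {
		ev = append(ev, WriteEvent{"backup.exe", fmt.Sprintf(`C:\Users\a\Documents\arch%d.pdf`, i), xorshift32(1024, uint32(i+1))})
	}
	for i := 0; i < 5; i++ {
		ev = append(ev, WriteEvent{"popcorn-time.exe", fmt.Sprintf(`C:\Users\a\Pictures\img%d.jpg`, i), xorshift32(1024, uint32(i+100))})
	}
	return ev
}

func main() {
	for _, v := range DetectMassRewrite(SampleEvents(), 20, 0.10, 7.0, map[string]bool{"backup.exe": true}) {
		fmt.Printf("%-17s rewrote %2d docs (%3.0f%% of inventory) suspicious=%v\n", v.Process, v.Rewritten, 100*v.Fraction, v.Suspicious)
	}
}
```

The allowlist is what charonn0's objection turns into in practice: backup, sync and archiving tools legitimately rewrite large fractions of the document set with high-entropy output, so the rule only pays off when those are enumerated up front; the entropy check keeps a word processor's ordinary saves out of the count, and the fraction is measured against an inventory taken before the activity, not against whatever the process happened to touch.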
------
logicallee
Can we put quotation marks around the word "friends" to show what is really
going on more clearly?

It is, in fact, recruitment into cyber crime. The title should read:

> Ransomware gives free decryption keys to victims who infect their "friends"

------
mSparks
Popcorn Time software is something completely different.

This sounds more like an attempt to taint the Popcorn Time name rather than
real malware.

~~~
wutbrodo
It seems like a far more plausible explanation that this is real malware that
picked well-known software that people are likely to be downloading from
sources that they're not super sure about.

------
mkagenius
If it forms a binary tree, the leaves itself will be 50% of the population.
(much worse in case of 3-nary tree?)

------
codedokode
I wonder what could be changed to help find and prosecute the distributors of
malware?

By the way, I think that the ones held responsible and paying for the damages
should be the distributors, not the malware developers, especially if they did
not know exactly how it would be used. Making malware is like making a gun; it
is allowed in some countries. Maybe it will be used for good purposes.

~~~
niij
I think that's bogus. They can and should be held accountable if they're
running enterprises like this. How can malware be used for good purposes?
(Mal)icious Soft(ware) doesn't sound too "good" to me.

------
byebyetech
Sounds like a pyramid scheme!

------
mercurialshark
Reamde would have unfolded quite differently had this been the case.

------
MisterWalter
1 - Infect a few virtual machines

2 - Collect decryption keys

3 - Laugh at the hackers

Of course not many people out of the general population know how to make a
(primarily) windows VM, but I'm surprised that others aren't mentioning it in
this thread.

~~~
detaro
They require that the other people you infect _pay_ the ransom, so you'd still
have to pay for the VMs. (Also
[https://news.ycombinator.com/item?id=13147428](https://news.ycombinator.com/item?id=13147428)
and replies)

~~~
MisterWalter
Whoops, I missed that bit, that would be why. Thanks.

------
imchillyb
With airplanes, the manufacturer is on the hook until the plane is no longer
in the air.

We should require OS manufacturers to do the same. They should be on the hook
for security until the last device using their technology is no longer in use.

~~~
gpm
That doesn't really make sense. 'Security' is not a binary thing; many pieces
of malware, quite possibly including this one, don't break the OS's security
model.

The OS doesn't consider your browser downloading and running an executable a
problem; if it did we would all be complaining about walled gardens. If that
executable wants to read and write files in your home directory it is allowed
to (otherwise you couldn't download and run emacs). The fact that it happens
to be encrypting them to ransom back to you isn't something the OS is really
in a position to know, or do anything about.

------
bitmapbrother
Yet another reason to avoid Windows. The only new software being released for
Windows are viruses, malware and ransomware.

~~~
charonn0
The only vulnerability in this case exists between the keyboard and the chair.

~~~
codedokode
Do you mean one has to be a computer science graduate to use a computer? And I
doubt even CS graduates can always distinguish between real software and fake
one with malware inside.

I think the problem is in PC and OS design.

~~~
charonn0
What I meant is that ransomware predominantly spreads by tricking the user
into running malicious code, as opposed to tricking the OS. There's not a
whole lot the OS can do if the user is determined to open e.g.
"kittenpic.jpg.exe" or "invoice.doc.exe".

~~~
codedokode
That is because the user has previous experience of double-clicking files to
run or view them and nothing bad happening.

> There's not a whole lot the OS can do if the user is determined to open e.g.
> "kittenpic.jpg.exe" or "invoice.doc.exe".

I think there are many options:

1) do not download executable files or make them non-executable after download

2) do not run downloaded executable files

3) do not run executable files without valid signature from OS developers

4) run executable files inside a sandbox

For example, iOS uses approaches 1, 3 and 4, and Android uses 4. Only desktop
operating systems (including some Linux distributions) allow a user to be
tricked into running malware with full access to the user's files by clicking
a link and pressing OK twice. That is why I consider this the OS's fault, not
the user's.

In many environments users are not supposed to download and run executable
files. For example, in a workplace an employee is supposed to use only
software approved by the company. And still no operating system provides an
easy way to enforce it.

Imagine if pressing a wrong button on a washing machine would cause installing
malware. Would you like to buy such device?

~~~
charonn0
> Imagine if pressing a wrong button on a washing machine would cause
> installing malware. Would you like to buy such device?

A washing machine isn't a Turing machine.

~~~
hawkice
Ah, the glorious days before the Internet of Things made everything a general
purpose washing computer.

For instance: [http://www.samsung.com/uk/consumer/home-appliances/laundry/washing-machine/WF12F9E6P4W/EU](http://www.samsung.com/uk/consumer/home-appliances/laundry/washing-machine/WF12F9E6P4W/EU)

