
The Increasing Trend of Online Extortion - fekberg
http://www.troyhunt.com/2014/11/ransom-is-new-black-increasing-trend-of.html
======
softrage
I saw Cryptolocker in action, and what surprised me about it was how
professional it was. For those not familiar, it would come as an attachment in
an email, and once run, would encrypt files locally and on any shared drives.
Particularly useful against companies, with many unsuspecting users and lots
of sensitive stuff to encrypt.

It left behind lots of text files giving you instructions and an address you
can access via Tor. When you went to that address, there was a web app to
allow you to upload an encrypted file to confirm if it was Cryptolocker. If
you pay the ransom, they would send their "decrypter tool" that had the
encryption key embedded in it.

The real criminal breakthrough, in my opinion, is that all of these utilities
worked. When people are able to do some research and find out that if they pay
up, they really will get their stuff back, often times they will pay up. It's
certainly very disturbing.

~~~
talmand
I suspect it's because criminals don't do A/B testing on whether following
through when their demands are met gets them better results.

~~~
ugexe
Why would you suspect that? Just because criminals more often commit crimes
that do not allow for easy A/B testing (or don't offer a worthwhile return on
it) does not mean smart criminals wouldn't do such testing. If you want to get
technical about it American banks have been doing A/B testing for a long time,
and often are just as big of crooks as extortion virus creators.

------
codeshaman
Due to the pseudo-anonymity of cryptocurrencies, a whole range of perfect
crimes is possible. Say you've got some bitcoins (as little as 3 BTC makes
you attractive, but let's say you've got 100 BTC) and you order a pizza with
bitcoins from that wallet. The pizza guy fires up blockchain.info and notices
that your address has a hefty balance, then picks up the phone and tips Oleg
and Boris, giving them your home address.

Oleg and Boris mean business: they have a hammer, clippers, a soldering iron
and an AK-47 in the trunk. Their target: your Bitcoins.

They wait patiently for you to exit your apartment or they follow you around
or they just come knocking at your door. They are ready to patiently torture
you until you transfer all your bitcoins to their address. They will enjoy the
process, you .. not so much.

After you finally give in and transfer them your bitcoins, they leave and
disappear. Now you've got absolutely nothing to show to the police: You cannot
prove that those were your bitcoins and you cannot prove that the address
you've transferred your balance to isn't yours. And you have no idea that it
was the pizza place that tipped the bad guys.

For Oleg and Boris, it's the perfect crime: They just made $30k in 20 minutes
and they didn't even have to kill anyone, a finger here, a finger there and
they are rich!

This, in my opinion, is a great risk for cryptocurrency owners, because it
offers potentially great returns for the bad guys and the risk is pretty
small, plus it's very hard to prove that the theft/extortion did happen.

~~~
icebraining
Simple: keep multiple addresses (all clients are built for this) and diversify
your balance among them. Keeping them all on a single address makes even less
sense than keeping large savings in a checking account.

It shouldn't be very hard to design the UI to make it hard to fall into this
trap, either. Easy way: when doing a small payment from an address with a
large balance, the client can automatically add intermediate transfers to
avoid the direct link.

~~~
codeshaman
Of course, everybody should do that. But since we live in an imperfect world,
not everybody will do it. As you're saying, this should be implemented in the
BTC clients themselves and they should not let you make large transfers
without first warning of the dangers. But what if you're buying a boat or a
car or a house?

I've lived in the ex Soviet Union in the 90's and extortion through torture
was a common thing back then. But now we might see the 21st century version of
those guys, probably a bit more gentle - no need to shoot or kill people, just
force them to press Enter and you're done.

~~~
icebraining
If you're buying a boat or a car, you'll have to do a big transfer. But how is
that any different than buying something expensive using a bank account? It's
not a new problem with cryptocurrencies.

~~~
throwaway84356
Your bank wire doesn't leak the balance of your account to the recipient. It
is a new and unique problem with _some_ cryptocurrencies. Of course, we have
already proposed solutions to this problem with ring signatures, stealth
addresses, 'coinjoin', 'zerocash', 'TITAN', etc.

~~~
icebraining
As I wrote, you can simply move money around so that the final transfer
doesn't reveal your original balance, e.g. if I have a balance on address A of
30 and I want to pay something that costs 4, I can just create multiple
addresses where I move and subdivide the 30 until the last address only has a
little over 4.

The recipient has no sure way of knowing that the original address was mine -
I might just have withdrawn from a service like Coinbase.

------
phkahler
I keep thinking these two things are related: 1) reliable identity 2) good
security.

If you had a reliable identity - well implemented private key crypto or
signatures, or perhaps just a fixed IP address - Communications protocols
could be created that don't allow anonymous communication. You don't provide
identity and they won't accept messages. The thing is, this would also allow
private communications which neither corporations nor governments want to
happen.

So the internet will remain insecure so long as companies want to read your
stuff for "ad targeting" and governments want to read your stuff to "stop
crime". Got that last part?

~~~
spindritf
There is no connection between CryptoLocker and ad targeting. What you're
proposing would do very little to thwart tracking (imho strong identities
would make it easier) and completely kill the open Internet where I can send
and receive information from people I don't know, maybe even people I wouldn't
want to know otherwise.

~~~
phkahler
Just using public key crypto allows anyone to communicate securely with anyone
else - including people you don't know. If you have end-to-end security, your
communication can't be read and you can verify who a message or threat came
from. It's all good with the exception of 3rd party listening. It's probably
easier to see that data went from one person to another (which is no change)
but that doesn't tell you what the data is (which is a big change).

I don't know why people don't seem to understand this. Or perhaps the lack of
understanding is why it's not here.

------
Rambition
Intense, if not shocking.

It's the "Nigerian Prince wants to give you $100M" email scam scaled up
another notch.

Where that was a pure numbers game, the criminal knows if they send out 1M
emails, 1% will engage, and of that 1% they will get 1% to send money, that
"scam" could easily be thwarted with a simple click of the delete button in
your inbox or the increase of spam filtering to help the unsuspecting or
unknowing not start the process at all.

This online extortion is certainly more aggressive and has an immediate effect
on your life. Criminals are always looking for the next way to get ahead, I
wonder where the "spam filter" to thwart this effort will come from and what
they will move on to next.

------
techsupporter
And this is where the thieves start getting creative. Backups, setting a PIN,
using decent passwords--all of these steps prevent the low-hanging fruit of
locking up someone's data (and can be installed by technically-savvy friends
or family). The bigger question is how to protect your reputation, especially
when directory entries can easily be modified on Google, Bing, and Yelp,
complaints can be submitted to the health or licensing agencies online, and
even cranking out some SEO can get "bad press" filtering near the top of
search results.

~~~
mjklin
These viruses can encrypt connected storage too, so your backups better not be
all on a network drive or external hard drive. I believe they can encrypt
Dropbox folders, not sure about Crashplan or similar services.

~~~
rikkus
Crashplan retains old versions of files (it's a backup service) and you can
choose to restore everything before a certain date, so you should be able to
get everything back.

I just searched and they actually have a page showing how to recover from such
an attack:
[http://support.code42.com/CrashPlan/Latest/Troubleshooting/R...](http://support.code42.com/CrashPlan/Latest/Troubleshooting/Recovering_Files_Infected_By_CryptoLocker_Or_CryptoWall)

~~~
duiker101
Doesn't Dropbox also keep old versions?

~~~
rikkus
Yes, but only for 30 days unless you pay more. If you don't realise there's
been a problem quickly enough, you could be in trouble.

I'm not sure there's an easy way to restore everything from before a certain
date, either, though I'm sure it'd be possible to knock something up to do it.
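
The restore-before-a-date idea discussed in the CrashPlan and Dropbox comments above, as an added example that is not part of the original thread: it plans a roll-back from a version history and shows how a 30-day retention window turns late discovery into data loss. The file names, timestamps, `plan_restore` helper and the retention model (an old version is purged 30 days after it is replaced) are constructed assumptions, not any provider's API.

```python
from datetime import datetime, timedelta

# Constructed sample: path -> [(saved_at, version_id)], as a versioning
# backup might record it. Names and timestamps are made up.
ENCRYPTED_AT = datetime(2014, 11, 10, 12, 0)
HISTORY = {
    "docs/report.docx": [
        (datetime(2014, 9, 1), "v1"),
        (datetime(2014, 11, 1), "v2"),
        (datetime(2014, 11, 10, 12, 5), "v3"),  # encrypted copy
    ],
    "photos/a.jpg": [(datetime(2014, 6, 1), "v1")],  # never touched
    "HOW_TO_DECRYPT.txt": [(datetime(2014, 11, 10, 12, 6), "v1")],  # ransom note
}


def plan_restore(history, encrypted_at, now, retention_days=30):
    """Map each path to (status, version_id) for a roll-back to before encrypted_at."""
    cutoff = now - timedelta(days=retention_days)
    plan = {}
    for path, versions in history.items():
        versions = sorted(versions)  # oldest first
        clean = [v for v in versions if v[0] < encrypted_at]
        if not clean:
            # Only exists since the attack: nothing to restore, review and delete.
            plan[path] = ("created_after", None)
        elif len(clean) == len(versions):
            # Current version predates the attack.
            plan[path] = ("unchanged", clean[-1][1])
        else:
            # Assumed retention model: the newest clean version is purged
            # retention_days after the version that replaced it was saved.
            replaced_at = versions[len(clean)][0]
            if replaced_at >= cutoff:
                plan[path] = ("restore", clean[-1][1])
            else:
                plan[path] = ("lost", None)
    return plan


if __name__ == "__main__":
    for label, now in (("noticed after 10 days", datetime(2014, 11, 20)),
                       ("noticed after 40 days", datetime(2014, 12, 20))):
        print(label)
        for path, result in plan_restore(HISTORY, ENCRYPTED_AT, now).items():
            print("  ", path, result)
```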

------
powerset
Crypto ransom is the premise for the novel Reamde by Neal Stephenson

------
bitfury
Cryptocurrency encourages this type of behavior and makes online extortion
possible.

------
michaelochurch
Extortion is a weird, upsetting crime. It seems to be a waste product or high-
entropy end state in a stagnant economic system.

First, the powerful extort constantly. When VCs use their social connections
to other VCs (the culture of co-funding) to pull the "we'll turn off the whole
Valley" card, also known as "the reputation threat", and get people to sign
bad term sheets, that's extortion. Most bad reference and negative reputation
issues that exist in the Valley come from people who refused to be extorted.
But when people in power do it, they don't call it "extortion". They call it
"power".

Likewise, most people who acquire power did so by extortion. Not in the hold-
up sense, but by happening into important information on powerful people and
being able to leverage it into the investment of said powerful people in their
careers. All that said, it takes a certain social skill to pull off. You can't
just send an email saying, "I know <X> and will release it unless you provide
<Y>, <Z>, and <W>." You'll piss that person off, and it's a felony, and even
though you'll probably never do jail time (because the extortion target still
doesn't want "X" to see daylight) that person now holds the cards. You have to
be really subtle and it's best if the extortion threat is unsaid. One of the
reasons why fraternity affiliations are so powerful is the implied mutual
extortion that comes from living together for 3-4 years at a time of life in
which people tend to be impulsive and do incredibly stupid things that their
adult selves will regret.

If you're in the same frat, you're bound to have dirt on that person, and if
that person becomes powerful, you'll cash in. If you say, "I'll reveal <X>
unless you <Y>" you won't get anything, and you could end up in jail... but if
it's a tacit agreement, that person will support your career in perpetuity.
Perversely, the network effect of this tacit, mutual extortion is _positive_
for the group of people it covers because it spreads good fortune around.

Extortion seems to be a by-product of stagnation, because it's the ultimate
zero-sum activity. It's what people start doing to each other when they give
up on new contribution. Oddly, the frat culture (for all its ugliness) seems
to be an adaptation to this because, while it creates a low-level tacit
extortion field, it also prepares people to handle external extortions (from
"the proles" who "have no right") and to exercise power (_cough_ extort
others).

What's strange about this rash of online extortions is that it seems to be
coming at a time when, objectively, there _shouldn't_ be a sense of economic
stagnation. There are, arguably, more opportunities for positive-sum
contribution than there ever were. But the social distance between capital and
effort/talent has never been greater, especially on a global scale, so that
might explain the problem.

~~~
viggity
I was in a fraternity. Did some people do some stupid shit, sure, it was
college after all. But I have a hard time seeing how any crazy extortion
schemes would come into play as you described. I don't know how I could extort
a brother because I once saw him puke in the street or streak thru campus. For
someone as prolific on HN as you, I'm surprised to see you come off as a
conspiracy nut. Or, maybe me living in the midwest where everyone is nice and
cooperative in general has given me a warped view of the world (albeit a
positive view).

~~~
michaelochurch
So, there's a wide spectrum of organizations given the name "fraternity" and
not all of them are bad. I'm talking about the abusive frats that (a) cover up
disgusting and almost invariably illegal behavior by well-connected,
privileged men, (b) disburse connections from the upper class into its next
generation, and (c) are heavily responsible for the injection of bro types
into the VC-funded founder ranks.

There's a wide spectrum of "fraternity". Just look at initiations. There are
some where initiation is being driven 5 miles off-campus and having to find
your way back, and others where it involves bodily fluids, physical abuse, and
dangerous levels of alcohol.

When people complain about "frat boys" or "bros" infesting the Valley, we're
not talking about guys who like to drink occasionally or streaked a football
game, because none of that's a big deal. No one has a problem with an
occasional game of beer pong. We're talking about entitled, well-connected
people (e.g. the Spiegels and Duplans of the world) who've lived for decades
in a world where there are absolutely no consequences for their actions.

