We published a story today that found that a lot of the firms touting their ransomware decryption services actually end up paying the hackers (often behind the client's back) and then tacking on a fee.
Thought you all would find it interesting. A great tidbit that my reporting partner Renee uncovered: a former deputy FBI director was paid to promote MonsterCloud, while knowing that they paid bitcoin to cybercriminals.
He's also a former TSA director. So of course, he partnered with their CEO on a side biz to put massage chairs in airports. ¯\_(ツ)_/¯
Anyway, thought this would be a story that HN would enjoy. Would love to hear y'all's thoughts since this is the community with the expertise & experience to comment. If you have things (ransomware or otherwise) you think we should look into, would love to hear as well. :-)
Do the chairs hack your phone or something? I've never seen anyone pay to use one, only sit on them without paying.
They have them in motorway service stations in the UK as well as at airports.
That narrows it down a bit. With a name like that you'd hope he was more of a straight shooter.
> former FBI Deputy Director John Pistole
awkward finger guns
- Many average users don't want to understand cryptocurrencies, how to safely and securely buy and use it is a challenge in and of itself.
- They're on the hook and the client pays nothing if the ransomer fails to provide a working key.
- They'll also manage the ransom decryption software - if there's problems with it there are 3rd party tools that can often do a better job of decryption than the original decryption tool, again, this is something that's going to be complicated for average users to deal with.
- For some ransomware there are decryption processes available without the need to pay the ransom; figuring out which of these applies can be challenging.
- Certain institutions may be unable or unwilling to work with the attacker directly - introducing a middle man to broker can help solve this.
Overall the piece seems somewhat hyperbolic.
Obviously the two companies collaborating would give benefits to each other, and it might just be a convenient way to separate the illegal from the legal...
“Are we paying a bribe? I’ll have to create a new line item in SAP for that,” asks Alice from accounting.
“I need them to sign this form saying they haven’t tortured anyone in the past 5 years”, Bob from procurement auditing.
“Please have one of their senior directors sign this form declaring that none of their funds employees are based in any of these embargoed countries. I’ve attached the list.” Charlie from legal.
I don't think that companies that offer ransomware decryption services have a problem with this incentive. More ransomware means more customers for their "decryption services". ;-)
In general, this sounds like a dangerous attitude. Asking people to do "whatever it takes" to solve an immediate problem, with no consideration of wider or longer-term effects, frequently leads to more trouble in the end.
$10k to Bob’s IT consultancy within the same state is a lot easier than $10k that ultimately leads to a country that may be embargoed.
In which case the middleman/coconspirator would add one more, completely unrelated crime to their list.
The incentive in both cases is money, specifically from people who feel vulnerable enough to pay but not so vulnerable that they give up hope.
sales vs engineering
triage vs diagnostics
collections vs billing
Sounds like a complete service being offered by two separate legal entities with the purpose to evade.
(Full disclosure since someone else was asking for it: I have nothing to do with any of this stuff.)
- It looks bad to the public if companies directly pay the ransomware creator. Decryption companies can act as a PR "buffer" in that respect.
- By funneling the Western world's contact with ransomware creators through a small number of companies, we create an incentive for ransomware creators to follow through with providing the decryption keys and not play games with the price. If they fail to hold up their end of the bargain, their reputation will immediately be ruined within the small number of companies that do this.
> The father of ransomware was Harvard-educated anthropologist Joseph L. Popp Jr. While researching the theory that AIDS originated in green monkeys in East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS education to people interested in public health. When recipients ran the disk, their computers froze, and a message on the screen instructed them to send up to $378 to a post office box in Panama for a second disk that would restore their access.
> ATTENTION I have been elected to inform you that throughout your process of collecting and executing files, you have accdientally ¶HÜ¢KΣ► yourself over: again, that's PHUCKED yourself over. No, it cannot be; YES, it CAN be, a √ìτûs has infected your system. Now what do you have to say about that? HAHAHAHAHA. Have ¶HÜÑ with this one and remember, there is NO cure for AIDS.
I didn’t think Bitcoin transactions were intended to be anonymous and difficult to track, why would Bitcoin use a public ledger if that was the intention? I was under the impression other cryptocurrencies are trying to solve for “anonymous and difficult to track.”
However, in practice, most people buy bitcoins via a method that requires ID, which links their ID to one of their addresses. Multiple addresses can then be linked together by cluster analysis based on usage patterns.
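A worked sketch of the cluster analysis mentioned above, added here as an example (not code from the thread or from any firm it discusses): the common-input-ownership heuristic, which assumes every input of one transaction is controlled by the same wallet, run over constructed transactions and a constructed exchange KYC record. Address names, transactions and the `customer-1234` identity are all made-up sample data.

```python
# Added example (not from the thread): the "common-input-ownership" clustering
# heuristic the comment above alludes to. Every transaction, address and KYC
# record below is constructed sample data, not real chain data.
from collections import defaultdict

# Constructed transactions: (input addresses, output addresses).
SAMPLE_TXS = [
    (["addrA", "addrB"], ["addrX"]),           # A and B co-spent -> same wallet
    (["addrB", "addrC"], ["addrY", "addrD"]),  # C joins the A/B cluster
    (["addrE"], ["addrF"]),                    # single input: no co-spend evidence
    (["addrX"], ["addrG"]),                    # X spent alone: stays separate
]
# Constructed: the address an exchange tied to a verified identity at purchase.
KYC_LINKS = {"addrA": "customer-1234"}


def _find(parent, x):
    """Disjoint-set lookup with path halving; registers unseen addresses."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_addresses(txs):
    """Merge addresses that appear together as inputs of one transaction.

    Outputs are deliberately not merged: change detection needs further
    heuristics, and merging outputs blindly over-links unrelated users.
    Returns {root: sorted member addresses}.
    """
    parent = {}
    for inputs, _outputs in txs:
        root = _find(parent, inputs[0])
        for addr in inputs[1:]:
            other = _find(parent, addr)
            if other != root:
                parent[other] = root
    groups = defaultdict(list)
    for addr in parent:
        groups[_find(parent, addr)].append(addr)
    return {root: sorted(members) for root, members in groups.items()}


def identify(addr, txs=SAMPLE_TXS, kyc_links=KYC_LINKS):
    """Return the KYC identity attached to any address in addr's cluster, or None."""
    for members in cluster_addresses(txs).values():
        if addr in members:
            return next((kyc_links[m] for m in members if m in kyc_links), None)
    return None
```

Because `addrC` was never bought through the exchange but was co-spent with `addrB`, which was co-spent with `addrA`, the heuristic still ties it to the identified customer, while output-only addresses such as `addrY` stay unlinked.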
Last I checked, there were also several operational mixing services that would gladly launder your funds for you (for a nominal fee). It's more surprising to me that they didn't end up using a system like this before performing the final payment capture. But maybe if they're overseas, they don't care?
How do we know that they (MonsterCloud) weren't also the criminals on the other side of the bitcoin transaction?
Is it possible this was all a giant payola/extortion ring?
I mean, the criminals were just that reliable, organized and scrupulous about unlocking their victims?
It certainly is not impossible that the decrypting company would be so scummy, but it is in the same vein as accusing a home security company of financing burglars to go on a rampage.
This opens up one of those weird moral dilemmas akin to asking whether it's moral to hack someone's exposed device to patch a security hole: Would it actually be a net positive to create a ransomware variant that had no decryption key, but acted like it did?
quote 2: "It stopped dealing with the SamSam hackers after the U.S. government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran."
There you have it, the way of the managers: lie, lie and more lies, as long as $$$ can be made.
In my experience of dealing with US managers, the longer the titles they have, the dumber the person is.
"I've been here 3 years, I want a promotion...."
"Here's a pointless fancier title with no pay bump"
Because on the surface, of course you pay the ransom! I specifically selected insurance that stated up front they would pay a ransom if they had to. I think this has to be fairly common knowledge outside of infosec.
Perhaps some CTO/CIO/CFO types would rather the peace of mind or the idea that they aren’t helping these ransom-entrepreneurs out by paying them.
The instinct to contact ransomers and say, "hey, I see you have some uncertainty in how much money you are going to collect. Do you want a guaranteed amount now, or a risk adjusted figure later? If now, I can offer you $x for a key I can use on as many customers as I can..."
Ethics aside, that's really impressive deal making.
As the probability of recovery goes down, the likelihood of being willing to pay the ransom also goes down.
Though in a way this feels a bit like going around _actually shooting_ people in order to “poison the well” for a group that goes around _threatening to shoot_ people, but not actually shooting them if they pay up.
They just provide plausible deniability to clients, who may not be able to pay the ransom for legal reasons.
Of course it’s much more plausible that they’re just scumbags looking to make an “honest” profit off a criminal act.
Maybe an altruistic individual within the company, but not as a directed managerial effort.
> In a video posted online touting MonsterCloud’s services, Pinhasi wears a dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a white long-sleeve T-shirt emblazoned with the logo of teen retailer Abercrombie & Fitch.
As far as I understand, ransomware simply applies RSA on the victim's data. If the victims understood what that meant, they would understand that it is entirely unrecoverable. The data is simply gone without the private key.
If the data were recoverable that would mean RSA had been broken, and the entire world would know about that. Normal people would understand because the global financial system would need to stop entirely while they switched to a new algorithm.
If you are being sold a product which is based on a lie (let alone a lie that you won't pay criminals and skim money off the proceeds of the crime), then it is always the fault of the seller. Blaming the people who were lied to as being ignorant is a bit rich.
(Also, RSA is not really efficient for encrypting large amounts of data. I'm willing to bet that most ransomware uses secret-key crypto like AES or ChaCha20 for the actual encryption and then transmits the secret key back to the C&C server or does some form of key-exchange to generate a secret key. Which means that the attacked machine had a copy of the secret key at some point.)
There are actual cases in history of ransomers attacking fellow ransomers who don't follow through for hurting the shared business model.
"True" ransomware requires a key management infrastructure with a capacity for delivering a service. Setting up a bitcoin recipient takes next to no resources. If you were criminally minded, what would you do?
It would harm the ransomware-maker's reputation? Just pick a new name every week.
Remember, ransomware-makers aren't providing a service anyone wants. They have inserted themselves into the system and only care about getting their victim's money.
It is that way in the ransomware/game cracking/early piracy (before release) "scene".
But this is my original point. Someone hit by an attack has no way of knowing what type of attacker they are facing.
Will the attacker return my files if I pay up? They might, but there's a very reasonable possibility they can't or won't. Remember, they just want your money. They have no reputation to maintain because they're already criminals.
Can't a bitcoin (or whatever cryptocurrency) recipient ID be used as a brand name?
But when ransomware has a name, it needs a “good” reputation to be successful. Just paying must be a well known and publicised way to get your files back; that’s what makes it easier for everyone to just pay. If the ransomware gains a reputation for not holding up their end, no one will pay.
If ransomware gets a reputation of not unlocking on payment, then it degenerates into a virus and you’ll have mainstream news media telling people not to bother paying.
That's the type of person who is a repeat offender. He could never tell me how he got the virus, but some recon between email and internet history showed otherwise. He loved clicking on EVERYTHING while "researching" cases. I get the research, but a lot of court cases probably aren't on page 20 of Google on some shady half-English sites either.
Lots of fun in local government.
/also I just restored from backups each time but they were ready to pay to have "all their data restored."
They can do that to you because there is no benefit to them to decrypting (and a cost/risk that these actions aid in them getting caught).
If a single company handles hundreds of ransoms then not decrypting for them removes a lot of future revenue potential.
See Some people like the idea of freedom
Somehow I bet you would, with understanding the complete ramifications of such a society