
Ruthless Ransomers

Command Line Heroes Team
Security
Tech history


About the episode

It’s a strange situation when someone can hold something hostage from halfway around the world. It’s tragic when your own pictures and files are remotely encrypted. But when it’s a hospital’s system? Ransomware becomes a problem about life or death.

Eddy Willems recounts his involvement in defeating an early ransomware attack that targeted AIDS researchers. At the time, there was a way to discover the encryption key. But as Moti Yung warned, asymmetric encryption would change everything. In the years since, ransomware attacks have become much more popular—thanks in part to the rise of cryptocurrencies. While criminals think it’s an anonymous way to collect payment, Sheila Warren tells us that the opposite is actually true.


Transcript

Okay. Phone, wallet, keys. Elias is having a perfectly ordinary morning. He showered, threw back a cup of coffee, and now he's heading out the front door on his way to work. What the? Except when he opens that door, there's a second door made of steel behind it. Is this locked? Some kind of prank? Hey, what is this? What's going on? He starts racing around the house. The back door is the same. It's blocked. He runs to the windows. They're covered with more slabs of steel. Every exit has been sealed off. Elias is trapped inside his own house and then water begins to seep in rising from the basement. Hello. Hi there. Feeling cozy? Did you do this? Are you controlling the water? You need to let me out of here. Oh, I will. I've got the key right here in my hand and I'll let you out for a price. Now, I want you to imagine a slightly less scary scenario, less creepy, but much more likely to happen. Instead of someone being locked inside their home, imagine crucial files are locked inside your computer. They've been encrypted and you can't read them. The key that's being offered up for a price is a decryption key. If you want to set your computer free, you'll have to pay the ransom. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. This season we're exploring horror stories from the world of digital security. This time, it's ransomware, those strings of malware that invade your computer, encrypt your files against your will, and keep things locked up until you pay. Encryption technologies have been keeping information safe for centuries. Even in ancient Sparta, there was a tool called a scytale for sending secret messages during wars, and levels of encryption have only been getting more and more complex since then. But ransomware turns encryption around, puts it to work for the bad guys. A whole new world of trouble arrived once criminals realized encryption tech could be used to put pressure on their victims. 
Should I tell you the real story about how I was confronted with the first ransomware? Eddy Willems is a security evangelist at G Data Cyber Defense. But back in the winter of 1989, he was working as a technology consultant for an insurance company in Belgium. I still remember it on a Monday morning, my manager came to me and he asked me, "Eddy, can you have a look at this floppy?" The floppy disc was labeled AIDS Information and Eddy's boss thought it might have something important on it. The AIDS pandemic was sweeping the globe and insurance companies needed to understand this devastating disease. I thought, okay, I'm just putting it in my computer and want to see what it is going to do. So I started up the program and actually it was asking me a couple of questions about AIDS. And afterwards, it was printing out some statistical information about the AIDS disease. So it seemed legit, not especially interesting though. Willems pulled out the disc and told his boss it wasn't worth much. That would've been the end of it, but. Then on a Wednesday morning, I turned on my computer again and there was a bizarre screen popping up and the only thing I could do actually was clicking on the return key, which I did. And at that moment, I got another screen. This screen was in red and it was actually asking me to send $189 in an envelope to a PO box in Panama. So I thought, what is this? And I couldn't do anything more because, it was really at that moment, I was blocked. So without knowing, I was actually confronted at that moment with the very, very first ransomware. The proposition was simple. To decrypt his computer's files, Willems should send his money to the PO box in Panama, then a code would be sent back which would be punched in to decrypt the files to unblock him. This AIDS information malware was distributed on more than 20,000 floppy discs, just like the one Eddy Willems received. Some people were handed the disc at an AIDS conference. 
Others were sent the disc because they were on a subscriber list for PC World Magazine. People in 90 different countries received that ransomware demand and many gave in. Many were working in the field of AIDS research or related fields. They would've felt that retrieving information on their computers might be a question of life and death. Of course, the owner of that PO box in Panama was counting on that sense of urgency. That's why he targeted AIDS researchers. But you know at that moment, we didn't know that it was ransomware. Even the term ransomware was not described. This was a pioneering attack. Ground zero for a new security threat and something we've heard more than once this season is that new kinds of malware are often the most dangerous. Back in 1989, nobody knew what this AIDS Information disc was or how to deal with it. But what really saved the day was that the encryption wasn't that sophisticated. This was a time when computers themselves weren't that sophisticated. The whole attack was based on a simple substitution cipher. Some letters would be replaced by numbers, but the pattern could be reverse engineered. Willems and other security folks got to work on it. I was trying to figure out what was going on. So I was analyzing the disc, reverse engineering the malware, and we discovered actually that it was using a very simple encryption. And we found a way to beat it. They cracked the encryption and helped people get their files back without paying any ransom. The mastermind behind the attack, a biologist named Dr. Joseph Popp, was eventually caught and brought to trial. But that ransomware attack in 1989 was just the beginning. The criminals learned some important lessons from Dr. Popp's mistakes. The AIDS trojan was easily breakable. So, you know, the bad guys said, okay, we can do much better than this. Moti Yung is a research scientist at Google who specializes in cryptography and security. 
He's been watching the evolution of ransomware attacks since those early days. The next generation came with public key cryptography, which essentially makes cryptovirology, ransomware, extortion using crypto, essentially unbreakable unless you pay the ransom. Public key cryptography changed everything. With asymmetric encryption, criminals could create unbreakable ransomware. The victim would receive a public key that could only encrypt files, but the private key needed to decrypt them would be held by the attackers. There was no way to reverse engineer the decryption without paying up. What we predicted in 1996 was essentially that with public key cryptography, you can mount attacks that are essentially information theoretically secure from the attacker point of view. Yung and his colleague Adam Young published a paper in 1996 that predicted exactly this scenario. They called it cryptovirology - the use of cryptography by computer viruses to make them more dangerous. Their work was controversial at the time because they were essentially providing a roadmap for future attacks. We were a bit criticized for this because people said, well, you're helping the bad guys. But our view was that we need to understand what the bad guys can do in order to defend against it. Their predictions proved tragically accurate. By the 2000s, sophisticated ransomware attacks were becoming more common. And by the 2010s, they had exploded into a major global threat. The WannaCry attack in 2017 infected hundreds of thousands of computers worldwide, including systems at hospitals and government agencies. WannaCry was a wake-up call for the world. It showed that ransomware could cause massive disruption on a global scale. Hospitals had to cancel surgeries, government services were disrupted, and businesses lost millions of dollars. The attack highlighted how dependent we've become on digital systems and how vulnerable those systems can be. 
When ransomware hits a hospital, it's not just about lost data or financial costs - it's literally a matter of life and death. In the medical environment, when you have ransomware, people can die. That's the reality. When you cannot access medical records, when you cannot use medical equipment that depends on computers, lives are at stake. This is why ransomware has become such a high-priority threat for law enforcement and cybersecurity professionals. It's not just about money anymore - it's about the fabric of modern society. Ransomware attacks have become more targeted and more sophisticated. Instead of casting a wide net and hoping to catch a few victims, attackers now research their targets carefully. They look for organizations that are likely to pay large ransoms and that have inadequate security measures. These targeted attacks, sometimes called "big game hunting," can result in ransom demands in the millions of dollars. Attackers will spend weeks or even months inside a victim's network, learning about their systems and planning their attack. The attackers have become very professional. They have customer service departments to help victims pay ransoms. They have technical support to help with the decryption process. It's become a full-fledged industry. The professionalization of ransomware has made it both more dangerous and, paradoxically, sometimes more reliable. Attackers have a business reputation to maintain - if they don't provide decryption keys after payment, future victims won't trust them enough to pay. From a game theory perspective, it makes sense for the attackers to actually provide the decryption keys. If they don't, word gets out and future victims won't pay. So there's an incentive for them to be "honest" in their dishonesty. But this raises difficult ethical questions for victims. Should organizations pay ransoms, knowing that this funds criminal operations and encourages more attacks? 
Or should they refuse to pay and potentially face severe consequences? It's a terrible dilemma. On one hand, paying ransoms encourages more attacks and funds criminal organizations. On the other hand, when lives are at stake or when an organization faces complete destruction, the calculus becomes very difficult. This dilemma has led to intense debate among policymakers, law enforcement, and cybersecurity professionals about whether ransom payments should be banned or regulated. Some countries have banned ransom payments to certain groups, particularly those designated as terrorist organizations. But enforcement is difficult, and the definitions of which groups qualify can be complex. The rise of cryptocurrency has made ransomware attacks even more attractive to criminals. Digital currencies provide a way to collect payments that seems anonymous and difficult to trace. Cryptocurrency was a game-changer for ransomware. Before Bitcoin and other digital currencies, collecting ransom payments was one of the riskiest parts of the operation. Now attackers can demand payment in cryptocurrency and feel relatively safe from detection. But as we'll hear from our next guest, the apparent anonymity of cryptocurrency may be more illusion than reality. We've talked a bunch this season about this idea of digital hygiene, the idea that we can each stop malware in its tracks by simply being careful about how we behave online. But what if it's too late for all that? How can we respond when a ransomware attack is already underway? The answer might be that age old truth, follow the money. The movement of money across borders has interested me for a very long time in my career. Sheila Warren is an executive at the World Economic Forum, where she works on data, blockchain, and digital assets. She spends a lot of time thinking about cryptocurrency and the way it's shaping our world. Cryptocurrencies in their purest form are a way for anybody to exchange value with anybody else online. 
It's meant to be easy and efficient and independent. Cryptocurrency is really a critical tool in creating a more user-focused and user-oriented internet. It's basically internet money. And the fact that cryptocurrencies aren't tied to any particular government might make some criminals think it's a good option for ransomware payments, but Warren has news for them. Because it's actually more traceable than cash. Many forms of crypto, the whole point is there's a record of a transaction. I wouldn't say that it's a brilliant criminal move to engage in crypto and to ask for it with ransomware. But I think it's actually easier for internet criminals to do that and that's part of the reason I think that they do it. On the one hand, cryptocurrency accounts can be set up anonymously and law enforcement can't just freeze these accounts. But as Warren says, every transaction is recorded in a public ledger, a blockchain. The whole point of crypto is that it is traceable. What that means is cryptography may be back on the side of the good guys. When asymmetric cryptography made online commerce possible, criminals learned how to use the same tech for ransomware attacks. But now if they're trying to collect their ransom via cryptocurrency thinking it keeps them anonymous, no such luck. I remember the movie Goodfellas. And then when they were like, okay, don't spend, don't go buy jewels for your wives and cars and whatever, right? Because like don't be an idiot with this money. I mean, people are kind of, they're sometimes really stupid. And so they make a ton and then they start doing all kinds of consumer activity that's really unusual. And like, again, it's not that hard to figure out who some of these people are and what they're doing. It's the moment when you try to cash out that people get busted. Remember Dr. Popp and his AIDS ransomware? It was the PO box where ransom payments were sent that allowed authorities to track him down. It's all about following the money. 
Today, criminals make the same mistake when they ask for crypto ransoms and then try to turn that crypto into traditional cash. That's when the anonymous cloak drops away and people get caught. And yet a lot of people engaged in ransomware attacks keep using crypto for their payments. So if you're a person that's capable of creating ransomware, you are pretty sophisticated probably in internet currency and digital money as well. That's your area of expertise. You're maybe not as skilled at negotiating a drop of a bag of cash in some place. That may not be your area of expertise. I'm speculating here. Right? But, I would imagine that you're like, well, this I know how to do and I could bounce the thing 15 different ways and IP addresses and whatever. Whereas am I really that person who's going to, like I don't know, hoverboard over past this drop and grab this thing and skate off into the sunset? Right. Online criminals don't want to venture into the offline world. And the security, the traceability of cryptocurrency then becomes the Achilles heel of ransomware attacks. That said, you can't track these people down by simply looking them up. It takes money and effort. They're looking at the record that you can view of when wallet transfers to wallet. They know which wallet gets the value. What they're trying to figure out is where is that wallet and who owns that wallet. The crime is global and the law enforcement effort is global as well. It isn't just law enforcement that's working to beat ransomware attackers, though. There's a lot of support from the developer community. Like how can we put in safeguards? There's support from the exchanges. They don't want criminals using their exchanges to launder this crypto. So there's a tremendous amount of support from the private sector and crypto industry to assist with these activities, 100%. There's no question. Time and time again, we learn that the tech itself isn't good or evil. 
It's all about how it's used, how it gets governed and how many command line heroes are willing to use that tech to keep us safe. Today, ransomware attacks are growing more common. They threaten every industry. Files get locked, hundreds of gigabytes of client records get taken, ransomers demand millions in cryptocurrency or cash. It's become a profound example of the ways a supposedly defensive technology, encryption, can also be used offensively, and it reminds us that both sides have access to the same tools. So if we are in danger of getting locked up, we need to be prepared with a key of our own. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. Next time on Command Line Heroes, we're telling the totally wild story of a man who invented a brand new intrusion detection system to catch a crook. You won't believe what he got up to. It's the tale of Clifford Stoll. Until then, keep on coding.
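Why the 1989 disc could be defeated while the asymmetric schemes Yung describes cannot, as an added Python illustration that is not from the episode or the actual malware: a fixed substitution table leaves the whole key inside the attacker's own code and on every victim's disk, so a few names the analyst already knows are enough to rebuild the inverse table and free everyone, whereas a public-key scheme leaves no decryption key on the machine at all. The table, seed and filenames below are constructed for the example; the real 1989 mapping was different.

```python
import random
import string

# Symbols the toy cipher operates on (constructed alphabet).
ALPHABET = string.ascii_uppercase + string.digits + "."


def make_substitution_key(seed):
    """Fixed monoalphabetic table baked into the 'malware' (constructed).

    The same table ships on every copy, so recovering it once frees every victim.
    """
    symbols = list(ALPHABET)
    random.Random(seed).shuffle(symbols)
    return dict(zip(ALPHABET, symbols))


def substitute(text, table):
    """Apply the table symbol by symbol; unknown characters pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def recover_table(known_pairs):
    """Rebuild the inverse table from (plaintext, ciphertext) pairs the analyst
    already knows, e.g. standard filenames present on every machine."""
    inverse = {}
    for plain, cipher in known_pairs:
        if len(plain) != len(cipher):
            raise ValueError("a substitution cipher preserves length")
        for p, c in zip(plain, cipher):
            # The same cipher symbol must always map back to the same plaintext.
            if inverse.setdefault(c, p) != p:
                raise ValueError(f"inconsistent mapping for {c!r}")
    return inverse


def decrypt_with_partial(cipher, inverse):
    """Decrypt what the recovered table covers; '?' marks symbols still unknown."""
    return "".join(inverse.get(ch, "?") for ch in cipher)


def demo(target="AIDS.DAT"):
    """Recover the attacker's table from known DOS filenames, then decrypt target."""
    key = make_substitution_key(1989)          # constructed seed
    known = ["COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS"]
    pairs = [(name, substitute(name, key)) for name in known]
    inverse = recover_table(pairs)
    return decrypt_with_partial(substitute(target, key), inverse)


if __name__ == "__main__":
    print(demo("AIDS.DAT"))    # fully recovered from the known names
    print(demo("REPORT.TXT"))  # letters never seen in known names stay '?'
```

Every symbol that appears in a known filename is recovered, and the result does not depend on which permutation the attacker chose.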

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.