Overseas Weekly Selection | How to obtain blackmail software from the Internet to extort editors?

08:19, February 24, 2020 Sina Technology

Produced by: Sina Technology

Compiled by: Tours

In the public imagination, hackers are evil geniuses. With ransomware, however, you no longer need to be an expert to become one.

You may have heard that the Internet is paved with gold. The question, of course, is where to find it. Not everyone has the talent to found a tech unicorn, or to be an early employee of one in Stanford's orbit, or to train at home into a world-class Fortnite player. Some software engineering jobs pay very well, but not everyone gets those opportunities either.

But if you don't mind breaking the law -- or at least the laws of the United States -- your options expand considerably. You can steal credit card numbers, or simply buy them in bulk. You can hijack bank accounts and trick people into wiring you money. You can scam lonely hearts on dating sites. All of these schemes, however, require resources of one kind or another: a channel for selling the goods bought with stolen cards, a "money mule" willing to cash out the proceeds of fraud, or a smooth tongue and the patience to run a long con. Often you also need some programming skill. If you have none of these things, there is always ransomware.

Ransomware is malware that encrypts the data on a computer or server; the attacker then holds the decryption key as a bargaining chip and demands payment for it. In the United States over the past year, hackers have attacked the governments of Baltimore and New Orleans and many smaller municipalities, paralyzing city e-mail servers and databases, police reporting systems and even 911 dispatch systems. Hospitals depend on time-critical data, which makes them attractive targets too. Also vulnerable are companies that remotely manage IT infrastructure for small businesses and towns: hijacking one of these providers is an efficient way to attack all of its customers at once.

As attacks have multiplied, so have the number of victims and the size of the ransoms. Herb Stapleton, section chief of the FBI's Cyber Division, said: "At the beginning, ransomware was only aimed at individuals. Gradually, some small companies without effective Internet security protection have also become targets. Now, large companies and municipal governments are also hard to escape." In 2019 the Weather Channel, the French media group M6 and the shipping services company Pitney Bowes Inc. were all hit. Last summer, two small towns in Florida had to pay $1.1 million to unlock their data. According to the BBC, the European forensics company Eurofins Scientific paid a ransom to hackers, although the company did not confirm this. Travelex Ltd. would not say whether it paid millions of dollars in ransom, but as of this writing the foreign exchange company's website has still not been restored, a month after it was attacked.

To some extent, the rise of ransomware was predictable. Simple, scalable and low-risk, it has become the cleanest tool in cybercrime. Some of the most successful ransomware variants are believed to have originated in former Soviet countries, where technically gifted young people receive a good education but cannot find jobs to match it. The nature of the software itself, combined with these social factors, has created an industry that is the evil twin of the tech business.

Today, would-be attackers don't have to write their own ransomware; they can buy it. If they don't know how to use it, they can subscribe to a service that comes with customer support. In short, customer service will help them launch attacks. Software as a service (SaaS) is a huge global industry that includes Salesforce.com, the Slack office communication platform and Dropbox cloud storage. Search for "ransomware as a service" or "RaaS" on the dark web forums that double as black markets, and you will get plenty of results. "You can be the general public, just pay for a tool," said Christopher Elisan, director of intelligence at the cybersecurity company Flashpoint. "Then you can start the blackmail software business."

Imagine a writer with a good liberal arts education who knows little about iPhones or the Internet, and who often has to turn to the office tech support staff because he can't find the shared drive. In other words, me. When I started writing this article, I had no intention of trying ransomware myself. A few weeks in, though, I had a flash of inspiration. If someone like me could pull off a digital robbery, it would serve as a kind of Turing test for the hacker world: proof that cybercrime had advanced to the point where an ordinary person, aided by software, could no longer be distinguished from a genuine technician. As a journalist I have spent years reporting on people whose deeds were beyond my abilities. This time, I could finally do it myself.

Step 1: Spear phishing

At the end of 1989, medical researchers and computer enthusiasts around the world opened their mail, which in those days meant a physical mailbox, to find a 5.25-inch floppy disk. The disk held an interactive program that assessed a person's risk of contracting AIDS, which at the time was still an uncontrolled and deadly epidemic. In all, some 20000 floppy disks from "PC Cyborg Corporation" were mailed from London to addresses across Europe and Africa. But the disks also carried a virus in an additional file. Once loaded on a workstation, the virus hid the machine's files and encrypted their names. Then a large red box filled the screen, demanding a $189 "software lease fee". Users could complete payment by sending a bank draft, cashier's check or international money order to a post office box in Panama. This was the AIDS Trojan, later recognized as the world's first ransomware.
</gml_replace>
<gr_replace lines="30" cat="clarify" orig="Within a few weeks">
Within a few weeks, an American named Joseph Popp was stopped on his way home from an AIDS conference in Kenya. Popp was an evolutionary biologist who specialized in baboons. At Amsterdam's Schiphol Airport, his eccentric behavior drew the attention of security staff. According to a later report in the Cleveland Plain Dealer, Popp believed he had been drugged by someone from Interpol, so he wrote "Dr. Popp Has Been Poisoned" on a passerby's luggage bag and held it above his head. Authorities later found a "PC Cyborg Corporation" seal when they searched his own luggage. Popp was extradited from his home state of Ohio to London, but was ultimately found mentally unfit to stand trial: his behavior was bizarre, such as wearing curlers in his beard to ward off radiation. Back home in Ohio, he published a manifesto urging people to reproduce actively, and before his death in 2006 he began building a butterfly conservatory in Oneonta, New York.

Within a few weeks, an American named Joseph Popp was stopped on his way home after attending an AIDS conference in Kenya. Popp is an evolutionary biologist specializing in baboons. At Amsterdam Kip Airport, his eccentric behavior attracted the attention of airport security personnel. According to the later report published by the Cleveland Truth, Pope believed that he was drugged by someone from Interpol, so he wrote "Dr. Popp Has Been Poisoned" on the luggage bag of passers-by, and then held the bag above his head. Later, the authorities found a "PC Cyberorg Corporation" seal when searching his own luggage. Later, Pope was extradited to London from his home state of Ohio, but the final verdict was that his mental state was not suitable for trial: his behavior was bizarre, such as wearing curlers on his beard to prevent radiation; When he returned home to Ohio, he published his own declaration urging people to reproduce actively; Before his death in 2006, he began to build a butterfly shelter in Oneta, New York State.

While Popp's motives and his fitness for trial remain matters of debate, the effectiveness of his ransomware is rarely discussed, because most recipients never loaded the harmful files onto their computers. Of the few who did, only a very small number actually paid. For one thing, paying was a hassle: you had to go to the bank and then to the post office. For another, it was unnecessary. One of the victims was Eddy Willems, a Belgian computer systems analyst at a multinational insurance company. He said: "Although I am not a cryptologist, I can see through the trick of the Trojan horse at a glance. It took me about 10 to 15 minutes to recover all the files." Willems and other security researchers then used floppy disks of their own to quickly distribute a free AIDS Trojan decryption program.

The AIDS Trojan showed Popp's ingenuity (and possible mania); he hatched the scheme with nothing but the tools at hand. Selling stolen data to the highest bidder was nothing new, but as Mikko Hypponen, chief research officer of the Finnish cybersecurity company F-Secure, put it, Popp's innovation was recognizing that "in many cases, the original information owner is the highest bidder."

Fifteen years later, technology caught up with Popp's vision, this time in the form of the Internet. In 2005, security researchers began to notice ransomware they called "Gpcode". (In security taxonomy, the same name is customarily given to a family of malware and to the anonymous group behind it.) The technique is called "spear phishing". Later versions of Gpcode also used stronger encryption to hold file contents hostage. The only weakness of this ransomware was the payment step: ransoms were settled with prepaid credit cards or gift cards, which flow through highly regulated channels of the global financial system. Over time, with the help and prodding of law enforcement, payment processors learned to identify ransom payments more efficiently and did what they could to help victims recover their losses.

Bitcoin solved the payment problem for extortionists. By 2013, cryptocurrency had gone mainstream enough that one ransomware group decided to try something new; the variant they used was later named "CryptoLocker". Technically, Bitcoin is not untraceable, especially once it is converted into dollars, euros or another fiat currency. Even so, gathering the evidence is difficult and time-consuming, to say nothing of cryptocurrency mixers and other anonymizing tools that obscure a transaction's path through the public blockchain. And with no payment processor in the middle, law enforcement cannot force a transaction to be stopped. All of this makes Bitcoin an ideal choice for ransomware. The only hitch is that most people still don't know much about buying and selling cryptocurrency, so ransomware attackers commonly invite their victims to get in touch for help with the payment process.

CryptoLocker was a great success. Three Italian computer science researchers tracked 771 payments to Bitcoin wallets associated with the variant, totaling 1226 bitcoins (worth about $1.1 million at the time), and that is a conservative estimate. CryptoLocker's formula of phishing, strong encryption and Bitcoin remains the main template for ransomware today. But there are other kinds of attacks: some pose as law enforcement agencies and lock the user's device, claiming to have found illegal material on it. (Some even download child pornography onto the victim's computer beforehand to make the claim more convincing.) Some attackers lure victims to infected websites, where "exploit kits" implant malware on users' devices through browser vulnerabilities. And some attacks are not really ransomware at all. NotPetya, for example, which caused billions of dollars in damage worldwide in 2017, could not reverse its encryption by any means. It is therefore widely suspected of being a Russian cyberweapon whose purpose was neither to steal information nor to hold it for ransom, but simply to destroy data.
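The kind of payment tracking the Italian researchers did, reduced to its essentials, is shown below. This is an added illustration, not code from the article or from that study: it runs over a constructed toy ledger (not real blockchain data) in which each transaction moves value from one address to another, totals the payments into a set of known ransom wallets, finds the addresses where funds from several ransom wallets are consolidated (a common clustering heuristic), and follows the outflows hop by hop until they reach an address known to belong to an exchange. The address names and amounts are made up; a mixer would break the trail at the consolidation step, which is exactly why the text calls such tracing difficult.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real blockchain data). Real transactions have
# many inputs and outputs; one sender and one receiver keeps the traversal readable.
SAMPLE_TXS = [
    {"txid": "t1", "from": "victim_a", "to": "ransom_1", "btc": 2.0},
    {"txid": "t2", "from": "victim_b", "to": "ransom_1", "btc": 1.5},
    {"txid": "t3", "from": "victim_c", "to": "ransom_2", "btc": 0.5},
    {"txid": "t4", "from": "ransom_1", "to": "hop_x", "btc": 3.5},
    {"txid": "t5", "from": "ransom_2", "to": "hop_x", "btc": 0.5},
    {"txid": "t6", "from": "hop_x", "to": "exchange_deposit", "btc": 4.0},
    {"txid": "t7", "from": "unrelated", "to": "exchange_deposit", "btc": 9.0},
]
RANSOM_WALLETS = {"ransom_1", "ransom_2"}       # assumed known from ransom notes
KNOWN_EXCHANGE = {"exchange_deposit"}           # assumed known deposit address


def ransom_payments(txs, wallets):
    """Count and total the payments that landed in the known ransom wallets."""
    hits = [t for t in txs if t["to"] in wallets]
    return len(hits), sum(t["btc"] for t in hits)


def consolidation_points(txs, wallets):
    """Addresses that received funds from more than one ransom wallet.

    Several ransom wallets feeding one address suggests a single operator
    gathering proceeds before cashing out."""
    sources = defaultdict(set)
    for t in txs:
        if t["from"] in wallets:
            sources[t["to"]].add(t["from"])
    return {addr for addr, srcs in sources.items() if len(srcs) > 1}


def trace_to_cashout(txs, wallets, cashout, max_hops=5):
    """Breadth-first walk along outgoing transactions from the ransom wallets.

    Returns {cashout_address: path_of_addresses} for every cashout address
    reached within max_hops. The trail stops at the first unknown hop if an
    intermediary (e.g. a mixer) breaks the one-to-one flow."""
    outgoing = defaultdict(list)
    for t in txs:
        outgoing[t["from"]].append(t)
    queue = deque((w, [w]) for w in wallets)
    seen = set(wallets)
    reached = {}
    while queue:
        addr, path = queue.popleft()
        if addr in cashout:
            reached[addr] = path
            continue
        if len(path) > max_hops:
            continue
        for t in outgoing[addr]:
            if t["to"] not in seen:
                seen.add(t["to"])
                queue.append((t["to"], path + [t["to"]]))
    return reached


if __name__ == "__main__":
    print(ransom_payments(SAMPLE_TXS, RANSOM_WALLETS))
    print(consolidation_points(SAMPLE_TXS, RANSOM_WALLETS))
    print(trace_to_cashout(SAMPLE_TXS, RANSOM_WALLETS, KNOWN_EXCHANGE))
```

The path returned by `trace_to_cashout` is what an investigator would take to the exchange with a subpoena; the value of the method lies in the exchange's know-your-customer records at the end of the trail, not in the blockchain itself.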

The FBI's Stapleton said: "According to some of the more skilled online criminal gangs we found, ransomware is just another tool used to monetize their online activities." Ryan Olson, a vice president at the cybersecurity company Palo Alto Networks Inc., recalled one incident in which he helped a customer monitor computers that had been compromised. As Olson remembers it, the hackers first looked for credit card numbers. Then they searched for passwords or login credentials that could be used to take over the network. Olson said, "The last thing they did was install ransomware on their computers and encrypt all files."

Step 2: Infection

In October, when I started shopping around for ransomware, the whole community was still mourning GandCrab. Launched in early 2018, GandCrab was not the first RaaS, but its enormous success proved the commercial potential of the model. The cybersecurity company Bitdefender estimated that at one point half of all attempted ransomware attacks worldwide came from GandCrab. The GandCrab gang licensed its software to "affiliates", other hackers, gave them access to infected computers or e-mail address lists for phishing, and then took a cut of their proceeds. According to the computer security researcher Brian Krebs, the gang was also unusually diligent, staying a step ahead of antivirus developers and releasing five major software updates.

Then, on May 31, 2019, a post on the Russian forum Exploit.in abruptly announced that GandCrab was retiring on a high note. The author wrote that over the previous 15 months GandCrab's affiliates had earned a total of $2 billion, of which the developers had taken $150 million. Would-be affiliates kept asking one another, in amazement, where the "next GandCrab" would come from.

I won't reveal where I eventually found my RaaS. I doubt most readers of this article aspire to become ransomware entrepreneurs, but I don't want to give anyone ideas. Like most such sites, the place I found it was on the dark web, the part of the Internet that ordinary web browsers cannot reach.

The forum's logo was a green skull in DOS style. Although the posts were in English, they clearly weren't written by native speakers, and the tone was that of most forums for young men. Post something beginning "This may be a stupid question, but..." and someone will reply, "It really is a stupid question." Yet I was also surprised by the detailed answers, and the generous encouragement, that users offered anonymous strangers under all sorts of criminal-mischief topics. "The following is an excellent list of resources," began one post from October, "which contains the best books, websites containing practical targets of hacker attacks, free virtual network lists, and so on."

I wasn't the only rookie on the forum. "Looking for a simple and easy to use ransomware," read the title of a post from August 31. Another said: "I'm browsing resources to buy blackmail software or something like that. What specific content do I need to learn to use this software?" Some forum members sneered at these "fools" and "script kiddies"; others saw them as opportunities. In the hacker ecosystem, the script kiddie's natural predator is the "ripper", someone who sells fake goods or vanishes after taking the script kiddie's Bitcoin. Much of the discussion on the forum was about whether this or that seller of software or services could be trusted.

I was, without doubt, a rookie among rookies. I had nothing going for me but a keen awareness of my own ignorance and a narrow ambition. I worked out a plan with my editor, Max Chafkin: I would extort a single target, and that target would be Max. Naturally, Max had no wish to expose his real personal information or our employer's, since the company handles sensitive data from many wealthy financial institutions around the world. So we each bought a cheap laptop and made sure never to connect either one to our work network. Max stuffed his with documents: WikiLeaks files; a PDF of the Mueller report; random photos of cats, boats and monkeys; and "a bunch of Romanian academic papers", as he described them to me. He would then brace himself for the attack I was going to launch, with advance warning. Our plan wasn't exactly realistic, but what mattered was being safe enough that, with luck, neither of us would be fired.

Or arrested. Ransomware attacks are illegal in many states, and Maryland lawmakers recently proposed a bill that would make merely possessing ransomware a crime. Federal computer-fraud law applies as well; it was cited in the 2018 indictment of two Iranian hackers accused of attacking Atlanta, Newark and several large hospital systems. Prosecutions for ransomware have been rare so far, but unlike most other hackers, I am in the United States.

So far, however, the relevant laws seem to share one condition: the intent to attack an unwitting, non-complicit victim. Michigan's statute says: "Without the permission of others, no one can intentionally hold the blackmail software for the purpose of using the blackmail software." My victim, of course, was fully aware of the plan and was my accomplice; we were simply two consenting adults taking a risk on the Internet. (I also have an e-mail as proof, in case Max turns on me at a critical moment.) The Bloomberg lawyer we consulted basically agreed, though he also suggested that if I ended up doing business with any sanctioned entity, I should contact him promptly.

Step 3: Ransom payment

None of our plans could have been carried out without Joe Stewart. Stewart lives in Myrtle Beach, South Carolina, and runs his own blockchain development and security research company; since last year he has also worked with the cybersecurity company Armor. He was one of the first analysts to describe a hijacked network of computers used for criminal activity as a "botnet", and he wrote an early reverse-engineered decryptor, which victims of ordinary ransomware could use to recover their files for free. A few years ago he helped some of my colleagues track down a hacker.

Stewart is very quiet, and his face stays expressionless in conversation. It took me a while to realize that the blankness was concentration rather than gloom. Before telling him I planned to try ransomware myself, I had been talking with Armor and Stewart by phone for several months. He told me that once I made some progress, I could come to Myrtle Beach and deploy the software in his computer lab.

In the end, I went with the ransomware service I had found at the very beginning, a few minutes after logging into my first hacker forum. Even then, there were plenty of warning signs. The forum consensus was to stay on guard at all times. "This guy has been spreading spam for several days and pretending to be very powerful," complained one poster, "I don't think there is any explanation other than marketing." The programmer who wrote the software joined the thread himself, mocked the complainer for his ignorance of the programming language C#, and told him to "shut up". But the messages I sent to other sellers either went unanswered or drew replies that were obviously fake. And according to an advertisement I had seen, which may have expired (I even sent an inquiry), a popular ransomware service called Ranion cost $900 a year, while the one I had found was only $150. So I decided to try it. On the morning of October 23, I handed over 0.020135666 Bitcoins and sent a message through the encrypted e-mail service Protonmail to the address given on the payment page. Half an hour later came the reply: "Hello Sir, your account has been activated!!! Sorry to keep you waiting!"

What I could now access was a white page with a row of tabs and, below them, a black world map in Mercator projection. Clicking "Control Panel" brought up a blank table titled "Victims". Each row, I gathered, would automatically fill with the name of a victim and the corresponding decryption key once I had carried out some attacks. The second tab, "Create Tool", opened a new page for building "My Malware". I entered a Protonmail address for my victim to contact and indicated the operating system I intended to attack. (Most malware targets Microsoft Windows, but after talking with Stewart I had switched to Linux to reduce my own chances of getting attacked.) Then I clicked "Create", and a dialog box asked whether I wanted to download the file. After a moment's hesitation I clicked "OK", and a piece of malware landed on my computer. I flagged it clearly and e-mailed it to Stewart.

On the morning of November 11, I arrived in Myrtle Beach. By the time I met Stewart, he had already run the software I sent him on an isolated computer set aside for detonating and analyzing malware. Sophisticated variants often contain code that checks whether they are running in a "sandbox", such as Stewart's isolated machine, and lie low if so; or they are designed with a long dormancy period that outlasts most security researchers' observation. My malware had none of these tricks, which meant I hadn't been lucky enough to buy a top-shelf product. Stewart told me that underground gangs usually host their software with overseas providers that accept cryptocurrency and are unfriendly to law enforcement. My malware service, however, ran on Amazon Web Services! If a court issued a subpoena, the name on the Amazon account might lead law enforcement straight to my supplier.

The biggest obstacle, though, was the decryptor I had downloaded from the site. In principle, once the ransom was paid I would send the victim this file along with a string of letters serving as the key. But when Stewart and I tested it, the decryptor didn't work: the files in Stewart's sandbox stayed encrypted. In the short term this wouldn't hurt me, since by the time Max discovered the flaw the ransom would already be paid. But just as with traditional kidnapping, the business model of data extortion only works if victims have at least a glimmer of hope that they will get their data back after paying. Extortionists therefore go to some lengths to demonstrate their sincerity and reliability. Decrypting a few files for free as a proof of concept is standard practice in the industry. Some RaaS control panels avoid the word "victim" altogether: in a screenshot of the Ranion variant provided by Armor's analysts, the table is headed "Clients", not "Victims". Elisan of Flashpoint forwarded me an e-mail that a ransomware gang had sent to its victims, listing security measures they could take to avoid being hacked again.

Finding another way to decrypt the files was easy for Stewart. "I guess this author has never tested the code in a real environment," he said in an e-mail. But instead of sending Max a key to type or paste in, I would now have to send him a few lines of code and instructions on where to insert them. It was hardly professional, but I figured I could walk Max through it.

As the boxing champion Mike Tyson put it, everyone has a plan until they get punched in the mouth. On the morning of our appointment, sitting in Stewart's sealed-off computer lab, I logged into my special-purpose laptop, opened the anonymous Tor browser, found the hidden-service link to my beloved RaaS control panel, and clicked. But instead of the familiar Mercator map and its row of useful tabs, a cryptic message appeared: "We will close this website so that 'LAKE OF THE USERS' can be 'LAKE OF THE USERS'." My first thought was that "lake of the users" might be some programming term I didn't know, something to do with seeding. On reflection, I decided it was better to e-mail technical support.

"Hello, I saw that you closed the website," I wrote to the encrypted e-mail address, which, improbably, included the name of the comic-book antihero Johnny Blaze. "How can I continue to visit the website?" An hour later came the reply: "If you want to continue using this service, please purchase the professional version." As far as I could tell, the professional version would cost $500 on top of the $150 I had already paid. When I signed up two and a half weeks earlier, it had been only $300, though my supplier tried to explain that the latest professional version came with Android-compatible malware. After a whole morning of back-and-forth, I finally learned that my RaaS had stopped providing service entirely; its server and the website had both been shut down. But this, they said, was an opportunity: I could host the service myself. At Stewart's prompting, I asked how I could get my decryption keys now that the site was closed. Johnny Blaze apologized: they had forgotten to back up the database.

Was the whole thing a scam? Had I met a ripper? If so, why bother maintaining a real service and actually generating malware? My best guess was that my inexperienced supplier, whose product had failed, had decided to shut down the site in order to "attract" more gullible paying users. I could imagine that I was the only paying user they had.

But now the problem went beyond the decryption key. Ransomware without a server is almost useless. As Stewart patiently explained, before encrypting any file the program first generates its decryption key and sends it back to the RaaS server, after which I would be able to look the key up in the control panel. If the server doesn't answer, the program refuses to continue. Discouraged, I e-mailed Johnny Blaze to ask about a refund. The reply was concise: No.

Stewart said, "I think there should be other solutions." Sitting on the black leather sofa at the other end of the room, he stared blankly at the laptop in front of him. A few minutes later he sent me a snippet of code and instructions to forward to Max, who was now in New York in front of his Dell laptop, texting me to hurry up. Stewart's solution was to change a setting in Max's operating system so that when the malware tried to reach the now-nonexistent Amazon web server, the computer would instead be redirected to Stewart's server, which would acknowledge receipt of the key and let the encryption begin. In other words, my ransomware service provider was now Stewart.
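The redirection Stewart set up is a standard defensive technique known as sinkholing, and it has a mirror image: a defender wants to know when a machine's name resolution has been quietly overridden, whether by a researcher or by malware pointing a legitimate hostname somewhere else. The following audit is an added example, not code from the article; it assumes, which the text does not state, that the override was done through the operating system's hosts file (`/etc/hosts` on Linux, `C:\Windows\System32\drivers\etc\hosts` on Windows). It parses a constructed hosts file, treats loopback and unroutable targets as benign sinkholes, and flags any entry that points a remote hostname at a live address. The hostnames use the reserved `.invalid` suffix and are placeholders.

```python
import ipaddress

# Constructed sample hosts file (not from the article). The third entry models
# the kind of override described above: a remote hostname pointed at a lab
# machine instead of being resolved through DNS.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# constructed: send the vendor's dead server to a lab machine instead
10.0.0.5    c2.example-raas.invalid
0.0.0.0     ads.example.invalid   # blocklist-style sinkhole
"""

# Names that legitimately live in every hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a stricter audit could flag it too
        pairs.extend((ip, name) for name in names)
    return pairs


def classify(ip, name):
    """'local' for the standard loopback names, 'sinkhole' when a name is
    pointed at loopback or the unspecified address (nothing will answer),
    'redirect' when a remote name is pointed at a live, routable address."""
    addr = ipaddress.ip_address(ip)
    if name in LOCAL_NAMES:
        return "local"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"


def suspicious_overrides(text):
    """Entries that silently reroute a remote hostname to a live address.

    These are the ones worth alerting on: the host will connect to an
    address no DNS record ever returned."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if classify(ip, name) == "redirect"]


if __name__ == "__main__":
    for ip, name in suspicious_overrides(SAMPLE_HOSTS):
        print(f"redirect: {name} -> {ip}")
```

In practice the audit would read the real hosts file, compare it against a known-good baseline, and alert on any new "redirect" entry; a hosts-file change is also a useful artifact to preserve during incident response, since it records exactly which names the machine was prevented from resolving normally.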

With the groundwork in place, I launched my reverse-engineered, puppet-stringed ransomware. Soon Max received an e-mail from a trusted colleague: "Hi, Max, I'm sorry to bother you so late, but here is a very large document, my draft (attached). I look forward to your comments!" Max clicked on the "draft". His antivirus software flagged the attachment and warned him not to open it. (Our cleverly built computer virus, like a real one, hides its payload under layers of code.) Like a hero marching to his doom, Max opened the file anyway.

At first, nothing happened. After a few minutes we were impatiently texting each other about whether to try again. "Then, I took a look at something outside the screen," Max recalled. "In a flash, the news popped up." Ransomware designers generally favor a spare aesthetic, but ours had a taste for the dramatic. When Max looked back, his whole screen was filled with a smoke-shrouded image, a pale, grasping hand reaching out from the middle and a few words scrawled beside it: "Your file has been encrypted." The WikiLeaks files, the cat photos and the Romanian papers Max had downloaded would no longer open. (The Mueller report, mysteriously, was unaffected.)

Max sent me an e-mail full of dramatic accusations of betrayal; the anger came through the screen. I replied in a calm, professional tone, demanding $100 in ransom and attaching my Bitcoin wallet address. If I thought he was stalling, I could also set a deadline, after which either the ransom would rise or the decryption key would be destroyed. Once my cryptocurrency app showed the payment as processing, I sent Max the decryptor and the key Stewart had improvised. Max followed the instructions and watched his files return to normal one by one. He got his data back, and I got the money. (As agreed beforehand, I eventually returned it to Max.) But that grasping hand never went away!

In the end, it's hard to say that my ransomware and I really passed the Turing test. The singularity of cybercrime still seems a long way off. After returning from Myrtle Beach, I contacted a knowledgeable and helpful poster on the dark web forum. After laying out a series of ground rules and taking various steps to verify my identity, he (or she) agreed to an interview. "As for the type of malware, I have written and used all kinds of things you can think of: backdoors, remote access trojans (RATs), encryptors, droppers, data destruction tools, cross site request forgery attacks (CSRF), phishing pages, ransomware, etc." He was dismissive of most ransomware for sale. As he described it, the recent surge in ransomware attacks looked more like a bubble: "Many ransomware software projects are just a pile of garbage." Amateur programmers take code copied from the software development platform GitHub, tweak it slightly and pass it off as their own. "In the end, RaaS does allow more inexperienced people to access ransomware, but most successful hackers I know are still accustomed to using more private code."

Of course, a ransomware attack launched by an inexperienced group can still do enormous damage. And every big shot started out as a script kiddie. When I e-mailed my RaaS supplier to ask whether they would be interviewed for this article, they seemed pleased, but their answers were cryptic. "Our team is basically young people aged 18 to 26," Johnny Blaze replied. They also stressed repeatedly that the RaaS I had tried was an outdated product; the team now planned to launch a new one, said to be "much better" than the original.

Author: Drake Bennett

Original link: https://www.bloomberg.com/features/2020-dark-web-ransomware/
