Season 1: Episode 3
Stay safe online! Here’s more on how to not be a ransomware victim.
And, if you’d like to learn a bit more about the PATCH Act mentioned in our episode, go here.
Speaker 1: Hello, you need to make the bitcoin payment to unlock your files. Do you know how to purchase bitcoin?
Speaker 2: Hi. No, I do not. What happened to my files? How much do I have to pay?
Veronica: What you’re hearing is part of an online chat one of my guests actually had with a ransomware criminal.
Speaker 1: Your files are encrypted. Go and purchase 125 US dollars worth of bitcoin. Send them to the address below and we will send you the decryption password and go on the chat if you need and help you.
Veronica: Do you know what ransomware is? It’s when you turn on your computer and an image says something like, “Surprise! Your files are encrypted. Send us money.”
Speaker 2: This must be some kind of mistake.
Speaker 1: You downloaded a virus, so now you have to pay to get your files back. The ransom doubles after 24 hours.
Veronica: Well, when that happens, people freak out and they need help. And these crooks, they’re more than happy to get you sorted.
Speaker 1: Since you don’t understand what a ransom virus is, we will keep it at $125 for today.
Speaker 2: Well, that is kind of you, but it’s not right. Maybe you should get into some other business, something where you can feel good about what you do?
Speaker 1: Email us when you send the payment.
Speaker 9: Aw, didn’t that ransomware fella sound nice and helpful, if you forget about how he wants to rob and sabotage you. Have you been hacked yet or know someone who has? My friend Matt had his entire digital life stolen and destroyed in less than an hour. They changed all his passwords, took over his accounts, wiped his computers. All of his daughter’s photos were gone. He was devastated and angry with himself for being so easy to hack. Today, a look at our internet insecurity and the heroes fighting to keep us safe. I’m Veronica Belmont and this is IRL, an original podcast from Mozilla, because online life is real life. A few years ago, Alina Simone’s mom was a victim of ransomware. She popped open her computer and a note popped up on her screen.
Alina: Basically, it said, you know, “Hello, I am a ransom note and I’ve captured all of your files and they will be deleted if we don’t receive $500 in bitcoin within a week, we’re gonna delete them all and you can never get them back.” They allowed her to open one test file, you know what I mean?
Veronica: It’s like sending the finger … It’s like sending the finger in the mail.
Veronica: So this sent Alina off on a wild adventure. Suddenly she was racing, racing to find a way to buy bitcoin, racing to transfer it to the bad guys, all on the final day of the ransom deadline, down to the very last seconds on a holiday weekend.
Alina: Yeah, I think the word bitcoin is where my mom started weeping.
Veronica: If someone told me to give them $500 in bitcoin … I’m pretty tech savvy. I think I would still be like, “The what now? How do I do that?” Okay, but you did finally get the money to them, only it was after the deadline, so what happened then?
Alina: At first, they just doubled my mom’s ransom, and they said, “Now you owe us $1,000 if you want your data back.” It was also the week of Thanksgiving, and there was a major snowstorm in Massachusetts that week. She explained and just gave them the whole sob story and then an hour later or whatever it was, she had her data back. They just gave it all back.
Veronica: What a brutal week. Alina and her mom were left utterly shaken by the experience, as if the ransomers had actually broken into their homes and held them hostage. Just like in real life, ransomware victims experience feelings of fury, shame, embarrassment and self-loathing for something that happened to them online. I think for me, the weirdest part about this whole ransomware situation is that these hackers have stellar customer service. I mean, it’s like five-star Yelp reviews for hackers, and they’re incentivized to do that because they want you to have an easy time paying them money for the data that they’ve already stolen. So I really wanted to know what is that customer journey like? Well, security company F-Secure out in Helsinki wanted to find out, too, so their cybersecurity content editor, Melissa Michael, connected with various ransomware chat rooms to see who offered the most user-friendly, customer-focused help to her ransomware problem.
Speaker 1: Do you know how to purchase bitcoin?
Veronica: You heard some of what that was like at the start of the episode.
Melissa: My colleagues in our labs had been noticing that over the years, ransomware had become a lot more sophisticated. There’s things like FAQ pages and some of these families support several languages. There is customer support forms that you can go in and contact the criminals that way and get a response.
Veronica: So you said families just now, do you mean like crime families? Is that how you refer to them?
Melissa: Well, ransomware family is like, say, CryptoLocker or Jigsaw or Cerber or Cerber, I’m not sure how it’s actually pronounced, but I’m talking about the general family of the ransomware itself.
Veronica: And so what was your plan, what did you hope to get out of this?
Melissa: I was hoping for some interesting interactions with the guys behind it and just kind of wanting to see how they helped me through the process, and what they would settle for in terms of payment, just kind of how flexible would they be?
Veronica: So as this ransomware mystery shopper that you were pretending to be, what kind of criteria of customer service were you specifically looking for?
Melissa: The thing behind the study was that we were sort of in a tongue-in-cheek way, evaluating the best customer journey, or as we put it also, the least loathsome customer journey. I think we chose the Cerber family for the best product, because they just had the most professional website you could go to and there was like a countdown clock telling you how much time you had until you had to make the payment and there was a really nice, professional support form where you just type in and then the agent would type back to you very quickly and respond very quickly. So that one we awarded for the best product.
Veronica: It’s so ridiculous to hear something like the best product from these ransomware families. Like, if you’re gonna be ransomwared, hopefully it’s gonna be by these guys, because they’ll take care of you.
Melissa: Yeah, exactly. But then the best service one was the worst in the product area. It had the worst interface and it was like the photo of a nude woman on the screen, but actually the customer service agent behind it was actually the best, in my opinion.
Veronica: And what was the weirdest thing that you experienced?
Melissa: Well, I would say the very weirdest thing was when he said, “I don’t even know how you got this ransomware because we don’t target consumers, we target businesses,” and he said-
Speaker 1: We are hired by corporations to cyber-disrupt day-to-day business of their competition. Ransom is low because you were affected by a minimal virus, the purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first. Corporate hacks happen all day, every day. Please try and take care of it soon.
Melissa: That really shocked me, and I was like, “Wow. Oh my goodness, I’ve never heard of anything like this happening,” so that was a big surprise.
Veronica: My jaw literally dropped when you said that. I’ve heard of stuff like that happening. And how has this adventure made you kind of reconsider what ransomware is and why it’s seemingly so much more common these days?
Melissa: Well, of course, I think it’s a lot more common because it’s very easy. It’s easy for the criminals to just let their malware lock people’s computers up and then sit back and wait for the payment to come in.
Veronica: By the way, Melissa gives the award for best ransomware customer experience to Jigsaw, so congrats, Jigsaw, you can put that on your hacker resume or whatever. Also, that bit where the ransomware agent said they were hired by a corporation to sabotage its competitors, pretty crazy if true, but, to date, it’s something no one seems to have been able to prove. That might just be misdirection, but we know this: ransomware gangs made off with one billion dollars in ransoms last year.
Speaker 6: WannaCry.
Speaker 7: Experts are calling the WannaCry virus the largest cyberattack in history.
Speaker 8: One of the worst and most widespread pieces of malware they’ve ever seen.
Speaker 9: The massive hack brought business to a screeching halt for companies all around the world late Friday.
Veronica: WannaCry, simultaneously the worst ransomware attack ever and the one with the best name. In May of this year, this cyberattack paralyzed over 230,000 computers in 150 countries. It raced around the world, encrypting people’s data and demanding ransom payments in bitcoin. It hit FedEx computers, took out a French car manufacturer, Spain’s largest telecom, and it really hurt the UK’s National Health Service. It was all set to blow until someone pulled the plug. That was Marcus Hutchins. He’s a 22-year-old self-taught British IT expert. He stumbled across a solution basically by accident. Looking at the code, he noticed the ransomware was trying to connect to a website, but the website wasn’t registered, so Marcus bought it. And when he did, he found a kill switch inside the software and he wasn’t even at work when this happened.
Marcus: I was on vacation, chilling around the house, when I saw all the reports of infections coming in at the same time. I was immediately aware it was quite a big thing going on.
Veronica: So your workaround for WannaCry, is that server under constant attack now? Is that true?
Veronica: So what’s that like?
Marcus: At first, it was pretty scary, we were actually having to handle the attacks ourselves.
Veronica: Your career tracking malware, what drives you to do that?
Marcus: I just find it interesting, you can sort of get an insight into people’s operations and see sort of what they’re thinking, all the cool ideas they’ve had. I just kind of … I’ve always been interested in malware, so tracking it was kinda the next step up.
Veronica: Do you feel a personal responsibility of any kind to stop these things?
Marcus: I’d feel pretty terrible if I saw something that big going on and then didn’t stop it, so I’m not gonna be some sort of a security Batman who’s going around fighting botnets, but if there is an opportunity to stop it, I will do it.
Veronica: No, I absolutely want you to be security Batman. There’s a theory out there that WannaCry was North Korean-sponsored, so essentially, you could have stopped a state attack.
Marcus: Well, yeah. If that theory is correct, then yes.
Veronica: Here’s a bit of crazy. So the United States NSA, the National Security Agency, they’re the ones who say the WannaCry attack links back to North Korea, but the code itself that the virus is based on, that code is linked back to the NSA. So here’s what happened. A gang of hackers called The Shadow Brokers leaked copies of NSA exploit tools on the web, and some of that code built WannaCry. And yet all of it, the whole evil henchmen plan, foiled by one young guy at home on vacation. It’s a sweet victory for the good guys, but really? That’s what’s keeping our network secure? Good timing and some lucky guesses? Feels like it’s just a matter of time before people like Marcus won’t be there to help. For those of you keeping score at home, malware attacks have continued since WannaCry made headlines. In late June, a virus dubbed NotPetya froze computers in the Ukraine and in a handful of other countries. It crippled pharmaceutical companies, the Kiev subway, banks, an airport, even equipment used to detect radiation in Chernobyl. This malware was also linked to the NSA exploits I mentioned earlier and, unlike WannaCry, it has no kill switch. Experts say it’s much better designed. The malware even hit us here at IRL. Even as he was typing the words ransomware into the script, our writer Ken’s computer locked up and displayed the ransom note. Ken has a day job, and his parent company in London was under cyberattack. So you’ll forgive me if we take this one a little personally. This is IRL, an original podcast from Mozilla, because online life is real life. I’m Veronica Belmont. Hackers. They take our money, they take our files, they break our computers, and they make us feel like we’re just one bad virus away from seeing it all come crashing down. Cal Leeming used to be a really bad guy. Well, technically, really bad kid. He started hacking at age eight. Eight! What were you doing at eight years old? I was in my backyard playing Teenage Mutant Ninja Turtles.
Cal was the UK’s youngest hacker. At age 12, he got caught using stolen credit card numbers from the web to buy stuff from grocery stores. Police kicked down his door, arrested him, and he was charged with computer misuse and fraud. By the time he was 19, he’d been to jail twice. The second time, he got caught stealing thousands of credit card numbers from his victims to buy laptops and cameras that he sold on eBay. Like I said, really bad guy. Now, he’s 29 and he remembers how it all started: with one credit card stolen from grandma.
Cal: I just used it to sign up for AOL.
Cal: Yeah, because you had to have a credit card back then and that after that, I started looking at chat rooms, started just exploring what this thing called the internet was.
Veronica: Did it feel like you were kind of invincible and faceless in this online world versus being in the real world where there’s obvious consequences? Was that part of the allure?
Cal: Yeah, I didn’t really understand the concept of ethics when I was younger and plus my motivations for getting involved in hacking were twofold. On the one hand, I was deeply curious about how technology worked and how to make it do all these cool, crazy things and building my own computers and all sorts of crazy stuff, and then on the other side, we also were from a very poor background, so I was able to use those talents to get money. Yeah, I just couldn’t, at the time, get my head around why everyone was treating it like such a big deal.
Veronica: Cal, walk me through when you were first caught.
Cal: Oh, yeah, that was a traumatic day, just after my 12th birthday. The door got kicked in and then 20 or so black boots came storming in the house and, at the time, there were these boxes everywhere of all these items I’d ordered from the internet. There was printouts all over the place, I mean, it was just a trove of evidence and that was kind of testament to my naivety. The police led me downstairs and my mum, at the time, had tried to protect me. They said, “So why have all these boxes in this house? Whose are they?”, and of course they weren’t talking to me, they were talking to my mum. And my mum said, no, it was her, it was all her, she had been doing crime on the internet and after about five minutes, I broke down in tears and admitted to the whole thing and said, “No, it wasn’t my mum, it was me.” I got locked up for … I think I was in the cell for about 12 hours and then, of course, I came back after being released from the police station along with my mum, ‘cause she was arrested as well, and we got back to this very empty house because they had taken everything. It was very bad and that was … I think was about four days before Christmas, something like that, so it was … Yeah, that was not the best year for me, or for my family.
Veronica: So now you’re a security consultant, you’ve gone legit. How has hacking changed since you were a kid?
Cal: I would say it’s been deskilled to the point that you don’t really have to even understand technology. All you have to do to go and start hacking is go onto a forum, start buying these pieces of pre-made crimeware kits and from that you can then go and hack wherever you want, and that is a very different world than what it used to be. It used to be that you had … You used to have to at least know something. Me and others were very much script kiddies back then, don’t get me wrong, we were still script kiddies, but at least we knew something, whereas now-
Veronica: I kind of feel like you’re throwing down a little bit. I kinda feel like you’re saying, “Back in my day.”
Cal: Oh, always. Always. And you’ll hear that from any good computer engineer, saying, “No, back in my day, we were real people. We had to work for our money.”
Veronica: I had to hack 10 miles uphill in the snow, kids.
Cal: Exactly, exactly. And, you know what, it will be the exact same thing another 10 years, another 20 years from now. I’m scared to almost say it, but I don’t see hacking becoming any harder, at least not in the short term. The way that the industry is going, the way that systems are being built, and the way that we’re teaching the next generation, we’re creating more problems faster than we can solve them on the security aspect, so it’s probably going to get worse before it gets better.
Veronica: All told, Cal’s hacking exploits hurt a lot of people. 10,000 stolen identities, 12,000 credit cards, and people with low incomes, too. Students, seniors, Cal stole from them all. Cal learned the hard way, but he’s one of the good guys now. His cybersecurity company is called Lyons Leeming. So, good people like Cal and Marcus are busy keeping bad people out of our computers, but these next two fellas are doing the opposite. They are trying to either break into our computers or just destroy them altogether. First, there’s Ryan Manship. He runs Red Team Security, and he might have one of the most fun jobs anywhere. Companies hire Ryan to try and hack into their networks to test their security. They basically tell him, “I dare you. Do your worst.” and the methods Ryan uses to break into companies are surprisingly old school.
Ryan: We start by doing reconnaissance. We go to a place and we just look at … What are we gonna see? What does it look like? What’s the neighborhood look like? Do I have to worry about random people showing up? We take all that information and we bring it home and we start coming up with a plan.
Veronica: So essentially they tell you what they want you to find, and then you go through the steps of trying to break into that, whether it’s their network or something they’re trying to keep secure.
Ryan: At one place, our objective was to get inside to their server room and actually remove a large piece of equipment, so we had brought this little cart with us, and we talked our way into the server room, had this piece of equipment out and on the cart and then some other manager showed up and decided that we shouldn’t be allowed to leave with it until they can talk to somebody else and figure it out. That’s one example of we were literally minutes away from just walking out with this piece of equipment, completely under false pretenses.
Veronica: So you’ve done this a lot, I would imagine. What are some things that you see companies doing wrong over and over again when it comes to security?
Ryan: Oftentimes the folks that are in charge of the technical side, the IT stuff, the networks, the applications, all that, are not the same people that are in charge of the physical security, cameras, whatever, motion sensors, locks on doors, that kind of thing. There seems to be this disconnect between physical security and what you might call cybersecurity and so, as a result, maybe they’ve got the best firewall solution or whatever, technical solution in the world, but if they don’t do a very good job of locking or closing their doors, I might be able to stroll right in, plug into their network and achieve the same thing that someone might be able to do remotely. Likewise, maybe they have the best physical security on the planet, armed guards, towers, lights, like you could imagine, but they’re wide open to the internet.
Veronica: So that’s Ryan of Red Team Security. And then there’s Samy Kamkar.
Samy: Hi, I’m Samy.
Veronica: Samy is what we’d call an ethical hacker.
Samy: Yeah, pretty much.
Veronica: He has a very popular YouTube channel called Applied Hacking. He shows people how to hack things like electronic car keys or break into a locked computer. He does this in the hopes that the people who make the tech learn to adapt, update or rethink their product.
Samy: I think a huge problem is that an attacker really has the easy job, because as an attacker, you only need to find one way in. Someone designing that security around that system has to solve everything, if they want to actually make a foolproof system, so I feel bad for them, especially because if you’re building a product that delivers some other component or feature, it’s hard to measure what you get out of spending more time on security because up front it just looks like you’re losing time and money.
Veronica: Samy appreciates that companies struggle balancing security with the need to deliver a product, but he’s not letting them off that easy.
Samy: My point is the technology should just require people to do certain things. So, for example, if you don’t like bad passwords, then the technology shouldn’t allow bad passwords in the first place. I don’t think the user should have the choice in that security. Users are gonna try the easiest thing they can, including me, to accomplish what they want, and if you make the easiest thing secure, then that’s awesome. The only people who need to learn are the people building the technology. I think they should be taught to just implement security more effectively.
Veronica: Let’s face it, when it comes to internet security, humans are the weakest link. Humans are predictable, we’re too nice. We’re also pretty friggin’ lazy, so we’re easily fooled. But we can do better. You know you can do better. You can fight ransomware by keeping your software updated. WannaCry targeted vulnerabilities in Windows 7, so if that’s you, it’s time to update. Also, keep backups of everything. Use an external drive or use the cloud or be like me, and use both, so if you do get hit, you can tell them where they can stick that ransom demand. So before you buy, invest a little time. Find out if the company making that web gizmo you want thinks about security the same way you do. As always, find more tips and resources on how to secure your internet and your digital things by checking out this episode’s show notes at irlpodcast.org. One more thing before I let you go. Remember that bit about how the WannaCry and NotPetya attacks were built from security exploits leaked from the NSA? At the moment, the NSA has no obligation to tell us about vulnerabilities they might discover in software. Not everyone thinks that’s cool. So a new bipartisan bill has been introduced in the United States Congress. It’s called the Protecting Our Ability to Counter Hacking Act or PATCH Act. The PATCH Act would require federal guidelines on when the NSA and other security agencies have to alert the general public about software vulnerabilities. Mozilla helped craft the bill and if you think it’s a good idea, let your Congressperson know that you do. IRL is an original podcast for Mozilla. Next time, ever want to have your online troll eat their own words? Well, that’s exactly what we’re going to do. I’m Veronica Belmont. See you online until we catch up again, IRL.
Easter Egg: Well, that’s exactly what we’re going to do. I’m Veronica Belmont.