RANSOMWARE TRANSCRIPT

Tuesday 5/28 - RANSOMWARE

 [THEME]

SEAN RAMESWARAM (Host): You know how the United States is in desperate need of infrastructure work? It’s got some serious work with its digital infrastructure, too.

        SCORING - SOMETHING IS IN THE BOX

SEAN: Just look at Baltimore.

<CLIP> NBC: Tonight it's a huge headache to complete a home sale in Baltimore. The city's computer system that looks for property liens or debts to check for a clear title is locked up.

SEAN: For the last three weeks, city employees in Baltimore haven’t been able to get into their email accounts. Residents haven’t been able to pay water and electric bills. Home sales have been significantly delayed. And it’s all because of some hackers.

MINI-SCORING BUMP

<CLIP> NBC: Hackers demanded 13 bitcoins, worth about one hundred thousand dollars, for the code to unlock the system.

SEAN: But Baltimore’s city council president says the city won’t pay the ransom.

<CLIP> BRANDON SCOTT: People who pay ransoms they can leave something in the system and come back and shut you down again. And I just had to take the advice of the law enforcement and the professionals.

SEAN: The situation in Baltimore isn’t a one-off.

SEAN: This is something that’s been happening for a while now, all over the country. All over the world. This is ransomware.

        SCORING OUT

RENEE: Ransomware is a type of malicious software. When it enters your computer your files are encrypted.

SEAN: Renee Dudley is a senior reporter at ProPublica.

RENEE DUDLEY (Reporter): A ransom note pops up on your screen and you need to pay a ransom generally speaking to get those files back.

SEAN: How often is stuff like this happening?

RENEE: Actual statistics are hard to come by, but there are estimates posted by the Department of Homeland Security that estimate about one point five million attacks occur annually. The FBI does collect statistics on reports of ransomware, but even the FBI itself admits that this is far below what's actually happening. So for example, in 2018 there were only something like 1,400 victims who reported ransomware incidents to the FBI. That is so far below what's actually happening. I have a Google search set up for ransomware, and every day you see new attacks, but these victims don't necessarily report that to law enforcement. And there are a few reasons for that. One of them is that they may be reluctant to disclose to law enforcement that they've been hit because they don't want people to know about potential vulnerabilities or gaps in their I.T. security, or they may be embarrassed. And another reason, of course, is they may have the perception that law enforcement may not be able to help them, and there's a few reasons for that. One is that they are mostly overseas and, in some cases, in countries that are hostile to the U.S. that don't have extradition treaties. So even if federal law enforcement would go after them, they wouldn't necessarily be returned to the U.S. Another reason, of course, is that the criminals typically request payment in Bitcoin, you know, the digital online currency, and that's notoriously hard to trace.

SEAN: So if this is so common, I assume it’s not just happening to cities like Baltimore? Is this something that’s happening to regular people, too?

RENEE: Anybody who's connected to the Internet is potentially vulnerable to ransomware: home users, big companies, municipalities, even local law enforcement. Anybody can be a victim of ransomware. But what we're seeing is increasingly businesses and municipalities and law enforcement agencies are being hit more so than your typical home user, because those are organizations that would suffer disruption to day-to-day activities when they're subject to a ransomware incident, and you may be more willing to quickly pay the ransom. And also you may have deeper pockets.

SEAN: What kind of deep pockets are we talking about? What’s the average ransomware request like?

RENEE: According to cyber research firms the average ransom ask is in the several thousands of dollars range. But, as you can see from the recent news, demands to companies and municipalities have stretched into the six figure range.

SEAN: How do they get in exactly to, you know, hack our data?

RENEE: One way is that they will send out blanket spam email attachments and hope somebody clicks on an attachment that they're not supposed to. Another way is through brute force tools. You'll see oftentimes small businesses are attacked and those are organizations that may outsource their I.T. to a remote professional who uses remote desktop protocol to get onto their computer networks. And those are filled with vulnerabilities like weak passwords and unpatched software.

SEAN: So it’s all the people who made their password like password123.

RENEE: Potentially, and the security vulnerabilities are an issue here as well. People who fail to upgrade to the latest software, people who haven't patched the vulnerabilities that are known to exist, and hackers will get through those vulnerabilities.

SEAN: So before this situation in Baltimore what were some of the biggest instances of ransomware attacks?

RENEE: Well one of the most famous ones is this SamSam attack that raged from 2015 to 2018. And this was a big deal around this time last year when the city of Atlanta was attacked.

SCORING - BASS OFF

RENEE: Atlanta suffered far ranging consequences from the attack.

<CLIP> FOX 5 NEWS: A cyber attack brought city services there to a virtual standstill.

RENEE: Court proceedings were slowed down. The city couldn't process court payments. Online billing systems went down. People actually faced things like delayed and canceled doctor's appointments and delayed medical treatments.

<CLIP> FOX 5 NEWS: It was one of the most crippling cyber attacks ever unleashed in the United States wreaking havoc across a swath of American companies and major city agencies for nearly three years.

RENEE: Other victims of the SamSam attacks included the city of Newark, the Port of San Diego, and the Colorado Department of Transportation, which called in the National Guard. Across the country, people's lives were disrupted because of the SamSam strain.

        SCORING BUMP

SEAN: Were any of the people behind SamSam ever caught?

RENEE: They were never caught, but they were indicted. In November of 2018, the U.S. Justice Department indicted two Iranian men accused of operating and distributing SamSam ransomware.

<CLIP> FORMER DEPUTY ATTORNEY GENERAL ROD ROSENSTEIN: The conspirators collected more than six million dollars in extortion payments and caused more than 30 million dollars in losses.

RENEE: But they have not been returned to the U.S. They've remained fugitives.

        SCORING BUMP

SEAN: How about all the people and companies that SamSam affected or who were targeted in this attack? Did they get their files back?

RENEE: It's unclear what exactly happened with all of them. The Justice Department declined to answer questions about specific victims, but in general ransomware victims can only get their data back by paying the ransom.

SEAN: For a city like Baltimore, paying the ransom might be the only option, but it’s not as easy as it seems. Because there’s a whole industry of companies trying to take a cut. That’s in a minute.

      [MIDROLL]

SEAN: Renee, when people get attacked with ransomware, what is the process of getting their data back? Could you sort of walk us through it?

RENEE: Typically when you are hit with ransomware a ransom note will pop up on your computer screen and there will be instructions of how to pay.

SEAN: Like straight up pop up like interrupt whatever you're doing something will just pop up?

RENEE: Yup. And the two main ways that I've seen the instructions go down are: number one, there will be some email addresses on how to contact the hacker for further instruction, including the amount of bitcoin they want and how they would like it to be transacted. They'll send you a bitcoin wallet number to send it to and things like that. The other way is that some of them will set up sites on the dark web, and you'll have to download a dark web browser. You'll have to log on to their site, and there's typically a portal where they'll instruct you how much they want.

SEAN: And then if you do that everything goes back to normal and everything's great?

RENEE: It depends. If everything goes well, then you'll send the bitcoin and they'll send the decryptor and the key that you can use to decrypt your files. And from what I understand, sources told me that while sometimes hackers fail to live up to their end of the bargain, they usually don’t, because they need to have a reliable product, if you will, to stay in business. They need people to believe that they're going to get something if you pay them.

SEAN: So does everyone just pay the ransom then? Or is there another way? Law enforcement? Good hackers?

RENEE: You know some organizations find this particularly unpalatable. They don't want to deal with criminals. They don't want to use taxpayer money to pay ransom. And in some cases they've been allured by data recovery firms who've promised to recover their files using their own technology.

SEAN: What kind of firms are those? Is that like a whole business?

RENEE: Yeah. This is the industry that is at the center of our reporting. On one end of the spectrum there are firms that are completely transparent with their clients. They know that there's usually only one way to decrypt ransomware-stricken files, and that's to pay the hacker. Their business model is: we can help people who are uncomfortable dealing with hackers directly, people who don't know how to use bitcoin, and our service is to handle that for them. On the other side of the spectrum there are firms that claim to use their own, quote unquote, trade secrets and their own technology to decrypt ransomware. But as we found, they're just paying the ransom.

        SCORING - UNLOCKING


SEAN: What do you mean? They’re lying?

RENEE: The main issue is that clients believe that these firms are using their own technology to decrypt files without having to deal with hackers when, in reality, they are dealing with the hackers and adding a fee.

        MINI-SCORING BUMP

SEAN: So, these third party firms are just, like, charging you an extra fee to pay the hackers their ransom?

RENEE: Correct. One example is with the SamSam ransomware strain. Proven Data, one of the firms, had what became a mutually beneficial relationship with the SamSam attackers, to the point that the SamSam attackers actually started recommending that victims work with Proven Data. The SamSam attackers knew that Proven Data was a recovery firm and that their business model is to pay ransoms on behalf of clients. And they had a relationship in which, once a victim came in with SamSam ransomware, Proven Data could go to the portal where the SamSam hackers corresponded and say, we've got a client, we'd like you to suspend the timer for payment, because usually they had a timer of seven days or else your files would be permanently deleted. And the SamSam attackers would suspend the timer and allow the client whatever time they needed to get the payment to them.

        SCORING BUMP

RENEE: Now it raises some interesting legal questions because, you know, as one lawyer I talked to put it, the SamSam hackers are recommending that the client work with Proven Data because they know that Proven Data will pay the ransom in the manner that they prescribed. It raises the question of whether that relationship between Proven Data and the SamSam attackers is too close.

SEAN: Because they know Proven Data is like, a surefire way to get their ransom money quickly?

RENEE: Yes exactly. They know that Proven Data is a data recovery firm and that their business is to pay the ransom.

        SCORING OUT

SEAN: It's just so funny because I feel like most people's notion of data recovery is like, “I pay someone who knows the hard drives and computers better than I do to rescue my information.” And this is, “I pay you, like, a third party to like broker a cash transaction or a Bitcoin transaction.”

RENEE: Exactly. We looked at a case in Safford, Arizona, that was interesting, and because it's a public entity, of course, we were able to get the email correspondence between the city and Proven Data. So what had happened there was the city of Safford was hit by a strain of ransomware that was not decryptable at the time. Their files were down. It was affecting operations. They needed to get back on their feet. So they called Proven Data. Proven Data, according to the e-mails we have, said that they would be able to recover the data using their own technology. The city paid four thousand dollars and the data was recovered. Safford was a fairly satisfied client until they realized about a month later that not all of the files had been recovered. Their network administrator began to get a little suspicious because when he went back to Proven Data, Proven Data wanted to charge another four thousand dollars to decrypt the rest of the data. And he asked the question in an interview with me: if their algorithms could decrypt the first set of files, why wouldn't it work on the second set? So he began to believe that they might have just been working with the hackers and adding their own fee on top. And his hunch was correct. I spoke with two security researchers who are some of the foremost specialists in ransomware. And they said that the strain that affected the city of Safford at that time was not decryptable except by paying a hacker.

SEAN: So if cities are attacked and then these firms paid ransoms to these hackers does that mean that taxpayer money was used to, like, pay off a ransom?

RENEE: Theoretically, yes. The example of Safford highlights that. They unknowingly paid the hackers because, of course, they believed that Proven Data was using its own technology, but on the other side Proven Data was paying the ransom. And while Safford's costs were mostly covered by their insurer, at the end of it taxpayer dollars indeed were used to pay a ransom.

SEAN: Is it legal to pay a ransom using taxpayer money, or are normal people who get hacked allowed to be paying ransoms? I'm not really sure about the legality there.

RENEE: So there are no U.S. laws that prohibit the payment of ransom. Publicly, the FBI says ransom payment, quote, "encourages continued criminal activity, leads to other victimization and can be used to facilitate serious crimes." But in 2015 an FBI special agent in charge of the FBI's cyber program in Boston told people at a cybersecurity conference that the FBI will often advise people just to pay the ransom.

SEAN: If not illegal, is it a bad idea? Isn’t it just giving the hackers exactly what they want?

RENEE: Well, it is what keeps the ransomware hackers in business.

SEAN: So if the FBI is admitting that even they often pay ransoms, whose job is it to make these things go away? Individuals? Cities? Someone else?

RENEE: Well, it's an interesting question. Law enforcement hasn't been entirely effective. On the federal level, you have the FBI, and the issue with the FBI is it has limited resources and the average ransom is only a few thousand dollars. But at the local level, meanwhile, the issue of ransomware is too complex of an area for local law enforcement to do anything about. So as one attorney I talked to said, it's sort of a legal gray area where there's no great remedy for ransomware victims.

        SCORING - EDGE TO EDGE

RENEE: As long as people will pay ransoms, ransomware is profitable for the people who are deploying it.

SEAN: Renee Dudley is a senior reporter at ProPublica. She reported her story on ransomware with Jeff Kao. Baltimore still hasn’t solved its ransomware problem. And to add another wrinkle to the situation… reporting from the New York Times suggests the malware used to hack the city may have come from… the NSA.

        SCORING BUMP

SEAN: The NSA develops stuff like this as tools for the United States government. And this particular stuff leaked.

        MINI-SCORING BUMP

SEAN: Which is to say, taxpayer dollars may have funded a government agency to create malware that was then used by some hackers to hijack a city. And taxpayers may end up being the ones who have to fix it, too. I’m Sean Rameswaram. This is Today, Explained.