Subtitles section Play video Print subtitles Ransomware is everywhere. It's happening to the biggest companies. The cyber weapon NotPetya started in Ukraine in June of 2017. It quickly spread, paralyzing major companies and causing more than $10 billion in damage. Government computers in 22 Texas towns are being held hostage by ransomware. But it's also happening at super low levels, where you have people ransoming individuals for small amounts of money. And the thing that was most interesting and the thing that sort of set us down this path is this thing called ransomware as a service. And as soon as you hear that phrase, I mean, I want to read about that. The idea that people could buy ransomware the same way they buy Salesforce software or anything else. And so then we decided to send Drake out into the dark web to procure some ransomware service. With a story like this, all the reasons not to do it are actually the reasons to do it. My name's Drake Bennett. I went on the dark web, I bought some malware and I used it to attack and extort my editor Max Chafkin. The original idea was just to do something about ransomware. The city of Baltimore was having this huge sort of battle with some hackers. Thousands of Baltimore city computers frozen by hackers demanding ransom. Baltimore's government computer systems recently faced a ransomware attack. Are you seeing these attacks become more sophisticated? The more I learned about this world, the more frustrated I got. It seems hard to know what you can trust here. There's a lot of anonymity. The more I thought about it, the more it seemed like it might make sense to try it myself. He wanted to do something participatory. It's really a cool way to explain a really difficult technical topic. And then that also has the added benefit of testing out a hypothesis I'd begun to have, which is that this stuff has gotten so easy for a variety of reasons that almost anyone could launch one of these attacks. And as it happens, I'd be a particularly good guinea pig for this because I'm particularly technologically illiterate. You got to have a hacker, and that hacker despite his, I'd say modest computing skills, is Drake and the victim was me. And our idea was that Drake could, you know, he's sending me attachments all the time, so the way we decided he was gonna do it is he was gonna pretend to send me a draft, but that draft was gonna be ransomware. - What were some of the legal concerns and how did you get around that? Okay. Legal concerns. What we figured out in consultation with a very amused and maybe slightly confused Bloomberg lawyer, was that-- All of the laws that are on the books require not only the possession of malware, but the intent to actually launch an attack against an unwitting victim. Max, my victim was complicit in the scheme, so we figured that kept us on the right side of the law. And I do think there's a really strong public interest argument for doing this kind of thing because if somebody as unsophisticated as a magazine journalist can get really dangerous ransomware without spending very much money, that's something that I think the public needs to know about. So once we kind of talked to a Bloomberg lawyer, we then got two burner laptops, we got two cheap Dell laptops. Max and I both work for a company that takes data security very seriously for obvious reasons, so we made sure that we kept all this off Bloomberg's network. Then we decided to send him onto the dark web to procure some ransomware service. So there are these dark web forums that work sort of like they're chat rooms, but they're also these kind of malware bazaars where you can go and people are hawking different forms of malware and also different ways of getting that malware onto computer systems. The market has now kind of advanced to the point where there are these services, they're called ransomware as a service, and it's a play on this idea of software as a service or SaaS, which is something you hear in Silicon Valley all the time. And so I found a couple, some of them turned out to be bogus, some of them seemed to be defunct. People just didn't get back to me. But there was one where the guy got back to me when I got in touch with him and answered the few questions I had. And it was cheap, it was just 150 bucks, so I figured it was worth a try. So the first thing I did is I reached out to the vendor and I used ProtonMail, which is an encrypted email service. And at that point I had gone ahead and set up a Bitcoin wallet, so I paid the $150 that was the subscription fee for the service and that gave me a login for this website. And it was a pretty simple looking interface. There was a series of tabs at the top of the screen. One of the tabs took me to the quote unquote dashboard, which is where I'd be able to manage the various attacks. There was another tab that took me to what was called the builder, which is a page that allowed me to input a few pieces of information about the kind of malware I wanted. Stuff like what kind of operating system would be on the target computer or what kind of encryption I wanted or what's the email address that my victims should use to contact me once they realize they've been attacked. So I input those few pieces of information and it spits out a piece of software that I could then download onto my computer. So it became obvious pretty quickly that I didn't have particularly top shelf product. And that's not surprising. A lot of the conversation on these dark web forums is about whether this or that product is reliable or how well it works. The person that we bought the ransomware from turned out to be not the most sophisticated. Almost as unsophisticated as we were. And it kind of started to become unclear whether he was trying to con us out of more money, and I kept saying to him, "We got to be really careful that there's not an additional layer to this scam, that he's not gonna ask us to wire him some more money to make the software work better," which is what he was trying to do. So there's just like so much con artistry. And there does seem to be a wide range in quality reflected partly in the wide range of price. There are other ones that are much more high end where it's not even an annual fee model it's more like you have a gang of hackers with different specialties and they just divide up the pot between them. So I wrote my email to Max, which basically said, 'Hey Max, here's the draft of my latest story. Sorry it's taken so long. The draft is attached'. Even though I had a really bad laptop, it immediately sniffed out the potential that this attachment that Drake was sending me, which looked super suspicious to me, was going to do harm, and there were a bunch of warning boxes that opened up saying, "Are you really sure you want to load up this file? Are you super sure?" And of course I said yes, yes, and infected myself. And then Max looked away for a second and looked back at his computer and there was this ghoulish image of a hand reaching out from a cloud of smoke and a message that said, "All of your files have now been encrypted." And, so I was sitting there waiting for this thing to happen. We had a photographer there. All of the documents, you know I had to load the laptop with a bunch of documents that I wasn't afraid to lose. So I didn't have anything important on there. And there's still something really scary about seeing that message on your computer that says that they own you now, that the attacker has your files and is gonna do with you what he wants. And it really makes you realize how easy it is to become a victim. The communities of people who are in this world range from the most sophisticated hackers, so like, state-supported, connected to the military or intelligence operation of some of the most powerful countries in the world, all the way down to literally a bored teenager. After all this was over I did reach out to my ransomware providers and announce myself as a journalist and you know, they consented to be interviewed and basically what they told me, they didn't say much about themselves but they did say that they were a group of 18 to 26-year-olds with different specializations working as a team to create this stuff. A lot of these chatrooms where these products are bought and sold are Russian language chatrooms. Some of them have actually been geofenced or coded in such a way that they'll work anywhere except in places like Russia, Ukraine. But I don't know where particularly my providers were located. I also think it was surprising in a good way that we really had to work to make this work in terms of me ignoring warnings that my computer was giving. In terms of Drake having to work with an expert to get the ransomware to work perfectly, but it's just kind of like a scary reminder of how all of this kind of, there are all these sort of bad actors and creeps and con artists kind of lingering just below the surface of the internet and just creepy how close they are and how you're not that far away from downloading something that can kind of mess up your digital life.
B1 ransomware malware drake dark web max computer I Used Ransomware to Sabotage My Boss 3 1 林宜悉 posted on 2020/05/13 More Share Save Report Video vocabulary