
Ransomware gives free decryption keys to victims who infect their friends

182 points | progval | 9 years ago | bleepingcomputer.com

123 comments

[+] jpalomaki|9 years ago|reply
Next step (unless it is already there) could be affiliate marketing (pay 25% of the ransom to people who distribute the malware). If people start getting smart with backups, the response could be to switch blackmailing (pay or we'll distribute your files).

I find this whole thing quite scary. We all know how difficult it is to protect yourself from a determined and skilled adversary. Now that there is a clear business model and an opportunity to make hundreds of millions[1], this thing will probably attract more and more people. Building botnets was a mass market operation. Ransomware could become more targeted, since the value of a single infected machine can be much higher.

[1] http://thehackernews.com/2015/10/cryptowall-ransomware.html

[+] Taek|9 years ago|reply
All the more reason to emphasize security over the latest in features and upgradability.

Why doesn't Microsoft get held accountable when a 0-day in Windows is exploited that results in loss of user funds? Without that, there's no incentive to build secure software in the first place.

How do we get society to have more of a security-first approach when it comes to things connected to the internet? A lot of these vulnerabilities are scary in a systemic way. Cyber warfare would likely be as damaging as dropping napalm on cities, and it's all preventable by having more security oriented infrastructure.

[+] gruez|9 years ago|reply
>If people start getting smart with backups, the response could be to switch blackmailing (pay or we'll distribute your files).

How does that work when most home connections have terrible upload? To make matters worse, if you upload at full speed, people will notice that their internet is getting sluggish and notice something is up.

[+] industriousthou|9 years ago|reply
This might only be sort of related to what you're talking about, but ransomware as a service already exists. You deliver a premade executable and get a cut of the profits. You could install it in systems where you have physical access, like your work or at a friend's house, or systems that you have remotely compromised.
[+] celticninja|9 years ago|reply
Already there, that's how some ransomware is already operating.
[+] pizza|9 years ago|reply
Finally, a use-case for Ethereum! /s
[+] rahrahrah|9 years ago|reply
Doesn't work. The moment someone exposes the game the affiliate marketer will have his affiliate account closed by whichever company or network they're trying to work with.
[+] gpm|9 years ago|reply
Interesting plan. I think people are underestimating how effective it might be.

Suppose a kid gets their parents' computer infected. There is a pretty good chance that they will panic and take the non-monetary route. It's not like infecting others is beyond most kids' abilities. Just run the exe themselves on school computers, post it in video game chats, send it to friends, etc. Since they aren't sure how many people will pay before their parents notice, there is a strong incentive to send it to a lot of people, not just two.

The other route I see is that an adult sees this and tries to infect some company computers, on the theory that they won't be caught and there is a good chance the company will pay up. Not many people will go for it of course, but if it manages to spread internally then they will be in a decent position to demand a lot of money.

[+] blauditore|9 years ago|reply
I wonder how Bitcoin-based scammers launder their money.

Bitcoin addresses are anonymous, but all transactions are public, right? So while it's hard to find out who's behind an address, it's publicly visible if they spend money, and where it goes. Thus, they're only able to spend it on "trusted" peers to not jeopardize their own anonymity.

For example, if they buy something from an online shop, this transaction will be visible for all Bitcoin users. And if that shop publicly shows its Bitcoin address, authorities might track down that shop and force it to give away their shipment address.

Or am I missing something?

[+] cryptarch|9 years ago|reply
Bitcoin tumblers take care of this. Roughly, you set up a service that puts a lot of people's coins in a single wallet, then you route bitcoins from that wallet to a bunch of different wallets operating in similar fashion. Kind of like how TOR works.

It's easy to generate many temporary wallets that cannot be linked back to your main wallet; shops can do this too, and I think it's considered good practice to use one address per sale.

You can also convert the Bitcoins to a more anonymous coin (Monero?) and back.

[+] throwaway4891a|9 years ago|reply
There's a niche field of malware economics, but it makes sense that for-profit malware is ultimately a business, albeit a usually illegal one, which has to optimize just like any other app:

https://cyber.harvard.edu/cybersecurity/Economics_of_Malware

https://www.coursera.org/learn/malsoftware

At some point, it would make sense that anonymized malware (i2p, Tor only) may go open source, similar to commercial open source, but instead because of scene cred / black-market consulting.

[+] deoxxa|9 years ago|reply
This is roughly what happened with several "exploit droppers" a few years ago. It wasn't pretty GitHub sites or open source blogs, but rather "leaked" versions of the software suites, missing nearly all of the actual exploits. Usually there'd be a couple of very old, widely patched exploits in there so you could see how it worked. People would download the stripped out version, play with it, then buy the actual exploit payloads/plugins.

Pretty interesting process to watch from the sidelines!

[+] maverick_iceman|9 years ago|reply
I wonder why no one is looking at the obvious solution: discredit the ransomware folks. I.e. create ransomware that doesn't free your files even after you pay the ransom. As soon as word gets around that there is ransomware like that, their whole business model will collapse. Sure, this will not be nice to the (small number of) people who get screwed over, but it definitely solves the larger problem.
[+] connor4312|9 years ago|reply
Ransomware already has a less-than-stellar reputation as far as that goes[1], but many people are willing to make that gamble in order to have a chance at retrieving their data. Not to mention that making the dysfunctional ransomware would be illegal, and authors (who therefore must be in it for profit) have motivation to avoid tarnishing their 'reputation', to extract the most payment.

[1] https://www.google.com/search?q=does+paying+ransomware+work

[+] ThrustVectoring|9 years ago|reply
An alternative solution is to make it illegal to pay ransomware.
[+] dkh|9 years ago|reply
Completely evil and terrifying, yet also somehow brilliant psychologically. Tricking people to install it thinking it's the Popcorn Time streaming app has a bit of irony involved.
[+] MichaelBurge|9 years ago|reply
That's interesting how they use the sob story. Anyone wanting to pay is going to feel conflicted, so they give the user an out by letting them feel like they're helping poor people in Syria. They've chosen Syria because it's well-known and in the news.

I wonder if their English is poor, or if they're trying to be endearing to help their conversion rates. You could confirm the former by correlating it with what common errors people in different countries make.

It doesn't look like they expect people to infect their friends, but offering the false choice is a pretty common way of making people feel slightly more in control. It probably helps their conversion rates, even if nobody picks the blue option.

[+] jlgaddis|9 years ago|reply
Novel and innovative. This guy is disrupting the ransomware industry. ;)
[+] Cyph0n|9 years ago|reply
What I don't understand about ransomware in general is how the AES key is stored on the machine. I'm assuming that it's grabbed from the server, used only during encryption, and then scrubbed from RAM/filesystem. Otherwise, it would be possible to recover the key post-encryption. Or am I missing something?
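The question above is whether the key could be recovered from the machine after encryption. As an added example (not from the thread), this Python scans a memory image for a resident AES-128 key schedule, the technique behind cold-boot tools such as aeskeyfind; SAMPLE_DUMP is a constructed stand-in for a real capture, and a hit is only possible if the schedule was not scrubbed, which is exactly the countermeasure the comment assumes.

```python
# Added example (not from the thread): scan a memory image for a resident
# AES-128 key schedule. A 176-byte schedule is self-consistent: bytes 16..175
# follow deterministically from bytes 0..15, so a window can be validated.

def _gf_mul(a, b):
    # Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _build_sbox():
    # S-box = multiplicative inverse followed by the AES affine transform.
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    # FIPS-197 key expansion: 16-byte AES-128 key -> 176-byte schedule.
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then add the round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)

def find_aes128_keys(dump):
    # Offsets whose next 176 bytes form a valid AES-128 key schedule.
    return [off for off in range(len(dump) - 175)
            if expand_key(dump[off:off + 16]) == dump[off:off + 176]]

# Constructed "memory image": arithmetic filler, the bare key at offset 100
# (no schedule there, so no hit) and the full schedule at offset 700.
KEY = bytes(range(16))
_filler = bytes((i * 37 + 11) & 0xFF for i in range(2048))
SAMPLE_DUMP = (_filler[:100] + KEY + _filler[116:700]
               + expand_key(KEY) + _filler[876:])
```

Note that the bare 16 key bytes at offset 100 are not reported: only the expanded schedule is recognisable, which is why scrubbing it after use defeats this search.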
[+] Yhippa|9 years ago|reply
This sounds like the beginnings of a future Black Mirror episode.
[+] Pica_soO|9 years ago|reply
The problem with ransomware is also that it can infect a lot of people who don't have that kind of money. If they did it decently, they would allow for partial recovery of files with rising prices per batch, and measure how long the user could take to come up with the coins.

Price-building exercise combined with social engineering.

God, they could go full Ponzi scheming with this and get a billion people to get rich and become accomplices.

[+] meowface|9 years ago|reply
Clever idea, but I doubt this would work in 99% of cases.

It's basically a link to an EXE. You could probably only convince someone to run it if you have some acquaintance with them, so obviously they'd hate you afterwards. And you only get the key if they not only get infected, but pay up. And you have to do it twice.

A better method might be "get 5 people infected", regardless of payment.

[+] faragon|9 years ago|reply
Why is the FBI not actively targeting those criminals?
[+] NoExiiT|9 years ago|reply
And how do they know if I infected a friend's computer? It can be mine, right? I just have to set up a new computer with a fresh install and repeat it again and again until they give me the key.
[+] ShotgunSnipist|9 years ago|reply
"Send the link below to other people. If two or more people will install this file and pay, we will decrypt your files for free."
[+] xg15|9 years ago|reply
Someone has been watching too much "The Ring"...
[+] jwatte|9 years ago|reply
OSes will have to start detecting processes that do a lot of disk read/write, and perhaps network upload, and quarantine them. Also, checkpoint/log based file systems like nilfs2 can let you roll back to any point before infection.
[+] charonn0|9 years ago|reply
I'm not sure that would be effective. A lot of legitimate software would get caught up in the dragnet.
[+] mattstreet|9 years ago|reply
Then the ransomware would just encrypt the files more slowly.
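The three comments above disagree on whether I/O-based detection can work. As an added example (not from the thread), this Python scores each process by the Shannon entropy of what it writes and by how many distinct files it rewrote within an hour, so an encryptor that throttles itself still accumulates a suspicious profile while a backup tool streaming one compressed archive does not; the event log and thresholds are constructed.

```python
# Added example (not from the thread): a behavioural heuristic of the kind
# debated above, scoring each process by the Shannon entropy of what it
# writes and by how many distinct files it rewrote within an hour.
import math
import random
from collections import defaultdict

HIGH_ENTROPY = 7.0       # bits/byte; encrypted or compressed data sits near 8
MIN_FILES = 20           # distinct files rewritten with high-entropy data
WINDOW_SECONDS = 3600    # an hour, not a second, so slow encryptors still count

def shannon_entropy(data):
    # Bits of entropy per byte (0.0 for empty input).
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_processes(events):
    # events: (timestamp_s, pid, path, bytes_written) -> {pid: (verdict, n)}
    # where n is the most distinct high-entropy files seen in one window.
    by_pid = defaultdict(list)
    for ts, pid, path, data in events:
        by_pid[pid].append((ts, path, shannon_entropy(data) >= HIGH_ENTROPY))
    verdicts = {}
    for pid, rows in by_pid.items():
        rows.sort()
        worst = 0
        for i, (start, _, _) in enumerate(rows):
            files = {p for t, p, hi in rows[i:] if hi and t - start <= WINDOW_SECONDS}
            worst = max(worst, len(files))
        verdicts[pid] = ("flag" if worst >= MIN_FILES else "ok", worst)
    return verdicts

# Constructed event log: an editor (low entropy), a backup tool streaming one
# compressed archive (high entropy, one file, must not be flagged) and a slow
# encryptor touching one document every 90 s, which beats a pure rate check.
_rng = random.Random(7)
def _blob(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))
SAMPLE_EVENTS = (
    [(i * 30, 100, f"/home/u/notes{i % 2}.txt", b"meeting notes, todo " * 40) for i in range(40)]
    + [(i * 5, 200, "/mnt/backup/2016-12.tar.gz", _blob(1024)) for i in range(40)]
    + [(i * 90, 300, f"/home/u/docs/report{i}.docx", _blob(1024)) for i in range(30)]
)
```

The backup process writes more bytes per second than the encryptor, which is why a pure throughput rule (the first comment's suggestion) would flag the wrong one; the distinct-file count over a long window is what separates them.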
[+] logicallee|9 years ago|reply
Can we put quotation marks around the word "friends" to show what is really going on more clearly?

It is, in fact, recruitment into cyber crime. The title should read:

> Ransomware gives free decryption keys to victims who infect their "friends"

[+] mSparks|9 years ago|reply
Popcorn Time software is something completely different.

This sounds more like an attempt to taint the Popcorn Time name rather than real malware.

[+] wutbrodo|9 years ago|reply
It seems like a far more plausible explanation that this is real malware that picked well-known software that people are likely to be downloading from sources that they're not super sure about.
[+] mkagenius|9 years ago|reply
If it forms a binary tree, the leaves themselves will be 50% of the population. (Much worse in the case of a ternary tree?)