PC Pro

“At a certain level, the alleged perfect security of the dark web becomes amenable to enquiry”

Why is it that we never hear about ransomware demands totalling tens of millions of dollars? Steve says the answer lies with men in black suits

- Steve is a consultant who specialises in networks, cloud, HR and upsetting the corporate apple cart @stardotpro

“Mr Winder and I were meeting with the men of the US Secret Service three years ago”

There are some strange rules in techno-shock stories published in the mainstream media. Ever-larger counts of stolen data sets from ever-more-remote corporates form a constant backdrop to the self-appointed superheroes, videoing themselves laying down the actual law to some distant, bemused office of identity scammers before wiping all their machines with one click of the mouse. Altogether there’s a certain sense of predictability to the affair, a way that the whole matter can fit into our view of our societies and how they work.

One of the oddities always makes me look up when a ransomware story comes by, and it’s that there are upper limits to the amounts of money paid over in ransom scams. This is of semi-professional interest to me, because as a callow spotty lad I got to play around with a portfolio of loans totalling some £2 billion. When I say “play around”, I mean I had access to a read-only copy of the databases, and a whole boardroom of impatient, irascible banking directors had access to me. I quickly learned that there was no approximating with that amount of money and that audience: you had to be able to track what was happening to the millions, the pennies, and every other amount of money in between.

So when I see an artificial cut-off in the reporting of the scale of the ransoms being demanded, I become suspicious and want to find out why. Not an easy topic to pick, even for someone with my employment history. We know that there are incidents at all scales, but why do we only get to hear about the pay-outs in the few million bracket?

It’s pretty clear that the more we can see in public, the more inclined we will be to heed the various warnings that have escaped from the security-nerd ghetto (sorry, Davey!) and now come from sources disinclined to hyperbole. This very morning, I have three separate notifications drawing my attention to statements issued by the NSA, the FBI and the CISA. I feel honour-bound to point out that we have been so far ahead of this curve at PC Pro, that people may not realise the breadth of our contribution: incredible as it might seem to our group of mutual friends, Mr Winder and I were meeting with the men of the US Secret Service nearly three years ago.

Not that there’s a traceable link between those meetings and any emergent products or services, mind you. One of the most difficult things to engage with is that the fightback against ransomware and cybercriminality is a weird mixture of massive names and single individuals. Do you know who Troy Hunt is, or what he does? It’s not even immediately apparent from his own blog: Troy owns haveibeenpwned.com, the go-to site if you think your personal data might have been stolen from your employer, supplier or government department.

Ironically enough, we’re advised by many cybersecurity resources that we should check the credentials or reputation of any newly introduced site, and yet Troy emerged for most of us as a wildcard. The economics of a private individual running a web service in the middle of a maelstrom of crooks and cops, corporates and consultants are far from straightforward, and Troy’s provision of a database of stolen and recovered names and addresses is a Pandora’s box for both businesses and private individuals. Once you’ve realised your email or credit card number is in his list, it’s up to you to work out the best response to that news. It only takes a tiny fraction of the pool of victims to misunderstand Troy’s role and purpose, and come out with all lawyers blazing; not something they would be trying on IBM.

I mention IBM because it’s also in the anti-ransomware public service business through its participation in the Quad9 project. This is a public, free DNS server that automatically refuses to return blacklisted DNS addresses, thereby cutting off the sine qua non of ransomware work: no prospect of remote access to your machines, if you’re using IBM’s DNS at 9.9.9.9. Again, how you achieve the level of well-researched satisfaction that either IBM or Troy Hunt genuinely own the resource you’re about to stake your financial future on, nobody seems to know – but they all think you ought to make the effort.

That strange sense of distorted scale, of one rule for the big boys and another for the small fry, becomes a primary concern when you’re trying to work out how to manage the process of recovery from a ransomware attack. Ask a business to develop a resilient IT platform and the first thing they do is go and get Gmail addresses, “just in case” the attack does bad things to their company email server (an early fad for the bad guys, now not so popular; they definitely want that email server working to discuss the payment of their demanded ransom, after all). I don’t mind the Gmail reflex move, actually, as it’s better than having your key workers admit they don’t know what to do otherwise, and it’s a great kicking-off point for ransomware training.

Actually, I hate the term “ransomware training”. Putting this subject into a straight chalk-’n’-talk, PowerPoint-driven training environment isn’t going to give you the outcome you’re looking for. I’d far rather have a ransomware brainstorm, with as much coming back from the workers themselves as anything else, and the occasional opportunity for a guest speaker with Q&A included in the session. If you just use the security jargon to make up 209 slides of dense, in-vogue security highlights presented in bright red upper-case text (as one security vendor did to myself and young Davey), then the only thing you achieve is glazed eyes and a desperate need for a comfort break. Having people feed back, asking questions about the things they don’t understand, has a genuine impact.

A real-world example

The most recent case to come to my attention might hold out an answer for us: what happens when the ransom demand is seriously impressive? Pardon me for not doing my usual in-depth description of the business in question; it will be clear as the story unfolds that this is one case study where identifying anyone involved is a serious bit of risk-taking.

If you want something to anchor your understanding, then we can agree that the business might as well be a gold-smelting company – but only because I watched a documentary on the Brink’s-Mat heist, and the mixed fortunes of the smelter that took on the resupply and monetary switching of the massive quantity of gold stolen in the raid. Most certainly not because you can guess the real identity of the victim from that description.

The situation evolved as ransomware often does. Initially, there was a small-scale infection of one PC, which went undetected by software or humans. The infection facilitated long investigative remote control sessions. That investigation, though, wasn’t by the IT support guys, but by the bad guys. They traded instant money at low values (using the infected machine as a passthrough for gaming or video-download purposes) for much more money, a few months down the road, by quietly wandering around the network, just reading documents here or there.

In a gold refinery, you don’t measure the value of work by the accompanying weight of paperwork. Millions of pounds of value can be handled in a few A4 schedules of bars in, weights, bars out and serial numbers. The only indications that perhaps there was a bit more money in this business than the common or garden metal trader was partly hidden away, in simple files of scanned invoices coming in, matched to payment notifications going out.

Like a lot of people in this sector, these guys had some impressive and possibly not terribly legal side-gigs going on, fitting into the cash flow of the main business.

So the bad guys took their time, looking around the file structures of the machines and servers, trying to work out what they were dealing with. Nobody detected their remote-control sessions. Hardly a surprise, as in lockdown, remote control of single desktop PCs had been a lifeline for this business, like many others, so they’d almost have expected to see someone backseat-driving practically any machine in their LAN.
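The two paragraphs above describe the detection failure at the heart of the story: months of remote-control sessions that nobody questioned because remote control had become normal during lockdown. The defender’s answer is not to forbid remote sessions but to compare each one against a baseline and surface the ones that deviate. The script below is an added illustration written for this column, not code from the business concerned or from any vendor. The log format, the internal address range, the business hours, the session-length limit and the sample lines are all constructed assumptions; a real deployment would read the session log of whichever remote-support gateway is actually in use.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical remote-support gateway.
# Two daytime support sessions, then two small-hours sessions from an
# outside address that touch more than one machine.
SAMPLE_LOG = """\
2021-03-02T09:12:04 SESSION_START operator=helpdesk1 src=10.0.5.20 target=ACCOUNTS-PC
2021-03-02T09:41:10 SESSION_END operator=helpdesk1 src=10.0.5.20 target=ACCOUNTS-PC
2021-03-02T14:02:33 SESSION_START operator=helpdesk2 src=10.0.5.21 target=SMELT-OFFICE-03
2021-03-02T14:20:01 SESSION_END operator=helpdesk2 src=10.0.5.21 target=SMELT-OFFICE-03
2021-03-03T02:17:45 SESSION_START operator=helpdesk1 src=203.0.113.77 target=ACCOUNTS-PC
2021-03-03T02:21:09 SESSION_START operator=helpdesk1 src=203.0.113.77 target=FILESRV01
2021-03-03T03:02:40 SESSION_END operator=helpdesk1 src=203.0.113.77 target=FILESRV01
2021-03-03T05:58:12 SESSION_END operator=helpdesk1 src=203.0.113.77 target=ACCOUNTS-PC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>SESSION_START|SESSION_END) "
    r"operator=(?P<operator>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)

# Baseline for this hypothetical site (assumptions, not from the column).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # where support staff connect from
BUSINESS_HOURS = (8, 19)          # sessions expected to start between 08:00 and 19:00
MAX_SESSION = timedelta(hours=2)  # a support fix rarely needs longer than this
MAX_TARGETS_PER_SRC = 1           # one helper normally works on one machine at a time


def parse_sessions(log_text):
    """Pair SESSION_START/SESSION_END lines into session records."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a session event
        ts = datetime.fromisoformat(m["ts"])
        key = (m["operator"], m["src"], m["target"])
        if m["event"] == "SESSION_START":
            open_sessions[key] = ts
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({"operator": m["operator"], "src": m["src"],
                             "target": m["target"], "start": start, "end": ts})
    return sessions


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def find_anomalies(sessions):
    """Return (reason, detail) findings for sessions that deviate from the baseline."""
    findings = []
    targets_by_src = defaultdict(set)
    for s in sessions:
        targets_by_src[s["src"]].add(s["target"])
        if not is_internal(s["src"]):
            findings.append(("external source", s))
        if not BUSINESS_HOURS[0] <= s["start"].hour < BUSINESS_HOURS[1]:
            findings.append(("outside business hours", s))
        if s["end"] - s["start"] > MAX_SESSION:
            findings.append(("unusually long session", s))
    # One source quietly "wandering around the network" shows up as fan-out.
    for src, targets in targets_by_src.items():
        if len(targets) > MAX_TARGETS_PER_SRC:
            findings.append(("one source reaching several machines",
                             {"src": src, "targets": sorted(targets)}))
    return findings


def summarise(log_text):
    """Parse, detect and return a sorted list of (reason, src, target) triples."""
    out = []
    for reason, s in find_anomalies(parse_sessions(log_text)):
        target = s.get("target") or ",".join(s["targets"])
        out.append((reason, s["src"], target))
    return sorted(out)


if __name__ == "__main__":
    for reason, src, target in summarise(SAMPLE_LOG):
        print(f"{reason:40s} src={src} target={target}")
```

Run against the constructed log, the two daytime sessions pass every check and the two small-hours sessions from 203.0.113.77 produce six findings between them. None of the individual checks is clever; the point is that a site which had written down what “normal” remote control looked like during lockdown would have had something to compare the bad guys’ sessions against, and the combination of an outside source, an odd hour and a reach across several machines is exactly the pattern the column describes going unnoticed.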

“My question was answered when the Heavy Mob showed up”

Picture caption: Every branch of government wants us to know about ransomware threats

Picture caption: When a big ransomware demand lands, the men in suits are brought in to help

Picture caption: Why should you trust Troy Hunt, owner of haveibeenpwned.com?
