Have you ever experienced being unable to work at home or in the office because your computer wouldn’t respond? Or that your children’s school or university had to close for the same reason, or that a store couldn’t sell anything? Welcome to the world of ransomware.
As we often see with technological developments, this phenomenon also started surprisingly long ago — in 1989, with the AIDS Trojan. This malware was distributed via floppy disks to participants of an AIDS conference. Victims had to send $189 by mail to Panama — but received nothing in return. In the early 2000s, there were some amateurish attempts to hide files, but the real game began in 2013 with CryptoLocker. It spread via email attachments, used strong encryption, and demanded payment in bitcoin. That became the market standard.
In the early days, you could never be sure whether, after scraping together your savings, you would actually receive the key to decrypt your files. Law enforcement agencies around the world advised against paying ransom. This affected the criminals’ income. Thus, the “reliable criminal” emerged: increasingly, you could count on being “helped” after payment. According to an estimate by Copilot, the chance of this in 2015 was about 80% (now only 60%).
Again, law enforcement urged people not to pay. Not only was there still no guarantee of receiving the decryption key, but paying also helped sustain the criminal business model — while the goal was to make this trade less profitable.
Criminals responded with double extortion: not only were your files encrypted, but they also made a copy for themselves. If you didn’t pay, your information would be published. And since everyone has something to hide, this was a successful extra incentive to pay. Around that time, there was also a shift from individuals to businesses and governments as targets, because larger sums could be demanded. Publishing customer data or trade secrets could have serious consequences.
Beyond law enforcement’s calls not to pay, there’s also a moral question: is it ethically justifiable to pay? I instinctively lean toward “no”, but I want to explore the nuances — because not paying can have serious consequences beyond the affected organization. Consider the 2021 attack on JBS Foods, the world’s largest meat processing company. The attack led to temporary closures of factories in the U.S., Canada, and Australia and disrupted the food supply. Partly for that reason, the company decided to pay no less than $11 million.
Two years earlier, Jackson County, Georgia was a victim. Police and other government services were completely paralyzed. They paid $400,000, but never officially confirmed whether they got what they paid for. That same year, around Christmas, Maastricht University in the Netherlands was hit. The €200,000 they paid turned out to be a good investment: part of it was recovered and, due to the rise in bitcoin value, is now worth €500,000.
Food is a basic necessity, but if you can temporarily eat something other than meat, getting that meat processor back online may not be so urgent. If the local police are digitally blind for a while, perhaps another police force can help. And a paralyzed university — we survived that in 1969 too, when the administration building of the University of Amsterdam (the ‘Maagdenhuis’) was occupied (though that wasn’t about ransom). In short: seek alternatives rather than paying ransom.
There is a collective interest in eradicating ransomware, but everyone must participate. Some countries are working on banning ransom payments or at least requiring mandatory reporting. A ban on insurance coverage can also help discourage payment. But these measures don’t help the affected companies directly. What does help are initiatives like No More Ransom, where police and the private sector collaborate to recover decryption keys and make them freely available. We also regularly see the successes of international police cooperation. And of course, organizations must increase their own resilience by investing in awareness (especially around phishing), good detection tools, and a solid backup strategy. With all these measures, this criminal business should eventually become unprofitable. And then maybe those people can do reliable and honest work instead.
And in the big bad world…
- this ransomware specifically targeted NAS devices.
- GitHub is being misused to distribute malware.
- this cybercriminal faces a longer prison sentence for failing to repay.
- you’re better off using the original Signal app.
- the open source world is beginning to feel the impact of the EU’s Cyber Resilience Act.
- Chinese authorities have a new hacking tool for mobile phones.
- three Chinese companies have been sued for violating the GDPR.
- China is helping maintain U.S. defense computers.
- China is also allowed to assist with wiretapping telecommunications in Spain.
- the U.S. will use tax data to deport people.
- emotion recognition using AI is on the rise.
- a hidden phishing message can be revealed when Gemini summarizes the email.
- American trains can be remotely brought to a halt.
- others could view your prompts to the Meta AI Chatbot.
- WeTransfer is now allowed to use and sell your files.
- the U.S. is allocating a billion dollars to offensive cyber operations.