Q&A: Interview with a Hacker Hunter

“Cybercrime is a very mature, well-oiled capitalist machine.”

by Alina Simone

About a year and a half ago, my mom got hacked. A virus known as CryptoWall infiltrated her computer and encrypted all of her files. In order to get them back, she had to deliver a ransom of $500 in Bitcoin within one week to the e-thieves, an odyssey that I detailed in this essay for the New York Times. Now ransomware is back in the news after a string of attacks on hospitals.

What follows is a Q&A with the expert I interviewed for the Times piece, Chester Wisniewski, Senior Security Advisor for the company Sophos, about all things ransomware. We discussed the evolution of the virus over the past few years, how ransomware is bought, sold and distributed on the dark web, and why Bitcoin operators may actually be the key to killing these viruses.

My mom got hit with CryptoWall at the end of 2014. Is this form of ransomware still a threat? And was CryptoWall the first weapons-grade form of ransomware?

CryptoWall is still the most popular form of ransomware, accounting for ½ to ¾ of all cases I see. Your mom got hit by version 2.0. Now we’re up to 4.0. This was all pioneered by Cryptolocker, the first form of ransomware to really get the encryption right and cause widespread disruption. Cryptolocker, between September 17 and October 31, 2014, cleared the equivalent of 33 million dollars. In 6 weeks! It became big news in the criminal underground.

The Cryptolocker guys were shut down [in June 2014, by a multi-national effort led by the FBI], and then afterwards like 6 or 7 other groups sprung up copycatting the idea. There’s CryptoWall, CryptoFence, TeslaCrypt, Locky, Maktub — in fact, two of them started calling themselves “CryptoLocker” because the brand name was so fearsome to victims! They just thought, “Maybe we’ll just call ourselves CryptoLocker. People know to be scared of that; they’ll pay.”

How is the latest ransomware virus, Locky, different from CryptoLocker? And why are the Locky hackers targeting hospitals specifically?

Locky infections generally begin when someone downloads an attachment from an email — “The invoice from your airline ticket from Delta Airlines is attached” — or something like that, and it spreads primarily by asking people to enable a macro in an MS Word doc.

If ransomware encrypts the entire drive, the system will be crippled and the computer will stop working. The CryptoWall hackers originally got around this by programming CryptoWall to only encrypt files with certain extensions — word documents, images, movies — about 40–50 file types in total, similar to how the more recent ransomware Locky works.

CryptoWall 4 works by targeting everything except those files essential to the computer working.

Maktub, another new ransomware variant, has been targeting hospitals as a way to make more money per victim. The potential for blackmail is much higher, given the sensitive nature of the information contained in medical records. The amount the criminals are demanding is also much higher. And since it’s critical doctors have immediate access to health records, there is a better chance victims will have an emotional response and pay up quickly. It’s an intimidation tactic.

How much is known about where ransomware originates and who these hackers are?

I mean, let’s be fair. When we’re talking about cybercrime in general, it doesn’t matter what country you’re from: everybody’s got cybercriminals. You see some of this stuff in major cities, but we’ve tracked many of these [viruses] to small villages where there’s probably not a lot of economic opportunity.

A lot of the primary actors are well known to all of us. Many of them are suspected to be shielded by foreign governments and they don’t hide their identities. They talk to us and taunt us as well, because they bribe local officials and don’t really have anything to worry about. In the past, they’ve even put messages inside the malware for the virus analysts.

Is there anything being done to combat ransomware?

Often when there’s a major outbreak impacting a lot of people with a particular type of malware, we create a working group in the security community. Sophos, many of our competitors, and law enforcement put our heads together and share information, hoping to provide better protection and potentially lead to an arrest.

Better cooperation between nations would help shut down malware writers, but the truth is, many governments have other crises going on. Fighting cybercrime is not a priority.

How many people does it take to unleash a ransomware attack? Are we talking about entire cyber-hacking corporations with office suites and pizza Fridays, or just one evil geek sitting on his bed with a laptop and a bag of Cheetos?

I would think a single person could write something like this in a week, although likely it’s two or three. The way all the previous [malware] kits worked is you pay a fixed, one-time price of some sort — usually between $1,000 and $10,000 US dollars — to buy the essential form of malware and advice and tools to assist in succeeding with it. It comes with a customization tool so you can change the look of it and change the branding on it, configure where the stolen information gets sent, or whatever it’s designed to do.

It’s a push-button operation — you don’t have to know a single line of code. The only thing you’re responsible for, as the person buying the kit, is distributing the virus to victims’ computers. But it’s a service economy, right? So, if you log into one of these underground forums, you’ll see that is one of the services offered.

You buy the kit from one criminal, and then you could go to another criminal and say, “Hey, install this on 10,000 PCs and I’ll give you 75 cents per victim machine you infect.” And then those guys subcontract out to a spammer, paying them to send out a billion emails with the virus as an attachment.

This is a very common tactic in the underground. You get infected with something designed to spew out spam messages selling pills from Canada. That criminal will then rent you out to other criminals and install additional malware for other crooks on your PC as well.

It’s a very mature, well-oiled capitalist machine.

Why is Bitcoin the currency of choice for ransomware operators and how do they turn it into cash without getting caught?

Bitcoin is not nearly as anonymous as people think it is. If you mishandle it, it can lead law enforcement to your door. In order to use Bitcoin and try to keep it somewhat anonymous, what you need to do is create a unique Bitcoin wallet for every victim. The malware self-generates the Bitcoin wallet when it infects the PC; there’s no effort for the crooks.

Usually what the crooks do is aggregate a few thousand payments from people into one bigger wallet, and that’s when they’ll begin the money laundering process. They don’t cash them out of the Bitcoin ATM, or we’d just put a cop there and wait for them to go do it. What they’ll do is put them into one of the Bitcoin tumbling businesses, basically a money laundering service.

The other way these guys launder Bitcoins is to transfer them to an online gaming account. So they’ll take Bitcoins, deposit them in a casino in Antigua, play like one hand of blackjack, and then cash out back into Bitcoins or other cash-equivalent currencies.

But the thing is, all of those transactions are logged. If you apply big data analytics to that transaction log, there’s a lot of data to suggest you can track a Bitcoin quite far back to the people who are perpetrating the crime.
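The payment structure Wisniewski describes (one throwaway address per victim, swept into a single aggregation wallet, then sent on to a tumbler) leaves a recognizable shape in the public ledger. The following is an added illustration, not code from the interview or from Sophos; it runs over a small constructed transaction list (not real chain data) and shows how an analyst would spot the aggregation wallet, list the victim payments behind it, and follow the funds forward to the cash-out point.

```python
from collections import defaultdict

# Constructed ledger (not real chain data): (txid, from_addr, to_addr, btc).
# Four victims each pay a unique ransom address; the operator sweeps them into one
# aggregation wallet, which then pays a tumbler. t10/t11 are unrelated traffic.
LEDGER = [
    ("t1", "victim_1", "ransom_addr_a", 1.2),
    ("t2", "victim_2", "ransom_addr_b", 1.2),
    ("t3", "victim_3", "ransom_addr_c", 1.2),
    ("t4", "victim_4", "ransom_addr_d", 1.2),
    ("t5", "ransom_addr_a", "aggregate_wallet", 1.2),
    ("t6", "ransom_addr_b", "aggregate_wallet", 1.2),
    ("t7", "ransom_addr_c", "aggregate_wallet", 1.2),
    ("t8", "ransom_addr_d", "aggregate_wallet", 1.2),
    ("t9", "aggregate_wallet", "tumbler_deposit", 4.8),
    ("t10", "shop_customer", "merchant", 0.3),
    ("t11", "merchant", "supplier", 0.3),
]

def build_graph(ledger):
    """Index the ledger by receiving and sending address."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for txid, src, dst, amt in ledger:
        outbound[src].append((dst, amt, txid))
        inbound[dst].append((src, amt, txid))
    return inbound, outbound

def one_time_addresses(ledger):
    """Addresses with exactly one payment in and one out: the per-victim wallet
    pattern. Ordinary wallets can match too (see 'merchant'), so this alone is
    only a weak signal; the fan-in check below is what separates the two."""
    inbound, outbound = build_graph(ledger)
    return {a for a in inbound if len(inbound[a]) == 1 and len(outbound.get(a, [])) == 1}

def aggregation_candidates(ledger, min_sources=3):
    """Addresses funded by at least min_sources distinct one-time addresses,
    mapped to (sorted feeder addresses, total swept in)."""
    inbound, _ = build_graph(ledger)
    single = one_time_addresses(ledger)
    found = {}
    for addr, ins in inbound.items():
        feeders = sorted({s for s, _, _ in ins if s in single})
        if len(feeders) >= min_sources:
            found[addr] = (feeders, round(sum(a for s, a, _ in ins if s in single), 8))
    return found

def victims_behind(ledger, agg_addr):
    """Walk one hop back from each feeder address to the original payer."""
    inbound, _ = build_graph(ledger)
    feeders = aggregation_candidates(ledger).get(agg_addr, ([], 0))[0]
    return sorted(inbound[f][0][0] for f in feeders)

def trace_forward(ledger, start, max_hops=5):
    """Follow the largest outgoing payment hop by hop from start."""
    _, outbound = build_graph(ledger)
    path, cur = [start], start
    for _ in range(max_hops):
        nxt = outbound.get(cur)
        if not nxt:
            break
        cur = max(nxt, key=lambda e: e[1])[0]
        path.append(cur)
    return path
```

On a real ledger the same logic runs over transaction outputs rather than a flat address list, and the interesting output is the hop where the aggregated funds reach a service that knows its customer.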

And how culpable do you think Bitcoin operators are in all this?

They’re well aware that people are using them to pay these criminals, which irritates me to no end. At one point cybercriminals were taking payments via credit card, but MasterCard and Visa worked with law enforcement to shut this down.

In the Bitcoin world, I think we have a similar situation. Why would I legitimately need a Bitcoin tumbling service? I mean, that service is designed to launder money, basically, isn’t it? Maybe, maybe not. Anonymization isn’t always used for evil, similar to Tor and other anonymization techniques, but the criminals sure do like it.

When my mom got hacked, she decided to pay the ransom to get her files back. In your opinion, morally, what is the best thing to do if your files get hijacked?

It’s perpetually the same thing. People ask, “Well, what should we do?” You know the answer is you’re not supposed to pay them, but if you’re a business and you have backup tapes of all your stuff, it will cost more than $400 just to get the backup tapes. And the crooks know it. That’s why the price is $500. The criminals are businessmen.
Practically Unhackable is an Intel publication on Medium. Supercharge the security of your online life with our step-by-step guides on everything from managing passwords to beating ransomware.