Wednesday, August 6, 2025

Crime Doesn't Pay (Except when it Does)

Situation

Imagine you are a nurse in a large regional hospital. Your worn insoles make your feet ache, the crick in your neck doesn't seem to go away no matter how many pills you down, and your fourth cup of coffee keeps you alert enough to guard over dozens of lives. You shuffle over to your "workstation on wheels" (WOW) to input the time you gave a patient his fourth Warfarin. You go to swipe your badge and notice the following on your screen:


It's not just you. Other patient-care staff are looking up from their desks wondering if it's some kind of prank on the resident gone awry. Soon, the floor is abuzz with doctors coming out of their offices and hurried footsteps rushing down the hall to see what can be done. Within minutes, the rude IT guy is looking at some computers at the nurses' station and gets a call from his boss's boss. The call does not go well. Panic sets in as patients realize something is amiss. Is the life-saving surgery able to go forward without the doctor being able to access the patient's blood type? Is the diagnosis that a family hangs onto with bated breath able to be released today, or will the nightmare continue indefinitely?

Congratulations, you are a victim of Ransomware.

What is Ransomware?

Ransomware is malicious software that infects your computer with no intention of stealing information. Instead, it deliberately removes your access to your own data by encrypting the contents of the computer with keys and passphrases that could never be guessed as long as the universe shall live. The way it actually works looks something like this:

This is a clever way to encrypt files and essentially throw away the key until payment is made.

Normally, a scary-looking window will appear stating that everything is encrypted and that you must pay the hacker to get your data decrypted. There will usually be a nuclear-countdown-style timer showing how much time you have left to pay before the files are wiped, or before the hacker deletes the corresponding private key that would have decrypted the symmetric key used on your files. So what do they expect? Payment made through a secret channel to a secret location.

Anonymity

Ransomware is interesting because you actually get to talk with your hacker! Indeed, communication between victim and attacker must be established in order to accomplish steps 7 and 9 above.

Most ransomware proprietors are fans of the "Dark Web", which I cover in other posts and have my own thoughts about. Through layered proxying and obfuscation, browsers such as "The Onion Router" (Tor) allow individuals to anonymize their internet browsing to the point where breaking that anonymity requires nation-state-level surveillance and tracking. Ransomware hackers often urge their victims to set up a gateway into the Tor network in order to submit payment and exchange keys.

Payment

Notoriously, ransomware threat actors demand payment through Bitcoin, with up to 98% of ransomware payments being made through the cryptocurrency. 70% of CISOs also keep a stash of Bitcoin on hand to quickly pay ransoms should they be infected.

Bitcoin (or any cryptocurrency) makes sense as a perfect hacker direct deposit slip with its anonymity and blockchain technology.


On Reputation

If you're paying attention and have a good head on your shoulders, you are obviously thinking:

> Okay, if I do "negotiate with the terrorists" here and send payment, what are the odds they're going to actually give me the decryption key? Would they not just turn tail and run, and now I'm left with no files AND no money?

Great question, and the truth is that *most* ransomware hacker groups out there will actually cooperate with you and send you the decryption key. Why? Reputation. If they took the money and ran, the company would promptly tell every other company out there not to deal with hacker "im2cool69" and their Bitcoin wallet ending in 0047. Then when this particular denizen of society deals with another victim, that victim would know not to pay.

Now, you may think it's extremely easy to go get another hacker nickname and Bitcoin wallet, and constantly rotate through a cycle of never-ending cash-filled accounts. This is true, but these ransomware adversaries have rating systems as well, just like an eBay seller. I'm not sure if they have client testimonials and glowing reviews, but at the same time, you're much less likely to pay a hacker who has zero successful decrypts and data recoveries compared to one who may have done several already. There's no honor among thieves, but even they have to market their (forced) services!



United Kingdom's New Law

The U.K. has come up with a new law to stop ransomware - make it illegal to pay out.

Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals under the measure, with nearly three quarters of consultation respondents showing support for the proposal.

The ban would target the business model that fuels cyber criminals' activities and make the vital services the public rely on a less attractive target for ransomware groups.

Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom.

Source (emphasis mine)

Proponents of this law say that without incentive, hackers will not target these institutions since it is illegal to pay hackers. Adversaries will simply target other companies that are not outright banned from paying, and leave the high-value targets alone. Makes sense, right?

Critics of the law have a couple of points to raise. One, even if this campaign were successful, hackers would now target small and medium-sized businesses (SMBs) with more ferocity, and be more successful in those intrusions since their focus is on them. They may not be critical infrastructure, but there is still money to be made.

Another criticism is that hackers already don't care about illegality, and more than likely institutions will be left with the following situation:

> hacker: Pay me.
> admin@hospital: We can't. The law says we cannot pay you.
> hacker: Not my problem. Figure it out.

which is definitely plausible.

Finally, this law could actually lead to under-reporting: institutions that do not want to be fined or penalized for paying a ransom to restore operations would have an incentive not to disclose that they were breached at all.


Increase Your Security

Of course, this new law also puts pressure on the potential victims to invest in security hardening measures and training so as to not wind up staring at a crypto wallet address from "im2cool69". If they don't get hacked, they don't have to worry about the critical decision of eating the cost or paying the government.

However, critics of this law will highlight the fact that this is putting undue pressure on victims of an attack, who are already distraught and need critical operations to resume. Tying their hands and punishing them for what at the end of the day may amount to a "learn your lesson about clicking suspicious links" fee may be the wrong direction.



Reputation (Revisited)

Now we go back to reputation. If I'm a bad guy, I'm already doing bad things. I'm already hacking hospitals and schools and putting people's lives on hold for at least a few days (assuming strong backups). I'm not sure that just because my target says "it's illegal for me to pay you" that it's a deterrent. Technically, the whole conversation in itself is illegal because here you are talking to a dude doing illegal stuff!

It may come down to apathy from all parties, and now ransomware victims are the ones hurting on both ends: once from this ruthless entity holding them down and tying their hands, and once from the hacker (zing!).

For whatever semblance of a speck of a molecule of reputation that adversaries deploying ransomware try to maintain, it's all about decrypting after payment. How an organization scrounges the money together, who they have to report to, and the consequences they have to deal with after the fact are not the hacker's problem.




So there you are, at your nurse's mobile workstation, already hearing rumors that patients have to start finding another place to get care and that payroll will take at least three weeks to be back online. You start wondering about your family and if you'll be able to put food on the table in the coming days. You breathe a shaky sigh of anxiety and look down to see the haunting message staring back at you:
> hacker: Figure it out.


What do you think about this new law? Is it good? Bad? I think time will tell.

Feel free to reach out on LinkedIn to discuss further or drop an email to chris@sinclairsecurity. Until next time!
