The author and publisher have provided this e-book to you for your personal use only. You may not make this e-book publicly available in any way. Copyright infringement is against the law. If you believe the copy of this e-book you are reading infringes on the author's copyright, please notify the publisher at: us.macmillanusa.com/piracy.
To my husband, Alket Mrtiri
R.D.
To my wife, Kathy
D.G.
if once you have paid him the Dane-geld
You never get rid of the Dane.
RUDYARD KIPLING, "Dane-geld," 1911
In a central London neighborhood where affluence hides pockets of poverty, immigrant families from Pakistan, India, and Eastern Europe pin their hopes for their children on a small, publicly funded school. About 150 students ages five to ten attend the school, which was built more than a century ago in the Victorian style, with a brick facade and high arched windows. A modest playground adjoins a church. Many of the parents are on public assistance (or, as the English say, on the dole), and the free lunch and midmorning snack that the school provides are often their children's only meals. Even as the coronavirus pandemic ravaged the area in 2020, blitzing through public housing and terraced apartments where students' families slept four to a room, the school stayed open, its masked teachers rearranging chairs to preserve as much social distance as possible.
On a shoestring budget, in a building that's showing its age, the school gives the children a solid education and helps them adjust to English life and culture. Teachers track the students' progress by photographing them as they learn how to hold a pencil, draw a picture, or write their name. The snapshots are uploaded to a server, a powerful computer that processes data and provides services for other devices. Because teachers photograph each child in their class at least twice a week, and the system has been in place for several years, the server stored hundreds of thousands of photos.
Matthew, an affable Englishman in his early forties with dirty-blond hair and a stubble beard, has guarded this irreplaceable trove of data on every child's learning since 2016. Although the school can only afford to pay him a few thousand pounds a year as a contractor, he is devoted to its people and mission.
Around 9:00 p.m. on Monday, November 23, 2020, someone from the school emailed Matthew that its website was down. He tried logging on but couldn't. At first, he thought he had forgotten the password. After several attempts, he realized that he was locked out. "Something's gone wrong here," he told his girlfriend, Xiao, who was sitting next to him at their kitchen table.
By 2:00 a.m., he was desperate enough to contact the help desk of the company that hosted the server. He obtained a new server and connected it to the school. With the fresh setup, Matthew could see the files listed in the directories, though he still couldn't open them. They had been renamed with the file extension .encrypt. To his horror, he realized that the school had been hit by ransomware, one of the world's most pervasive and fastest-growing cybercrimes. An unholy marriage of hacking and cryptography, ransomware penetrates computers and renders files inaccessible without the right decryption key. The hackers then demand a hefty price for the string of characters that can unlock the information.
Evading Matthew's defenses, the hacker had entered the school's system through a web portal that teachers used for content management. An update was available, but Matthew, who manages information technology for a variety of clients and is so busy that he doesn't always remember to patch vulnerable software, hadn't installed it.
"I didn't follow my own advice. I was so frustrated, and so embarrassed," he said. "I felt like someone punched me in the stomach."
As the English novelist and essayist George Orwell once observed, "The history of civilization is largely the history of weapons." Today, digital weapons are reshaping the world, and ransomware poses what may be the greatest threat of all. It's more efficient and profitable than other cybercrimes like identity theft, and what makes it even more alarming is that criminals haven't fully exploited its potential for money and mayhem.
The frequency and the impact of ransomware attacks are widely understated because many victims don't make them public or inform authorities. But in recent years, hundreds of strains, with odd names like Bad Rabbit and LockerGoga, have paralyzed the computer systems of millions of companies, government offices, nonprofit organizations, and individuals. Exploiting society's near-total dependence on computers, criminal hackers demand thousands, millions, or even tens of millions of dollars to restore operations.
During the COVID-19 pandemic, a wave of cyberextortion crippled hospitals and other vital services, shuttered businesses and schools, and further isolated people from relatives, friends, and coworkers. Matthew saw a parallel between the two epidemics.
"It was kind of ironic, the computer virus at the same time as the real virus," Matthew said. "Both extremely contagious and virulent."
As he sifted through the digital wreckage, Matthew found a note. Titled "Hack for Life," it read in part:
All Your Files Has Been Locked! The structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them. It is the same thing as losing them forever, but with our help, you can restore them.
We can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay. after 2 Days Decryption Price will be Double. And after 1 week it will be triple Therefore, we recommend that you make payment within a few hours.
This wasn't Matthew's first brush with ransomware. He had also worked for a software company that was attacked in 2018. For two days, he tried to recover the company's data without paying the hackers. Fearing that its reputation would suffer and investors would panic if the incident were to become public, the company grew tired of waiting and instructed Matthew to pay the 2-bitcoin ransom (about $10,000 at the time). He received the key to unlock the files, and the company moved on quietly.
What was a hiccup for a prosperous business was a potential catastrophe for a cash-strapped public school. "It would have made the assessments for the children impossible," Matthew said. "It would have cost the teachers months of work. They would have had to start from scratch. The government inspectors would have failed the school."
That night, he couldn't sleep. The next day, he alerted his superiors, who authorized him to negotiate with the attackers. The school appeared to have no choice but to reward criminals, incentivizing them to target more schools. In the meantime, Matthew and his bosses would keep the attack secret. They wouldn't report it to law enforcement, for fear of tarnishing the school's reputation. They offered an all-purpose explanation to teachers and parents who couldn't access photos or instructional materials: the system was down.
The ransom note hadn't named a price. "How much to decrypt my PC?" Matthew wrote to a Gmail address specified by the hackers.
"You have to pay 10000 euro," came the reply. "Today 10000. Tomorrow 15000. Another two days 20000."