ransomware

description: Program that locks files until a sum of money is paid

76 results

The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World From Cybercrime

by Renee Dudley and Daniel Golden  · 24 Oct 2022  · 392pp  · 114,189 words

invitation. Top cybersecurity minds from the United States and Europe were gravitating to BleepingComputer, eager to devote their skills and ingenuity to battling the growing ransomware threat. Overcoming barriers of language and geography, they were starting to work together and become familiar with one another’s unique skills. Michael threw

Twitter, Fabian and Sarah began following a secretive Hungarian researcher known online as MalwareHunterTeam. In his late twenties, MalwareHunterTeam has decrypted more than a dozen ransomware strains and helped break even more. He is distrustful of authority, from governments to banks, and extremely superstitious. “Little recommendation that is very important,”

as possible. * * * As Fabian prepared for his departure from Germany, Michael found himself in a strange situation—collaborating for the first time with a ransomware gang. An Italian computer engineer, Francesco Muroni, had contacted Michael to explain that he had discovered a vulnerability in a strain called BTCWare, which targeted

where victims sent money. Eventually, the affiliate application process became competitive. The most ambitious gangs began to prefer affiliates with the expertise to get their ransomware inside large corporate, government, education, and healthcare targets that had much deeper pockets than home users. In job ads, prospective “employers” outlined specific qualifications,

victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated. Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted up or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab

, “cryptor” providers ensured that ransomware could not be detected by standard anti-malware scanners. “Initial access brokerages” specialized in stealing credentials and finding vulnerabilities in target networks, and sold that

access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to

robbed tens of millions of dollars from municipalities, banks, companies, and nonprofit organizations across the United States. Still, Yakubets thought he could do better. As ransomware surged, Yakubets—whose online moniker, coincidentally, was “aqua”—became fluid. He allegedly led a group of co-conspirators who developed and deployed malware called Bugat

I can break anything.” Still, neither his exasperation with the constant badgering from victims nor his financial, marital, and medical woes deterred him from hunting ransomware. He and BloodDolly repeated their early TeslaCrypt triumph with other strains, notably WhiteRose. It hacked computers that used the Windows Server 2003 operating system,

that retrieved the key automatically when a victim uploaded a file pair. Reducing the constant demands from STOPDjvu victims freed him up to crack other ransomware strains. * * * Inevitably, as victims stopped paying, STOPDjvu’s creators would realize that yet another variant had been cracked. They finally replaced the symmetric encryption

find jobs that accommodate their needs, or they come across poorly in interviews because they avoid eye contact or miss social cues. But, as several Ransomware Hunting Team members demonstrate, neurological differences can be associated with exceptional abilities in mathematics, problem-solving, and concentration. Marijn believed that diversifying the HTCU’s

might do something embarrassing, like attempt to subpoena publicly available information “because they just didn’t know any better.” In the FBI, investigations into specific ransomware strains were organized by field office—for example, Anchorage, Alaska, investigated complaints related to Ryuk while Springfield, Illinois, investigated those involving a strain called Rapid

organizations, industrial companies, and the transportation sector were bearing the brunt of the attacks. In September of that year, the bureau convened its first-ever Ransomware Summit in an auditorium at Carnegie Mellon University in Pittsburgh. Insurers, lawyers, and employees of antivirus companies and incident response firms joined representatives from the

enforcement. Other experts, though, disputed the theory. Whatever RobbinHood’s identity or country of origin, the hacker’s cryptography was solid. As usual, the Ransomware Hunting Team scrutinized the unfamiliar strain. MalwareHunterTeam tracked down a sample of RobbinHood’s code on VirusTotal, the malware database. Vitali Kremez, who would soon

* * * While Melissa and Sheryl pushed to get Baltimore back on track, federal officials bickered about whether and how much they should help. Soon after the ransomware attack, the same assistant to Representative Ruppersberger who had discussed the city’s preparedness with Frank Johnson contacted DHS’s Cybersecurity & Infrastructure Security Agency (CISA

greatest hits: “It’s impossible to recover your files without private key and our unlocking software. You can google Baltimore city, Greenville city and RobbinHood ransomware.” In the meantime, Baltimore was digging out. Where backups were available and uncorrupted, technicians recovered encrypted files. They examined computers of ten thousand employees,

$460,000, respectively. The next month, the U.S. Conference of Mayors unanimously adopted a resolution sponsored by Jack Young against paying ransoms. “Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit,” the resolution read. It wasn’t binding, and many cities still bowed to

“party person.” At first, Proven Data specialized in recovering information from broken hard drives, cameras, and other hardware. Around 2015, its business model shifted. As ransomware proliferated and calls poured in from prospective clients seeking help releasing their encrypted files, Proven Data began promising to help victims by unlocking their data

long title,” Witherspoon said. “He seems to know a lot.” The titles on Green’s email signature—none of which are formal industry credentials—included “Ransomware Recovery Expert,” “Cyber Counterterrorism Expert,” “Cyber Crime Prevention Expert,” and “Cyber Intelligence Threat Specialist.” Actually, nobody named Zack Green worked at MonsterCloud. Zohar acknowledged

condition of coverage, the same way fire insurance companies require commercial buildings to have sprinklers. Insurers developed a streamlined system for handling the explosion in ransomware claims, coordinating cadres of lawyers, consultants, negotiators, and other vendors. They typically provided policyholders with a toll-free number to call as soon as

more,” she said. Her fears soon became reality. Hackers began targeting insured victims, demanding unprecedented eight-figure ransoms. Beazley, for one, ended 2019 with 775 ransomware incidents, up 131 percent from the prior year. Before encrypting victims’ systems, Beazley found, hackers ran keyword searches for terms such as “insurance.” Then

targets,” Nefilim messaged Lawrence. “We never target non-profits, hospitals, schools, government organizations.” Gathering the responses, Lawrence wrote an article for BleepingComputer under the headline “Ransomware Gangs to Stop Attacking Health Care Orgs During the Pandemic.” Its lead art was a rendering of a dove interlaced with an EKG readout forming

among patients and providers across the United States. The timing suggests that Ryuk was avenging one of the biggest and most damaging actions taken against ransomware. Since 2018, Microsoft’s Digital Crimes Unit—consisting of more than forty full-time investigators, analysts, data scientists, engineers, and attorneys—had been investigating

released eighteen free decryptors, saving individuals and businesses more than $100 million in ransom. Bitdefender was especially effective in countering GandCrab, a notorious and pervasive ransomware gang that liked to taunt security researchers by including their names in the code. After European law enforcement penetrated GandCrab’s command-and-control servers

global cyber insurance market, advised members of its syndicate against taking on cyber business. European cybersecurity regulators had an additional tool to bolster defenses against ransomware attacks. The 2018 General Data Protection Regulation (GDPR) required companies located in European Union countries or doing business there to improve cybersecurity, report data

from the authorities,” BlackMatter announced it was shutting down. Its affiliates shifted existing victims to another gang’s site to continue negotiating ransom payments. * * * The ransomware battle was escalating on both sides. The attackers were getting savvier. Their cryptography was improving, and they were picking targets more shrewdly and with a

-an-interview-with-revils-unknown/. Underworld ancillary: Author interviews with John Fokker. “headache to this”: Panel discussion on Day 4 of the FBI Cyber Division Ransomware Summit, September 2020. The cybercrime mastermind: “Maksim Viktorovich Yakubets,” FBI Most Wanted, fbi.gov/wanted/cyber/maksim-viktorovich-yakubets. malware spree: “Russian National Charged

T Psychologists Discover Enhanced Language Learning in Synesthetes,” University of Toronto News, May 15, 2019. $30 million in losses: “Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing over $30 Million in Losses,” U.S. Department of Justice, press release, November 28, 2018. “You

rRv5vTctePE. Caesar cipher: “Caesar Cipher,” Practical Cryptography, practicalcryptography.com/ciphers/caesar-cipher/. CryptoTester: For a more in-depth description, see Michael Gillespie’s video, “Analyzing Ransomware—Using CryptoTester,” YouTube, December 1, 2018, youtube.com/watch?v=vo7_ji3kd8s. prestigious Turing Prize: Eric Mankin, “Len Adleman Wins Turing Prize,” USC Viterbi School

-baltimore-mayor-jack-young-says-city-working-to-resume-services/. “I believe the federal government”: “Ruppersberger Provides Direction for New Funds to Help Cities Prevent Ransomware Attacks,” U.S. Congressman Dutch Ruppersberger, press release, June 11, 2019, ruppersberger.house.gov/newsroom/press-releases/ruppersberger-provides-direction-for-new-funds-to-

Cybersecurity & Infrastructure Security Agency, Alert (AA20-345A), December 10, 2020, cisa.gov/uscert/ncas/alerts/aa20-345a. catastrophic: McKenna Oxenden, “Baltimore County Schools Suffered a Ransomware Attack. Here’s What You Need to Know,” Baltimore Sun, November 30, 2020. servers weren’t properly isolated: “Financial Management Practices Audit Report: Baltimore County

Disrupting the Trickbot Botnet,” Krebs on Security, October 2, 2020, krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/. “an increased and imminent”: “Ransomware Activity Targeting the Healthcare and Public Health Sector,” Cybersecurity & Infrastructure Security Agency, Alert (AA20-302A), October 28, 2020, cisa.gov/uscert/ncas/alerts/aa20-302a

France,” Insurance Journal, May 9, 2021, insurancejournal.com/news/international/2021/05/09/613255.htm. Asia division: Reuters staff, “AXA Division in Asia Hit by Ransomware Cyber Attack,” Reuters, May 16, 2021. “the rising threat”: Lyle Adriano, “AIG Reducing Cyber Limits as Costs Rise,” Insurance Business, August 9, 2021, insurancebusinessmag

dead/. “the most effective treatment”: “Preeclampsia: Symptoms & Causes,” Mayo Clinic, mayoclinic.org/diseases-conditions/preeclampsia/symptoms-causes/syc-20355745. ACKNOWLEDGMENTS When Renee started reporting on ransomware in 2018, neither she nor Dan, her editor, had ever heard of Michael Gillespie. Mentions of him in the news were scarce. Yet nearly every

and family histories with unflinching candor, often answering questions directed to her more reserved husband. We’re also grateful to the other members of the Ransomware Hunting Team—especially Lawrence Abrams, Fabian Wosar, and Sarah White—for their remarkable generosity with their time, their vivid recollections, and their descriptions of

, the terms that appear in the print index are listed below. Abrams, Lawrence; BleepingComputer founded by; early life of; FBI and; Maze and; in Ransomware Hunting Team formation; TeslaCrypt and; truce of; Zbot and ACCDFISA Adleman, Leonard Adrian AdvIntel Agutin, Leonid AIDS, AIDS Trojan algorithms Allied Universal Amazon Web Services

Unready European Union (EU) Europol Evans, Christopher Evil Corp EvilTwin Exotic Fabiansomware Facet Technologies FBI (Federal Bureau of Investigation); Abrams and; Gillespie and; Popp and; Ransomware Summits of; REvil and; Wosar and Federal Security Service (FSB) Federal Trade Commission (FTC) FedEx Fell, Jesse Ferrante, Anthony Feynman, Richard Fin7 Flashpoint Fokker,

see HTCU Hogan-Burney, Amy Holden, Alex Holdtman, Alex Horn, Kimberly Horst, Yvonne HTCU (High Tech Crime Unit) Huffman, Bart Hutchins, Marcus hybrid encryption ID Ransomware; launching of Informant!, The Ingraham, Al initial access brokerages insurance companies Insurance Information Institute Iran ITvitae Jackson, Ron Jackson, Sherry Jacobs, Dave Jaspers, Matthijs JBS

Jebsen, Johann-Nielsen “Johnny” Jigsaw Johnson, Frank Justice Department; Ransomware Task Force of; see also FBI Kabina, Igor (BloodDolly) Kaseya Kaspersky Lab Kennedy, John F., Jr. Kenneth Cole keys KGB Kidd, Teiranni Kidnap (Shortland) kidnapping

Data Recovery pseudorandom number generators public keys Pugh, Catherine Putin, Vladimir Quanta Computer Radamant Ragnar Locker random numbers RansomNoteCleaner ransomware ransomware-as-a-service ransomware gangs Ransomware Hunting Team; formation of ransomware insurance ransomware negotiation and payment Ransomware Summits Rapid Recorded Future Reedy River oil spill REvil Ripley, Terri Rivero López, Marc Rivest, Ron Rivlin, Geoffrey

email updates on Daniel Golden, click here. CONTENTS Title Page Copyright Notice Dedication Epigraph Introduction: “Are You Indeed a Barbarian?”   1.  The Man Who Invented Ransomware   2.  The Superhero of Normal, Illinois   3.  The Hunters Gather   4.  The Funny War   5.  The Price of Obsession   6.  Stopping STOP   7.  Ryuk

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

by Andy Greenberg  · 5 Nov 2019  · 363pp  · 105,039 words

them. Only once the victims forked over the ransom—within a prescribed time limit—would the extortionists send a key to decrypt their data. Some ransomware schemes had become so professional that they even included live customer support, increasing the likelihood of payment by reassuring victims that they would actually receive

certain piece of bank-fraud malware. He found a crisis unfolding. The British National Health Service was being ambushed with a ransomware outbreak. And this wasn’t the normal criminal ransomware that was increasingly targeting critical institutions like hospitals and police departments, encrypting their data and holding it hostage. This was something

hours over seven days until the hackers would delete the files’ decryption keys, leaving the computers’ data permanently, irrevocably scrambled. Researchers were calling the new ransomware WannaCry—an evocative name based on the .wncry extension it added to the file names after encrypting them. And soon it became clear exactly why

-flung as universities in China and police departments in India. The United States had, by sheer luck, largely been spared so far. But as the ransomware wave swelled, it was a matter of hours or even minutes until America would be engulfed, too. The nightmare of an uncontrolled NSA-zero-day

-propelled worm wreaking havoc across the world had come to pass. And the result was the worst ransomware outbreak anyone had ever seen. “I picked a hell of a fucking week to take off work,” Hutchins wrote on Twitter. * * * ■ A hacker friend who

code, and Hutchins quickly began trying to dissect it. First, he spun up a simulated computer on his server, complete with fake files for the ransomware to encrypt, and ran the program in that quarantined test environment. He immediately noticed that before encrypting the fake files, the malware sent out a

his kill switch worked. Hutchins reacted in a way that perhaps no one ever before in history has reacted to seeing his computer paralyzed with ransomware: He leaped up from his chair and jumped around his bedroom, overtaken with joy. * * * ■ The goal of WannaCry’s creators remains a mystery. Were they

seeking to make as much money as possible from their supercharged ransomware scheme? Or merely to inflict maximal global chaos? Either way, building a kill switch into their malware seemed like a strangely sloppy act of self

-sabotage. The WannaCry programmers had been careless in other ways, too. The payment mechanism built into their code was, effectively, useless: Unlike better-designed ransomware, WannaCry had no automated system for distributing decryption keys to victims who had paid, or even keeping track of who had paid and who hadn

it’s under the researcher’s microscope, it turns off its malicious features and behaves entirely innocently. Of course, if that was in fact the ransomware programmers’ thinking, they’d been far too clever for their own good. The result was that the mechanism designed to make their feature appear harmless

’s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. The company had told ISSP that it was facing a ransomware infection, hardly an uncommon crisis for companies around the world targeted by cybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central

“oops, your files are encrypted” ransom screen demanding $300 in bitcoins. After an examination of the bank’s surviving logs, Yasinsky could see that the ransomware attack was an automated worm. It looked vaguely like WannaCry, but different: It wasn’t merely scanning the internet at random and infecting any vulnerable

him that another victim had experimented with paying the worm’s ransom. As Yasinsky already guessed, the payment had no effect. This was no ordinary ransomware. “There was no silver bullet for this, no antidote,” he said. And unlike WannaCry, there was no kill switch. A thousand miles to the south

’s WannaCry outbreak. Researchers at Kaspersky noted that the new malware’s code somewhat resembled a piece of criminal ransomware called Petya that had been circulating since early 2016. Like that older ransomware, when this specimen infected a new machine, it immediately set about encrypting the computer’s so-called master file

who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack. But the new ransomware was distinguished from that earlier criminal code by crucial modifications—hence its name. Within twenty-four hours, a French security researcher named Matthieu Suiche would

was a massive bombing of all our systems,” Minister of Infrastructure Omelyan said. That night, the outside world was still debating whether NotPetya was criminal ransomware or a weapon of state-sponsored cyberwar. But ISSP’s Oleksii Yasinsky and Oleh Derevianko had already started referring to it as a new kind

.” To get a sense of what that $10 billion in damages means on the spectrum of cyberattacks, consider that when a nightmarish but more typical ransomware attack paralyzed the city government of Atlanta in March 2018, it cost an estimated $17 million. In other words, less than a fifth of a

had been the carrier for a different infection he’d discovered in May 2017. Five days after WannaCry, he’d found that a piece of ransomware known as XData seemed to be spreading via that ezvit executable file, using Mimikatz but not EternalBlue. At the time, he thought that victims were

perhaps being tricked into installing a malware-tainted version of M.E.Doc, the sort of spoofing that hackers often use to infect victims with ransomware and other criminal code. He’d warned M.E.Doc’s developers at Linkos Group in an email, received a brief acknowledgment, helped ESET to

that had carried NotPetya out into the world. It was now clear the same hackers had hijacked M.E.Doc’s updates to spread a ransomware worm at least twice, first XData in May, and then the vastly more virulent NotPetya in June. But then Cherepanov started to make other connections

been a Russian government operation. Vesselin Bontchev, a security researcher at the Bulgarian Academy of Sciences, has highlighted errors in the coding of NotPetya’s ransomware component that he argues must be the work of unsophisticated hackers, not Russian government agents, though he notes that the M.E.Doc backdoor does

Cherepanov was sitting in the same seat in the same Houston room of ESET’s headquarters when he once again began to receive screenshots of ransomware messages taken from the security company’s eastern European customers. This time those messages had the unexplained words “BAD RABBIT” displayed above their demand that

sites in Russia, Ukraine, Bulgaria, and Turkey and planted code on their pages that asked visitors to install a fake Flash software update containing the ransomware. That technique seemed crude and sloppy compared with the powerful, Ukraine-focused backdoor that had carried NotPetya’s payload. But there was little doubt that

the security firm CrowdStrike would find other apparent Russian fingerprints: the version of the programming language C++ the Olympic malware used matched Sandworm’s XData ransomware, for instance, as well as its mechanism for handling the credentials it stole from victim machines. But as malware analysts dug deeper, the clues became

), Dec. 13, 2016, www.welivesecurity.com, archived at bit.ly/2B6Lgc3. “We are sorry”: Chris Bing, “Early Indications Point to Sandworm Hacking Group for Global Ransomware Attack,” Cyberscoop, June 30, 2017, www.cyberscoop.com. CHAPTER 18 POLIGON “This expensive light flicking”: The Grugq, “Cyberwar via Cyberwar During War,” Risky Business, March

Shadow Brokers’ release: “DoublePulsar,” Binary Edge (blog), April 21, 2017, blog.binaryedge.io, archived at bit.ly/2RNPiAq. Researchers were calling the new ransomware WannaCry: Jakub Křoustek, “WannaCry Ransomware That Infected Telefonica and NHS Hospitals Is Spreading Aggressively, with over 50,000 Attacks So Far Today,” Avast (blog), May 12, 2017, blog

, Oct. 24, 2017, www.nao.org.uk. The Spanish telecommunications firm: Agamoni Ghosh and India Ashok, “WannaCry: List of Major Companies and Networks Hit by Ransomware Around the Globe,” International Business Times, May 16, 2017, www.ibtimes.co.uk. “I picked a hell of a fucking week”: Marcus Hutchins, Twitter post

, “WannaCry: Hackers Withdraw £108,000 of Bitcoin Ransom,” Guardian, Aug. 3, 2017, www.theguardian.com. Perhaps its creators had been testing: Andy Greenberg, “The WannaCry Ransomware Hackers Made Some Real Amateur Mistakes,” Wired, May 15, 2017, www.wired.com. Within days, security researchers at Google: Andy Greenberg, “The WannaCry

Ransomware Has a Link to North Korean Hackers,” Wired, May 15, 2017, www.wired.com. By December 2017, the Trump White House: “Press Briefing on the

Car Bomb in Kiev,” Guardian, June 27, 2017, www.theguardian.com. Instead, its extortion messages seemed: Matt Suiche, “Petya.2017 Is a Wiper Not a Ransomware,” Comae blog, June 28, 2017, blog.comae.io/, archived at bit.ly/2UjSdxI. It crippled multinational companies: Eduard Kovacs, “NotPetya Attack Costs Big Companies Millions

Ten-Day Reinstallation Bliz,” Register, Jan. 25, 2018, www.theregister.co.uk. “Without computers these days”: Hamza Shaban and Ellen Nakashima, “Pharmaceutical Giant Rocked by Ransomware Attack,” Washington Post, June 27, 2017, www.washingtonpost.com. In its financial report: “Merck & Co. (MRK) Q3 2017 Results—Earnings Call Transcript,” Seeking Alpha, Oct

NotPetya,” sidebar to “The Code That Crashed the World,” Wired, Aug. 2017, www.wired.com. To get a sense of what: Kate Fazzini, “The Landmark Ransomware Campaign That Crippled Atlanta Last March Was Created by Two Iranians, Says DoJ,” CNBC, Nov. 28, 2018, www.cnbc.com/. One woman, fifty-six-year

-old: “Heritage Valley Health, Drugmaker Merck Hit by Global Ransomware Cyberattack,” Associated Press, June 27, 2017, www.post-gazette.com. He points to a New England Journal of Medicine: Anupam B. Jena et al., “Delays

.S. Power Grid Controls,” Wired, September 6, 2017, wired.com. CHAPTER 34 BAD RABBIT, OLYMPIC DESTROYER It contained fully 67 percent: Dan Raywood, “The Rabid Ransomware Bunnies Behind #BadRabbit,” Infosecurity, Oct. 25, 2017, www.infosecurity-magazine.com. CHAPTER 35 FALSE FLAGS In the run-up to the Olympics: Andy Greenberg, “Hackers

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth  · 9 Feb 2021  · 651pp  · 186,130 words

and obliterated computers at the Las Vegas Sands casino after Sands CEO Sheldon Adelson publicly goaded Washington into bombing Iran, and—in a wave of ransomware attacks—Iranian cybercriminals had held American hospitals, companies, entire towns hostage with code. North Korea had torched American servers simply because Hollywood had offended

stockpiles of cyberweapons in the process. Microsoft, more than any other company, was increasingly being weaponized by nation-states and authoritarian regimes for espionage, surveillance, ransomware, and, in the case of Stuxnet, the most destructive attack the world had ever seen. Stuxnet and Aurora had been wake-up calls, but

on gurneys, told their surgeries would have to be postponed to another day. Nearly fifty British hospitals had come under assault from the most vicious ransomware attack to hit the internet. It was the middle of the night when my phone started rattling. “Are you seeing this?!” the messages read.

“British health system down!!” By the time I was vertical, ransomware attacks were detonating across the globe. Russian railroads and banks, Germany’s railway, French automaker Renault, Indian airlines, four thousand universities in China, Spain’s

decryption service.” Across the world, people started ripping their computers out of the wall. But often it was too late. The speed of the ransomware was like nothing security researchers had ever seen. Some started live-tracking the infections on a map. Within twenty-four hours, 200,000 organizations in

officials at the state’s powerful Interior Ministry initially denied it, over a thousand Ministry computers had been roasted. As analysts started dissecting the ransomware code, they dubbed the attacks WannaCry—not because the word perfectly encapsulated the way so many victims felt—but because of a tiny snippet left

. Once that became clear, victims stopped paying. WannaCry netted less than $200,000 in payouts, a pittance compared to the millions of dollars professional ransomware cybercriminals were making a month. Secondly, and fortunately for the victims, the attackers had also unwittingly baked a kill switch into their code. Within hours

service, and media companies were all displaying a familiar ransom message. In the first hours of the campaign, researchers believed that the attack was from ransomware known as Petya—a reference to the James Bond film GoldenEye, in which top-secret Soviet satellites armed with nuclear warheads, one nicknamed Petya,

citizens around the world about the threat posed by criminal, malicious cyber activity, but the characterization that there’s an indefensible nation-state tool propagating ransomware is simply untrue,” Rob Joyce, who headed the NSA’s hacking programs, told an audience in the days after our story broke. Joyce was

wordsmithing. As investigators would soon discover, Baltimore had actually been hit by multiple attacks. One assailant locked up its systems with ransomware; another detonated EternalBlue to steal data. Joyce and others in the exploit trade placed the onus on Baltimore for not patching their systems, and seized

assistance in their elections as its own kind of interference. But in 2019, all one had to do was look at the record number of ransomware attacks crippling American counties, towns, and cities to understand just how vulnerable they were. More than six hundred American towns, cities, and counties were

held hostage by ransomware attacks between 2019 and 2020. Cybercriminals were not just hitting big cities like Albany and New Orleans, but smaller counties in swing states like Michigan

reconfigured, and tossed out; police departments were relegated to pen and paper. Officials and security experts shuddered to think about the impact a well-timed ransomware attack on voter lists, registration databases, or secretaries of state could have come November 3. “The chance of a local government not being hit while

to their extortionists, who never returned their data. At first glance, the attacks hitting American towns and cities appeared to be run-of-the-mill ransomware. But starting in the fall of 2019, it was clear many were multistage attacks. Hackers were not just locking up victims’ data, they were

targets left telling clues behind. Scattered among attackers’ code were Russian language artifacts. And perhaps most telling of all was that they specifically designed their ransomware to avoid infecting Russian computers. The code searched for Cyrillic keyboard settings and when it found them, moved right along—technical proof they were abiding

by Putin’s first rule: no hacking inside the Motherland. By 2019, ransomware attacks were generating billions of dollars for Russian cybercriminals and were becoming more lucrative. Even as cybercriminals raised their ransom demands to unlock victims’ data

local officials—and their insurers—calculated it was still cheaper to pay their digital extortionists than to rebuild their systems and data from scratch. The ransomware industry was booming and—with all that loot pouring into Russia—intelligence officials found it inconceivable that the Kremlin was not aware of, exploiting, or

we inched closer to the 2020 election. “Russia’s cybercriminals are treated as a national asset who provide the regime free access to victims of ransomware and financial crime. And in exchange, they get untouchable status. It’s a protection racket and it works both ways.” Officials furnished no proof.

But that fall, as ransomware attacks took down one American town after another, they came to fear the ransom elements were smokescreens for deeper probes of counties that might make

their worst nightmare almost realized. The week of Louisiana’s governor election, cybercriminals held Louisiana’s secretary of state’s office hostage in a ransomware attack that would have upended the election had local officials not had the foresight to separate Louisiana’s voter rolls from their broader network. Louisiana

the FBI feared, a preview for 2020. In the months that followed, the FBI sent confidential missives to field agents across the country, warning that ransomware would “likely” take out America’s election infrastructure. As to whether those attacks were the work of opportunistic profiteers, a more calculated state adversary, or

and politicians on both sides of the aisle. And while it still was not clear what, if any, role the Kremlin was playing in the ransomware attacks, the attacks were getting worse. TrickBot’s developers were now cataloging American municipalities they had access to, selling anyone who wanted it a paint

one night but would be slow-rolled over several days, weeks even, forming an ever-widening attack surface. And it made the threat of a ransomware attack on the registration systems, the post office, voter signature verification, and tabulation and reporting systems that much more chilling. In Redmond that September,

Microsoft’s Tom Burt stewed over the ransomware attacks on American towns and cities. Just that month, a Texas company that sells software that some cities and states used to display election results

to their clients systems, raising fears that their assailants were out for something more than just a quick profit. Burt had been watching the ransomware attacks with growing unease. The catalyst was seeing that TrickBot’s operators had added surveillance capabilities that allowed them to spy on infected officials and

Georgia, the Los Angeles Times, New Orleans, state agencies in Louisiana, and just that month, one of the largest medical cyberattacks in history after ransomware delivered via TrickBot hijacked more than four hundred hospitals in the middle of the pandemic. Burt had put together a team of security executives and

lashed out, shifted to new tools, and retaliated on American hospitals. They traded lists of some four hundred American hospitals they planned to target with ransomware, and slowly started hitting them one by one. This, with less than a week before the election, when hospitals were seeing a record spike

way, attacks were already surfacing: In Georgia, a database that verified voter signatures on their mailed ballots was locked up by Russian hackers in a ransomware attack that also dumped voters’ registration data online; in Louisiana, the National Guard was called in to stop cyberattacks on smaller government offices that

a human error that was quickly caught and fixed. But, miraculously perhaps, there was no evidence of outside interference, no fraud or even a single ransomware attack that day. Every three hours, CISA officials debriefed reporters on what they were witnessing, and while they stressed that “we are not out

. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities, and, more recently, our gas pipelines have been held hostage with ransomware. We have caught foreign allies repeatedly using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus

mistake of assuming that because this data is public, it does not need to be protected. Voter registration databases could be locked up with ransomware or manipulated for digital disenfranchisement. All it would take is a hacker slipping into a key district’s list to remove registered voters or modify

that identify critical infrastructure, set voluntary “best practices” for operators, and encourage the sharing of threat intelligence. These are well intentioned, but so long as ransomware continues to pummel our hospitals and local governments, we must do more. We could start by passing laws with real teeth that mandate, for instance

with my Times colleague Quentin Hardy. Michael Corkery and I later reported on North Korea’s attack on the Central Bank of Bangladesh. Iran’s ransomware attacks on American hospitals, companies, and towns were detailed in a November 2018 Department of Justice indictment, though nobody has been extradited or arrested.

, “Hackers Hit Dozens of Countries Exploiting Stolen NSA Tool,” New York Times, May 12, 2017, and Perlroth, “More Evidence Points to North Korea in Ransomware Attacks,” New York Times, May 22, 2017. Homeland Security Adviser Thomas Bossert first addressed the WannaCry attacks on ABC’s Good Morning America: “Unprecedented Global

in the Baltimore attack. As it turned out, Baltimore had been hit by multiple attacks, one of which involved EternalBlue and another that involved a ransomware called Robinhood. Investigators at Microsoft, which has the best telemetry into EternalBlue’s presence on its systems and contracted with the city of Baltimore,

Acronis Security Blog, June 24, 2019, and Sam Smink, “Village of Palm Springs confirms cyberattack,” West Palm Beach TV, June 20, 2019. The details linking ransomware attacks to Russian cybercriminal outfits have been documented by various security firms over the years. For an early account, see Kaspersky, “More than 75 Percent

the leaks at the time of this writing. Among the FBI documents included in the dump, was a May 1, 2020, report detailing two specific ransomware attacks, the first in Louisiana in November 2019, the other in Tillamook County, Oregon, in January 2020, that affected election infrastructure. The FBI report

ominously concluded it was likely ransomware attacks would have an impact on American election infrastructure as the 2020 elections neared. For numbers on the rise of cyberattacks during the Covid-19

NSA in, here NSA zero-day exploits, use of, here nuclear weapons policy, here surveillance technology/spyware, here targeting dissidents in, here, here, here WannaCry ransomware in, here, here zero-day hoarding, here China, cyberattacks costs of, here human rights implications, here, here limiting, here media, here outsourcing, here proving,

, here legislating protections, here, here to NSA interference, here NSA’s creation of, here nuclear plants, here the people maintaining, here preparedness planning, here to ransomware, here to Russia, here, here, here Trump era, here without protections, here Inglis, Chris, here, here Instagram, here Intel, here, here Intel chips, here

Iran. See also Natanz nuclear plant (Iran), U.S.-Israeli attack on cyber army, here cyberwar, threat of, here infrastructure, U.S. attacks on, here ransomware attacks, here Suleimani assassination, retaliation for, here U.S. cyberattacks on, retaliation for, here Iran, cyberattacks 2020 presidential election, here Aramco, here, here, here,

(Nobody But Us) (NSA), here, here, here No More Free Bugs campaign, here Nooyi, Indra, here North Korea cyber capabilities, here EternalBlue, use of, here ransomware attacks, here Trump and, here North Korea, cyberattacks banking industry, here, here costs of, here Sony Pictures, here, here, here, here, here Northrop, here Northrop

(2016) Russian interference, here, here, here, here, here, here, here, here Trump’s Ukrainian theory, here presidential elections (2020) election security, here Iranian interference, here ransomware warnings, here Russian interference, here, here Pretty Good Privacy (PGP) software, here Prigozhin, Yevgeny, here Prins, Michiel, here, here Prism (NSA), here, here, here Pritchett

, here, here, here Ukraine invasion under, here U.S., warnings to the, here Pwn2Own hacking contest, here Qatar, here Q Group (NSA), here Qualcomm, here ransomware attacks, here, here, here Ratcliffe, John, here Rather, Dan, here Raymond, Eric S., here Raytheon, here Reagan, Ronald, here, here, here, here Reckitt Benckiser,

here economy, here election interference (2016), here, here, here, here, here, here, here, here election interference (2020), here EternalBlue, use of, here kompromat, here, here ransomware attacks, here Ukraine, invasion of, here U.S. cyberattacks on, here U.S. grid, vulnerability to, here, here U.S. grid attacks in, here U

.S. sanctions, here voter registration system hacks, here, here, here WannaCry ransomware in, here Russia, cyberattacks DNC, here, here, here, here, here, here, here, here outsourcing, here range of, here State Department, here, here TrickBot, here,

Attack of the 50 Foot Blockchain: Bitcoin, Blockchain, Ethereum & Smart Contracts

by David Gerard  · 23 Jul 2017  · 309pp  · 54,839 words

Dundee. That’s not a signature. Chapter 7: Spending bitcoins in 2017 Bitcoin is full: the transaction clog Bitcoin for drugs: welcome to the darknet Ransomware Non-illegal goods and services Case study: Individual Pubs Chapter 8: Trading bitcoins in 2017: the second crypto bubble How to get bitcoins From the

what would probably happen is that everyone would just pretend everything was fine, and keep speculating, buying drugs and paying to unlock their PCs from ransomware – there are already plenty of Bitcoin “whales” with enough coins to destabilise the price if they wanted to.) Since every Bitcoin transaction is visible on

, reaching an estimated $14.2 million in the month of January 2016188 (or $170 million a year). They were overtaken by ransomware some time in 2016 – the FBI estimates ransomware payments at $1 billion in 2016.189 All use cases, licit and illicit, are severely hampered by the perennial transaction backlog. Bitcoin

Bitcoin decals as even they have decided it’s bobbins.” – Karen Boyd, 2017. Darknet markets remain the most popular Bitcoin use case after speculation and ransomware. In 2014, darknet markets were estimated to have processed more bitcoins than all legitimate payment processors put together.200 Gwern Branwen has written extensively on

. In May 2017, AlphaBay, the largest darknet market, started offering Ethereum as an option204 – because Bitcoin was failing to serve its primary consumer use case. Ransomware Ransomware combines computer malware, encryption and anonymous payment systems. Malicious software spreads through email spam or exploiting computer security holes; it encrypts the files on your

victim) to get the key to unlock your system before the deadline of a few days. Bitcoin is now the payment channel of choice, but ransomware existed for decades before Bitcoin. The first extortion malware was the “AIDS Trojan” or “PC Cyborg Trojan” in 1989, which would hide in the AUTOEXEC

” pretended to be from the local police force and demanded payment by credit card.206 The 2013 “FBI MoneyPak” ransomware demanded payment via online money transfer services MoneyPak or Ukash. CryptoLocker, the first ransomware to use Bitcoin (though you could also pay by Moneypak or Ukash), showed up in September 2013. It

, and spawned many imitators. Security professionals I spoke to say that the reason for the explosion in ransomware from about 2015 on is not Bitcoin (as media reports often claim), but the ready availability of ransomware builders in malware kits from the hacker underground since that time – so that any script-kiddie

can use a kit to make their own ransomware. The best-known ransomware of late is probably WannaCry. The WannaCry attack of 12 May 2017 knocked out several NHS hospitals in the UK and companies around the

obtaining the bitcoins to pay the ransom – most exchanges have strong identity verification requirements, and often the delay before allowing trades is longer than the ransomware’s deadline. Not to mention the frequent delays getting Bitcoin transactions through at all. Bitcoins are so hard for normal people to use that from

CryptoLocker on, ransomware operators have been known to provide technical support to victims, so they can work out how to pay them and unlock their files. F-Secure

even compiled a customer service evaluation of ransomware gangs.207 Citrix ran a promotional survey in 2016208 and again in 2017209 suggesting that some UK companies were keeping Bitcoins on hand just in

not pay the ransom – they just spent the next day reimaging thousands of PCs afresh.212 Bitcoin seems to be the only cryptocurrency used by ransomware so far – though one WannaCry imitator mined the altcoin Monero on infected PCs.213 If you do get an apparent infection, it’s worth checking

it isn’t fake ransomware, that locks your screen and demands your money, but doesn’t bother with encrypting your files.214 The WannaCry attack was sufficiently egregious that some

uses are largely illegal. One exchange, Coin.mx, had even been charged in 2015 with money laundering violations for selling bitcoins to the victims of ransomware attacks, as this enabled the criminals to get paid for them – though this was as part of a long list of other money-laundering charges

$1180 to 6 cents (due to configuration errors on Coinbase’s GDAX exchange) was courtesy 100 BTC of trades.244 As well as drugs and ransomware, non-speculative usage includes various “Republic of Bitcoin” schemes run by the infamous Russian MMM concern, who perpetrated the largest Ponzi in history in the

been sent by you: you sign them with the address’s private key, and this is verified with the address (which is the public key). Ransomware: Computer malware that locks up your Windows PC and demands bitcoins to unlock it. Roger Ver: early Bitcoin advocate and anarcho-capitalist. Satoshi Nakamoto: the

prosecution futures 52 provably fair gambling 39 Provenance, Inc. 116 pump-and-dump 30 quantum computer 96 R3 Blockchain Consortium 111, 123 R3 Corda 123 ransomware 69, 72 RationalWiki 141 Reason (magazine) 31 Rebit.ph 29 Recording Industry Association of America 45 Recovery Right Token 86 Reddit /r/bitcoin 38, 69

Dujso, Stijn Hoorens. “Internet-facilitated drugs trade: An analysis of the size, scope and the role of the Netherlands”. Rand Corporation, 2016. [189] Herb Weisbaum. “Ransomware: Now a Billion Dollar a Year Crime and Growing”. NBC News, 9 January 2017. [190] “Frequently Asked Questions: Find answers to recurring questions and myths

June 2006. [206] “Why the police virus was so effective”. PC Advisor, 26 February 2013. [207] “New Ransomware Study Explores ‘Customer Journey’ of Getting Your Files Back”. F-Secure, 18 July 2016. [208] “Ransomware risk could cripple British businesses with many not ready, while others stockpiling bitcoins to pay up”. Citrix (press

release), June 2016. [209] Chris Mayers. “Ransomware in the UK: One year on”. Citrix blog, 6 June 2017. Citrix give

the questions and sample selection criteria in the comments. [210] “Incidents of Ransomware on the Rise: Protect Yourself and Your Organization”. FBI, 29 April 2016. [211] “Telstra Cyber Security Report 2017”. Telstra, 30 March 2017. [212] According to

up to displace it as cybercriminals’ favourite”. Reuters, 18 May 2017. [214] Fahmida Y. Rashid. “How to tell if you’ve been hit by fake ransomware”. InfoWorld, 29 April 2016. [215] “Manhattan U.S. Attorney Announces Charges Against Two Florida Men for Operating an Underground Bitcoin Exchange”. FBI (press release), 21

Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency

by Andy Greenberg  · 15 Nov 2022  · 494pp  · 121,217 words

paid a staggering $40 million to another cybercriminal group called Phoenix CryptoLocker that was holding its IT systems hostage. Chainalysis, too, was tracking the ransomware economy as it exploded beyond a silent, digital epidemic into a full-blown—if sporadic and unevenly distributed—societal crisis. In 2020, Chainalysis’s staff

had tracked no less than $350 million in total ransomware payments. Ransomware payouts in 2021 looked to be on pace to break that record. And even as companies like Chainalysis and Elliptic followed the path of those

. Even as bitcoin tracing’s investigative power reached its zenith, the tracers had found a form of crime they couldn’t control. * * * · · · How were ransomware gangs defying law enforcement’s efforts at tracing cryptocurrency transactions? Had the cleverest cyber extortionists somehow finally figured out how to skirt blockchain analysis somewhere

sometimes referred to as “privacy coins,” expressly designed to thwart blockchain analysis. As bitcoin tracing had become a standard tool within law enforcement agencies, ransomware operators had by 2021 increasingly begun demanding that victims pay not in that decade-old cryptocurrency but in another digital coin called Monero. Designed by

Breached Colonial Pipeline Using Compromised Password.” DarkSide’s extortion messages: Trend Micro Research, “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 12, 2021, trendmicro.com. Before encrypting the hard drives: Turton

. The blockchain analysis firm Elliptic: Tom Robinson, “Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims,” Elliptic, May 14, 2021, elliptic.co. CNA Financial had paid a staggering: Kartikay Mehrotra and William Turton,

It had recovered 63.7 of the 75 bitcoins: “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside,” Justice Department, June 7, 2021, justice.gov. In June 2021, The New York Times: Nicole Perlroth,

, nytimes.com. President Joe Biden himself brought up: Steve Holland and Andrea Shalal, “Biden Presses Putin to Act on Ransomware Attacks, Hints at Retaliation,” Reuters, July 10, 2021, reuters.com. The U.S. State Department announced: Ned Price,

“Reward Offers for Information to Bring DarkSide Ransomware Variant Co-conspirators to Justice,” State Department, Nov. 4, 2021, state.gov. DarkSide, for its part, had posted:

REvil Unplugged,” Europol, Nov. 18, 2021, europa.eu. The FBI recovered $6.1 million: “Ukrainian Arrested and Charged with Ransomware Attack on Kaseya,” Justice Department, Nov. 8, 2021, justice.gov. “Today, and now for the second time”: “Attorney

General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco, and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest,” Justice Department, Nov. 8, 2021, justice.gov. In an even more shocking turn: Dustin Volz and Robert

McMillan, “Russia Arrests Hackers Tied to Major U.S. Ransomware Attacks, Including Colonial Pipeline Disruption,” Wall Street Journal, Jan. 14, 2022, wsj.com. CHAPTER 49: GRAY ZONES By

, 248 Son Jong-woo arrest and, 269, 272 Welcome to Video case and, 246, 265–6, 275, 278, 281 Biden, Joe: cryptocurrency regulation by, 308 ransomware crackdown by, 302 Twitter hack of, 288 Binance (cryptocurrency exchange), 323–4 bin Laden, Osama, 149 Bilton, Nick, 331 Bitcoin: address system of, 9–

5, 43, 59, 96–7, 100 popularity of, 34 privacy issues of, 47, 59, 61, 106–9, 309, 323 proof-of-work system of, 46 ransomware and, 296–7 as tool against authoritarianism, 306–7 traceability of, 4, 9–10, 34, 124, 301, 309–10. See also blockchain analysis users

85–6, 279 Mt. Gox theft and, 117–19, 130 privacy advocates’ criticism of, 305–7, 309–12, 321–3 privacy coins and, 298–300 ransomware and, 297–301 Silk Road case and, 84–5, 111–16 as surveillance, 321–2 tools to optimize, 101, 105 Welcome to Video case and

Joseph, 296 B-Money, 29 Boekelo, Marinus, 196, 234 Bonakdar, Roger: Cazes, Alexandre, death and, 225–7 as lawyer for Cazes, Alexandre, 219–20 Brenntag: ransomware attack on, 297 Bridges, Shaun: arrests of, 115, 136–7 attempted flight of, 136–7 Bitcoin accounts of, 136, 326 Force, Carl, and, 112, 326

292–4 law enforcement use of database of, 249, 265, 291–3 location of servers of, 127–8 Mt. Gox theft and, 119, 129–30 ransomware groups and, 292 Russia and, 128–30, 292 secrecy of, 119, 122–3 See also Vinnik, Alexander Bureau of Narcotics and Dangerous Drugs (U.S

, 107–8, 203, 317–18 blockchain analysis tools of, 106, 173, 316–18 BTC-e study by, 292 cluster audit technique of, 258 Colonial Pipeline ransomware attack and, 301 cryptocurrency exchange use of, 137 customers of, 310–11 DarkLeaks document stolen from, 316–18 founding of, 100–2 Gladstein, Alex,

110–12, 137 Links annual conference of, 304 Mt. Gox theft and, 92 Orlando tool of, 317 privacy advocates’ criticism of, 305–7, 309–10 ransomware cases and, 297–300 Reactor software by. See Reactor Rumker tool of, 200–3, 238, 287, 317–18 success of, 137–9, 169, 305 tracing

Circle (cryptocurrency exchange), 245 Clark, Graham Ivan, 289n Clockwork Orange, A (1971 film), 258 Cloud 9 (dark web market), 123 Cloudflare, 127–8 CNA Financial: ransomware attack on, 297 Coinbase (cryptocurrency exchange), 42, 59–60, 245, 324 CoinJoin, 173 CoinLab, 93 CoinMKT (cryptocurrency exchange), 81n Coinometrics, 138 Coinone (cryptocurrency exchange), 244

, 252 Colonial Pipeline: ransomware attack on, 295–6, 303 recovery of ransom paid by, 301 shutdown of, 296 Comment Ça Marche (online forum), 159–60 Cox, Joseph, 147 Cross

trust in, 99–100 criminal use of, 305 development of, 29–30 mixer services for, 172–3, 289–90 peer-to-peer exchangers of, 152 ransomware and, 295–7 skyrocketing value of, 304–5 thefts of, 54–5. See also cryptocurrency theft as tool against authoritarianism, 306–7 U.S.

S.), 261–3, 290–1 CyberBunker, 287 cypherpunks, 27–30, 37 Cypherpunks Mailing List, 28–9 D DarkLeaks, 316 Dark Scandals (CSAM website), 281 DarkSide (ransomware group), 295–7, 301–3 dark web: child sexual abuse materials and, 247 definition of, 32 dark web markets: Bitcoin and, 25, 34, 40, 124

Europol: conference on virtual currency investigations at, 199–201 Hansa case and, 186, 198, 229, 235 Operation Bayonet meeting at, 190 Operation Onymous and, 123 ransomware investigations by, 302 Evolution (dark web market), 123–4 Excygent, 246 exit scams, 161, 171–2, 228 F Falder, Matthew, 243–4 Falkvinge, Rick, 

S.), 17 AlphaBay case and, 160 Bitcoin report by, 73–4 Cazes, Alexandre, arrest and, 204 child sexual abuse materials cases and, 247 Colonial Pipeline ransomware attack and, 301 Dutch National Police and, 186 Gambaryan, Tigran, and, 238 Joint Criminal Opioid and Darknet Enforcement group and, 235 NetWalker case and, 300

New York field office of, 64 North Korean cryptocurrency theft cases and, 288 Operation Onymous and, 123 ransomware cases and, 301–2 Sacramento field office of, 160, 167, 194 Silk Road takedown by, 64–5, 84 Ulbricht, Ross, case and, 12–13, 

and, 238–9, 292 Monero and, 324 at National Cyber Investigative Joint Task Force, 124–5 Operation Bayonet and, 199–203 parents of, 20, 23 ransomware cases and, 301–3 retirement from IRS of, 323 Silk Road case and, 13–15 Twitter hacking case and, 289 Vinnik, Alexander, case and, 132

Wall Street Market case and, 287 Welcome to Video case and, 245–8, 250–5, 262, 269, 280 Yuki (wife), and, 75–6, 280 GandCrab (ransomware group), 302 Garland, Merrick, 303 Garzik, Jeff, 34 Gates, Bill: Twitter hack of, 288 Ghostbin (anonymous message service), 313 Gladstein, Alex, 305–10 Golden

S.), 61 NCIJTF. See National Cyber Investigative Joint Task Force Netherlands: drug interdiction laws of, 198 Netherlands Organisation for Applied Scientific Research, The, 236 NetWalker (ransomware group), 300 Newman, Lily Hay, 344, 345 New York Times, 301 New York University: BTC-e study by, 292 Nilsson, Kim, 129, 137 Nob. See

Force, Carl Mark, IV North Korea: cryptocurrency thefts by, 288 cryptocurrency use in, 306 as inaccessible to U.S. law enforcement, 301 ransomware groups and, 300–1 NSO (spyware contractor), 310 Nueng (pseud.): Cazes, Alexandre, arrest and, 210–12 O Obama, Barack: Twitter hack of, 288 OGUsers (

127, 248, 287 Peña, Javier, 164 Perlroth, Nicole, 345 PGP (encryption program), 70–1, 78, 198 Philippines: as sex tourism destination, 260–1 Phoenix CryptoLocker (ransomware group), 297 Pirate Party (Sweden), 97 Pisal Erb-Arb, Colonel: Cazes, Alexandre, case and, 164–5, 205, 207–10, 213–14 Point Nine Capital, 138

235 Powell, Jesse, 91, 94, 96 Price, Matt, 287, 289–91, 324 Princess Bride, The (1987 film), 36 privacy coins: blockchain analysis and, 298–300 ransomware and, 298–300 traceability of, 299–301 See also Monero; Zcash Private House Buddhamonthon, 208 proxy servers, 28 Putin, Vladimir, 302 R Rabenn, Grant: AlphaBay

Meiklejohn, Sarah, and, 319 origin of name of, 138 Welcome to Video case and, 244, 246, 258 redandwhite (pseud.), 85 Rettig, Charles, 282–3 REvil (ransomware group), 302–3 Rhysider, Jack, 340 Ripple (cryptocurrency startup), 11 Rivest, Ron, 45 RonSwanson (pseud.), 187–8 Roosh V (online forum), 178–9, 194, 209

inaccessible to U.S. law enforcement, 133–4, 301–3 interference of in 2016 U.S. presidential election, 300 Mt. Gox theft and, 120–1 ransomware groups and, 300–1, 303 sanctions against, 308 treatment of Armenian immigrants in, 21 Ukraine invasion by, 303, 306, 308 S Sanchez, Jen: AlphaBay case

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World

by Bruce Schneier  · 3 Sep 2018  · 448pp  · 117,325 words

on the Internet that he was able to remotely hijack the Heatmiser smart thermostat—not the brand I have. Separately, a group of researchers demonstrated ransomware against two popular American thermostat brands—again, not mine—demanding payment in bitcoin to relinquish control. And if they could plant

ransomware, they could also have recruited that thermostat into a bot network and used it to attack other sites on the Internet. This was a research

installed a backdoor. We’ll talk more about these in Chapter 11. All computers can be infected with malware. All computers can be commandeered with ransomware. All computers can be dragooned into a botnet—a network of malware-infected devices that is controlled remotely. All computers can be remotely wiped clean

call malware: worms and viruses and rootkits that give even unskilled attackers enormous capabilities. Hackers can buy rootkits on the black market. They can hire ransomware-as-a-service. European companies like HackingTeam and Gamma Group sell attack tools to smaller governments around the globe. The Russian Federal Security Service had

our identity information and use that. They also lock up our data and then try to coerce us into paying for its return—that’s ransomware. In early 2018, the Indiana hospital Hancock Health was the victim of a cyberattack. Criminals—we have no idea who—encrypted its computers and demanded

medical records. Even though they had backups, they feared that the time required to restore the data would put patients at risk. They paid up. Ransomware is increasingly common and lucrative. Victims range from organizations, as in the preceding story, to individuals. Kaspersky Lab reported that attacks on business tripled, and

the number of different ransomware variants increased 11-fold, during nine months in 2016. Symantec found that average ransom amounts jumped from $294 in 2015 to $679 in 2016 to

over $1,077 in 2017. Carbon Black reported that total sales of ransomware software on the black market increased 25 times from 2016 to 2017, to $6.5 million. Ransomware now comes with detailed instructions on how to pay, and some of the criminals behind the

ransomware even have telephone help lines to assist victims. (If you’re thinking that a help line is risky for

seizure in an epileptic recipient. Also in 2017, WikiLeaks published information about the CIA’s work on hacking cars remotely. Ransomware is also coming to the Internet of Things. Our embedded computers are no more resistant to ransomware than your laptop is, and criminals already understand that one obvious defense against computer

the data from backup—won’t work when lives are at immediate risk. Hackers have demonstrated ransomware against smart thermostats. In 2017, an Austrian hotel had its electronic door locks hacked and held for ransom. Cars, medical devices, home appliances, and everything

of bitcoin is an expensive inconvenience; a similar demand at speed is life-threatening. It’s the same with medical devices. In 2017, the NotPetya ransomware shut down hospitals across the US and the UK. In some cases, UK hospitals were so incapacitated that they had to delay surgeries, route incoming

botnet in 2016. It corralled a wide variety of IoT devices into the world’s largest botnet, and while it was not used to spread ransomware, it could easily have done so. 5 Risks Are Becoming Catastrophic The trends in the previous four chapters are not new—not the technical realities

-948e554e5e8b. 15Separately, a group of researchers: Lorenzo Franceschi-Bicchierai (7 Aug 2016), “Hackers make the first-ever ransomware for smart thermostats,” Vice Motherboard, https://motherboard.vice.com/en_us/article/aekj9j/internet-of-things-ransomware-smart-thermostat. 15But next time might be my brand: No, I’m not telling you what brand

.bleepingcomputer.com/news/security/new-mirai-botnet-slams-us-college-with-54-hour-ddos-attack. 30They can hire ransomware-as-a-service: Tara Seals (18 May 2016), “Enormous malware as a service infrastructure fuels ransomware epidemic,” Infosecurity Magazine, https://www.infosecurity-magazine.com/news/enormous-malware-as-a-service. 30European companies like

trashing PCs worldwide,” Register, https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware. Josh Fruhlinger (17 Oct 2017), “Petya ransomware and NotPetya: What you need to know now,” CSO, https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html. Nicholas Weaver (28 Jun

2017), “Thoughts on the NotPetya ransomware attack,” Lawfare, https://lawfareblog.com/thoughts-notpetya-ransomware-attack. Ellen Nakashima (12 Jan 2018), “Russian military was behind ‘Notpetya’ cyberattack in Ukraine, CIA concludes,” Washington Post, https://www.washingtonpost.com/world/national-security

hospital Hancock Health: Charlie Osborne (17 Jan 2018), “US hospital pays $55,000 to hackers after ransomware attack,” ZDNet, http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators. 74Ransomware is increasingly common: Brian Krebs (16 Sep 2016), “Ransomware getting more targeted, expensive,” Krebs on Security, https://krebsonsecurity.com/2016/09

/ransomware-getting-more-targeted-expensive. 74Kaspersky Lab reported: Kaspersky Lab (28 Nov 2016), “Story of the year: The

ransomware revolution,” Kaspersky Security Bulletin 2016, https://media.kaspersky.com/en/business-security

/kaspersky-story-of-the-year-ransomware-revolution.pdf. 74Symantec found that average ransom amounts

: Symantec Corporation (19 Jul 2016), “Ransomware and businesses 2016,” https://www.symantec.com/content/en/us

/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf. Symantec Corporation (26 Apr 2017), “Alarming increase in targeted attacks aimed at politically motivated sabotage and subversion,” https://www.symantec.com/about/

newsroom/press-releases/2017/symantec_0426_01. 74Carbon Black reported that total sales: Carbon Black (9 Oct 2017), “The ransomware economy,” https://cdn.www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf. 75All in all, it’s a billion-dollar business: Herb Weisman (9 Jan 2017

), “Ransomware: Now a billion dollar a year crime and growing,” NBC News, https://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646

. Symantec Corporation (19 Jul 2016), “Ransomware and businesses 2016,” http://www.symantec.com/content/en/us/enterprise

/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf. 75$500 billion: Luke Graham (7 Feb 2017

.washingtonpost.com/news/innovations/wp/2017/03/08/what-we-know-about-car-hacking-the-cia-and-those-wikileaks-claims. 77Hackers have demonstrated ransomware: Lorenzo Franceschi-Bicchierai (7 Aug 2016), “Hackers make the first-ever ransomware for smart thermostats,” Vice Motherboard, https://motherboard.vice.com/en_us/article/aekj9j/Internet-of-things

-ransomware-smart-thermostat. 77In 2017, an Austrian hotel: David Z. Morris (29 Jan 2017), “Hackers hijack hotel’s smart locks, demand ransom,” Fortune, http://fortune.com/

2017/01/29/hackers-hijack-hotels-smart-locks. 77In 2017, the NotPetya ransomware: Russell Brandom (12 May 2017), “UK hospitals hit with massive ransomware attack,” Verge, https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin. April Glaser (27 Jun 2017), “U.S. hospitals have been hit

by the global ransomware attack,” Recode, https://www.recode.net/2017/6/27/15881666/global-eu-cyberattack-us-hackers-nsa-hospitals. 77delay surgeries: Denis Campbell and Haroon Siddique (15

-to-plugging-gulf-oil. 94 The shipping giant Maersk was hit: Iain Thomson (16 Aug 2017), “NotPetya ransomware attack cost us $300m—shipping giant Maersk,” Register, https://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk. 95 To this we can add mass murder: Elton Hobson

, 137, 138–41 public-interest law, 224 Qatar, hacking into, 80 quality standards, 20–21, 34, 107–9 radio spectrum, regulation of, 204–5, 206 ransomware, 26, 74, 77 regulation: EU promotion of, 184–88 smart vs. stupid, 192 regulatory capture, 155 resilience, 210–12 Review Group on Intelligence and Communications

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

by Ben Buchanan  · 25 Feb 2020  · 443pp  · 116,832 words

, was funding itself in part through hacking. It was yet another way in which statecraft and cyber operations had intersected. Far more was to come. Ransomware and Beyond In 2016 and 2017, the ambitions and capabilities of the North Korean hackers were apparent. The technical reports from BAE Systems and Kaspersky

data stored within big organizations, like many modern profit-motivated criminals, the North Koreans were not after secrets. They instead deployed a technique known as ransomware, in which hackers encrypt the hard drive of their target computer and delete any backups. The decryption key remains unknown to the target. If the

of the data, institutions are often willing to do this. In February of 2017, North Korean hackers started testing the early stages of their new ransomware. They infected a single organization, still unknown, in which the code spread quickly to around a hundred computers. In the scheme of global cybersecurity, this

code. This one had an innovative twist: rather than rely on socially engineered emails or other manual methods of spreading from computer to computer, this ransomware would propagate itself automatically. Each computer the code infected would go on to infect more, which would go on to infect still more. Exponential growth

same vulnerability that the NSA had long exploited, the North Koreans could build a worm of their own. They deployed this new version of their ransomware on May 12, 2017, with the new propagation code tucked inside.23 Immediately, the entire cybersecurity world knew about it. Supercharged by the power of

hacking victims quickly paid the ransom.25 But word soon got out: don’t pay. Those who paid did not get their files back. The ransomware code contained no mechanism to determine who had coughed up the cryptocurrency demanded by the hackers. This omission was either a sign of remarkably amateurish

, Hutchins had activated a secret and likely unintentional kill switch that stopped the worm’s spread.28 As a result, the North Koreans’ first major ransomware experiment—from premature spread to ignominious end—inflicted at least $4 billion in damages but ultimately brought in only a pittance for the regime.29

This initial failure did not keep the North Koreans down for long or deter them from using ransomware in the future. By October 2017, they were ready to try again. This time, their plan was different: they would deploy

ransomware not to get money directly, but instead as cover for an operation like the one they performed in Bangladesh. By causing a lot of disruption

Korean hackers, permitting them to dictate the malicious code’s activities from afar. While the bank was, at least in theory, distracted by the apparent ransomware attack, the North Korean hackers initiated a series of financial transactions. Their commands to the SWIFT system authorized transfers to Cambodia, the United States, and

powerful piece of code, which soon acquired the name NotPetya. The Russian hackers had fashioned it as a variant of an already known piece of ransomware for criminal use known as Petya.5 Once the malicious server loaded NotPetya onto a corporate computer that ran MeDoc and downloaded the poisoned update

, once it had obtained passwords and done its best to spread itself to other computers, often started attacking the host computer.9 Like the Petya ransomware from which it drew inspiration, NotPetya displayed a screen to the user saying that a necessary hard drive repair was underway. This was nonsense. Instead

wanted to decrypt files for a victim, they could not do so. It quickly became clear that, though the hackers disguised NotPetya as money-making ransomware, it was really a disruption operation, designed to erase vital files from a gigantic range of targets in a way that all could see. The

of its computers to the attack. At least twenty other banks were affected, too. In one city after the next, ATMs displayed NotPetya’s fake ransomware messages. Four hospitals in Kiev found themselves in the digital line of fire. Other medical clinics shut down or chose to turn off their computers

. 20. David Sanger and Michael Schmidt, “More Sanctions on North Korea After Sony Case,” New York Times, January 2, 2015. 21. Symantec Security Response, “WannaCry: Ransomware Attacks Show Strong Links to Lazarus Group,” Symantec blog, May 22, 2017. 22. At some level, the idea of the worm dated back to a

. Nicole Perlroth and David Sanger, “Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool,” New York Times, May 12, 2017. 25. Sam Petulla, “Ransomware Attack: This Is the Total Paid and How the Virus Spread,” NBC News, May 15, 2017. 26. Symantec Security Response, “WannaCry.” 27. For technical discussion

, see Kaspersky Lab Global Research and Analysis Team, “WannaCry and Lazarus Group: The Missing Link?,” SecureList, May 15, 2017; John Miller and David Mainor, “WannaCry Ransomware Campaign: Threat Details and Risk Management,” FireEye blog, May 15, 2017; Sergei Shevchenko and Adrian Nish, “WanaCrypt0r Ransomworm,” BAE Systems Threat Research Blog, May 16

that was too high by a factor of four. 31. Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong, “Taiwan Heist: Lazarus Tools and Ransomware,” BAE Systems blog, October 16, 2017. For local reporting on the case, see “Shalila Moonasinghe Removed as Litro Gas Chairman,” Daily News, October 11, 2017

; David Maynor, Aleksandar Nikolic, Matt Olney, and Yves Younan, “The MeDoc Connection,” Threatsource [Cisco Talos newsletter], July 5, 2017; Microsoft Defender ATP Research Team, “New Ransomware, Old Techniques: Petya Adds Worm Capabilities,” Microsoft Security blog, June 27, 2017; Karan Sood and Shaun Hurley, “NotPetya Technical Analysis—A Triple Threat: File Encryption

, MFT Encryption, Credential Theft,” CrowdStrike, June 29, 2017; Symantec Security Response, “Petya Ransomware Outbreak: Here’s What You Need to Know,” Symantec blog, October 24, 2017. 9. It did not launch this attack if antivirus from Symantec, Norton

, or Kaspersky was present. Microsoft Defender ATP Research Team, “New Ransomware, Old Techniques: Petya Adds Worm Capabilities,” 8–9. 10. Greenberg, Sandworm, 151–153. 11. Greenberg, “The Untold Story of NotPetya.” 12. Catalin Cimpanu, “Maersk Reinstalled

,” Nuance Communications, May 10, 2018, 23; “First-Half 2017 Results,” Saint-Gobain, July 27, 2017, 2; John Leyden, “Nothing Could Protect Durex Peddler from NotPetya Ransomware,” The Register, July 6, 2017. 21. Greenberg, Sandworm, 185–189. For two other good contemporaneous news accounts of the damage, see Lizzie Dearden, “Ukraine Cyber

Daniel, Michael, 228, 309 data, 104–106; collection of (see collection); evaluation / analysis of, 35 (see also analysis); as hostage, 270, 279, 282 (see also ransomware); overseas, protecting, 56–61; retaining, 58 DCCC (Democratic Congressional Campaign Committee), 217–218, 220–221. See also election interference, Russian (2016) DCLeaks, 221, 223, 238

, 314 Der Spiegel, 264 destabilization, 8, 9; disruption, widespread, 288–305; expansion of cyber operations and, 314–316; exposure, 240–267; financial manipulation, 271–278; ransomware, 279–284. See also election interference; NotPetya Destover, 172–174 DiCaprio, Leonardo, 179 Diffie-Hellman key exchange, 48–50 Director of National Intelligence, 228 disinformation

; telecommunications hubs and, 16–19. See also internet companies; telecommunications companies hop points, 111, 112–113, 114 hostage-taking, digital, 270, 279, 282. See also ransomware Huawei, 313 Hussein, Saddam, 271 Hutchins, Marcus, 282 identities, masking, 111. See also hop points; operational security; secrecy Inception (film), 125 indictments, against hackers, 98

North Korea, 2, 124–125; counterfeiting by, 268–269, 270–271; cyber attacks on South Korea, 169; cyber capabilities of, 169; hacking by, 269–278; ransomware, 279–284; targeting of financial institutions by, 269–278, 286; use of NSA tools, 280–281. See also Interview, The (film); Sony Pictures Entertainment Norton

Putin, Vladimir, 228. See also Russia Q. See Dual_EC; Juniper Networks Qatar, 316–317 QUANTUM, 37 rallies, political, 236 randomness, encryption and, 65–70 ransomware, 279–284, 295–296. See also destabilization; financial institutions; NotPetya Reagan, Ronald, 3, 5, 56 Realtek, 139 reconnaissance: in cyber attacks, 132–133; for hacking

; encryption during, 43–44 (see also Enigma); Ōshima during, 108–109; signaling during, 310; telecommunications companies during, 24 worms, 129; Fanny, 132–133; North Korea ransomware, 280; spread of, 133, 134–142, 293–294; WannaCry, 280–282, 289, 295, 310. See also NotPetya; Stuxnet X-Agent, 220 Xenophon, 312 XKEYSCORE, 36

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats

by Richard A. Clarke and Robert K. Knake  · 15 Jul 2019  · 409pp  · 112,055 words

and had to spend another night in the hospital. It was May 12, 2017, and the British National Health Service had been hit by a ransomware cyberattack that was shutting down businesses all over Europe and North America, locking down computers and demanding payment in Bitcoin to unlock them. The attack

down key infrastructure. While WannaCry got the public’s attention, corporate and government IT security professionals had already been aware of the growing risk of ransomware. A year earlier, a virus known as Petya (named after a Soviet weapon in a James Bond movie) had demonstrated significant success in attacking Windows

major companies seemingly selected at random, and at their facilities in scores of nations, computer screens froze and flashed messages demanding payment. It looked like ransomware again. It wasn’t. Once analysts realized it was not the Petya attack again, they creatively labeled the new attack NotPetya. What cybersecurity experts quickly

limited and far more easily and inexpensively achieved. If a hacker’s goal is to steal information, hold a company’s data hostage for payment (ransomware), permanently delete all the software from the devices on a network (wiper), or flood a network to the point where it cannot operate (a distributed

web where hackers sell those attack tools. Remote access tools (RATs) can sell for as little as five hundred dollars. A kit to engage in ransomware could be available for a thousand dollars. These tools will likely not get you into the network of Bank of America or Citibank, but most

you know where I can buy some Bitcoin?” In 2017 and 2018, there was a near pandemic of ransomware in North America and Europe. According to the Royal Canadian Mounted Police, sixteen hundred ransomware attacks were occurring each day in Canada in 2015. By the fall of 2016, the attacks almost doubled

has actually turned out to be easy to use it to hide money flows. Bitcoin is the coin of the realm when it comes to ransomware, allegedly very difficult to trace. Faramarz Savandi and Mohammad Mansouri knew how to do it. The two Iranians wrote their own version of

ransomware software and it became known as the SamSam kit. The two men hit about two hundred networks in the United States over two years and

collected more than $6 million in Bitcoin. The damage that their ransomware did to networks was estimated at $30 million. Among their victims were numerous hospitals and medical facilities (MedStar Georgetown, Kansas Heart Hospital, Hollywood Presbyterian, LabCorps

often tell them to pay up? There is honor among thieves, and if you pay, you usually get back to business pretty quickly. If the ransomware thieves did not free up your network when you paid up, then word would get around and no one would pay. After all, they have

somewhere nice that has an extradition treaty with the United States. Andy Ozment, a former White House and Homeland Security official, has provocatively proposed that ransomware may be one of the more useful regulatory mechanisms we’ve got, essentially imposing fines on companies that have not invested in basic cybersecurity. It

is a compelling argument, but we think it is time to remove the incentive for cyber criminals to use ransomware by having a government law or regulation that bans paying the ransom or institutes a fine in addition to whatever ransom is paid

. Ransomware is funneling billions of dollars to the underground economy. As DEF CON cofounder Jeff Moss has pointed out, even if most of those billions of

used wiper hacks, including an attack against the world’s largest oil company, Saudi Aramco. Cybersecurity experts have been warning companies that hackers are placing ransomware in database backups, so that when network operators attempt to activate their business continuity systems, they will find that the backup is inoperable too. Those

not being used. If your backup is always connected, it can be hacked just as easily as your computer. If you are hit by a ransomware or wiperware attack, your backup might be as well. So keep it disconnected until your daily, weekly, or monthly session of backing up everything. Yes

the case of cybersecurity, detect malicious network traffic. Malware: Software that causes computers or networks to behave in an unintended manner. Examples of malware include ransomware, Trojans, viruses, keyloggers, and worms. Managed Security Service Provider (MSSP): A company to which other firms outsource some security of their network. Multifactor Authentication (MFA

with bits that are in either an on or off state, 1 or 0. Qubits can be in many states simultaneously, allowing greater computational power. Ransomware: A form of malware that encrypts critical system files or user data and holds it for ransom, often instructing the user to send a payment

.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack. National Security Agency’s EternalBlue weapon: Security Response Team, “Petya ransomware outbreak: Here’s what you need to know,” Symantec Blogs/Threat Intelligence, October 24, 2017, www.symantec.com/blogs/threat-intelligence/petya

-ransomware-wiper. damages cost them almost $900 million: Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, www.

Zurich,” Reinsurance News, December 17, 2018, www.reinsurancene.ws/mondelezs-notpetya-cyber-attack-claim-disputed-by-zurich-report. According to the Royal Canadian Mounted Police: “Ransomware: Recognize, Reject, and Report It!,” Royal Canadian Mounted Police, Scams and Frauds, accessed on January 15, 2019, www.rcmp-grc.gc.ca/scams-fraudes

/ransomware-rancongiciels-eng.htm#fn1. The two Iranians wrote: “SamSam Subjects,” wanted poster, Federal Bureau of Investigation, accessed on January 15, 2019, www.fbi.gov/wanted/

, 81, 241, 253–64, 280, 305–6 AI and, 263–64 encryption and, 260–62 quantum key distribution, 262 qubit (quantum bit), 253, 255–59 ransomware, 18, 38, 125–28, 188, 306 Rattray, Greg, 101–3 Raul, Alan Charles, 95 ReallyU, 138–40, 306 reconnaissance, 51, 52 “recover” function, 45, 66

Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat

by John P. Carlin and Garrett M. Graff  · 15 Oct 2018  · 568pp  · 164,014 words

a local hospital at the same time they carried out a bombing or attack. We’ve already seen in the United Kingdom hospitals paralyzed by ransomware attacks, with emergency rooms closed and operating procedures cancelled because malware has frozen out the computer systems. In the financial world, we’ve seen sophisticated

of nonfinancial businesses large and small, nonprofits, and even individuals. In October 2013, Slavik’s group began deploying malware known as CryptoLocker, a form of ransomware that encrypted the files on an infected machine and forced its owner to pay a small fee, say $300 to $500, to unlock the files

zombie computers don’t connect to fat corporate accounts; Slavik and his associates found themselves with tens of thousands of mostly idle zombie machines. Though ransomware didn’t yield huge amounts, it afforded the criminals a way to monetize those otherwise worthless infected computers—and the dollar amounts involved were generally

low enough that victims either didn’t complain to the police or law enforcement wouldn’t do anything about it. The concept of ransomware had been around since the 1990s, but CryptoLocker took it mainstream. Typically arriving on a victim’s machine under the cover of an unassuming email

attachment, the Business Club’s ransomware used strong encryption and forced victims to pay using Bitcoin. It was embarrassing and inconvenient, but many relented. The Swansea, Massachusetts, police department grumpily ponied

online. The year ahead, after I left the government, underscored that Russia was a uniquely dangerous actor online. In the spring of 2017, Russia unleashed ransomware that became known as NotPetya, an attack aimed at Ukraine that spun beyond Russia’s control and caused massive disruptions at companies as varied as

from both the government and the private sector to build international alliances of countries and companies that share our values. The criminal tactics, such as ransomware, botnets, and DDoS attacks, that were so novel when Bogachev helped pioneer them have grown commonplace. In May 2018, four hackers from the Boston collective

and private sector companies and resulted in the theft of intellectual property totaling more than $3.4 billion. When North Korea launched the destructive WannaCry ransomware in 2017, then White House Homeland Security Advisor Tom Bossert went public with that attribution: “North Korea has acted especially badly, largely unchecked, for more

.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html. 33. Patrick Howell O’Neill, “NotPetya Ransomware Cost Merck More Than $310 Million,” Cyberscoop, October 27, 2017, www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million/. 34. Warwick Ashford, “NotPetya Attack Cost up to £15m, Says UK Ad Agency WPP

,” ComputerWeekly.com, September 25, 2017, www.computerweekly.com/news/450426854/NotPetya-attack-cost-up-to-15m-says-UK-ad-agency-WPP. 35. Charlie Osborne, “NotPetya Ransomware Forced Maersk to Reinstall 4000 Servers, 45000 PCs,” ZDNet.com, January 26, 2018, www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs

, Jack Linchuan, 165 Quds Force, 213–216, 224 Radio Shack TRS-80, 34, 87 Radware, 357 Rahim, Usaamah Abdullah, 21 RAND Corporation, 91 randoms, 81 ransomware attacks, 56, 291–292, 387, 392, 401 Rasch, Mark, 94 RasGas, 221 Rasmussen, Nick, 373 RATs. See remote access tools Rattray, Greg, 38, 244 Rawls

, 175n, 189 Walker, Kent, 98, 98n Wallace, Brian, 232 Wang, Huiyao, 260 Wang Dong (Jack Wong/UglyGorilla), 241, 248–249, 265 Wang Weizhong, 246 WannaCry ransomware, 401 war videos, 14–17 WarGames (movie), 35, 79, 86, 87, 90 Washington: The Indispensable Man (Flexner), 69 Watergate, 39 WCE. See Windows Credentials Editor

Spam Nation: The Inside Story of Organized Cybercrime-From Global Epidemic to Your Front Door

by Brian Krebs  · 18 Nov 2014  · 252pp  · 75,349 words

rogue antivirus or scareware industry that ChronoPay had so carefully nurtured. But in its place, a far more insidious threat has taken hold: ransomware. Much like scareware, ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities. Typically, these scams impersonate the Department of Homeland Security or the

authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Increasingly

, ransomware attacks encrypt all of the files on the victim’s PC, holding them for ransom until victims pay up. Victims are instructed to pay the

card number that allows the bad guys to redeem the information for cash. “I don’t think it’s an accident that we’ve seen ransomware rise as it’s become harder for these partnerka programs to find a continuous supply of banks to help them process cards for scareware payments

not really an option. There’s a void in the ecosystem where people can make money. It’s not at all an accident that these ransomware schemes essentially are bypassing traditional payment schemes.” The past few years have also witnessed a noticeable change in the ways that botmasters are using the

data they can find,” Savage said. “The mantra these days seems to be, ‘Why leave any unused resources on the table’?” While some are using ransomware and data harvesting, Savage said, many other former affiliates and managers of failed scareware, pharma, and pirated software partnerkas are casting about for the next

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems

by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski and Adam Stubblefield  · 29 Mar 2020  · 1,380pp  · 190,710 words

The Currency Cold War: Cash and Cryptography, Hash Rates and Hegemony

by David G. W. Birch  · 14 Apr 2020  · 247pp  · 60,543 words

Mastering Blockchain: Unlocking the Power of Cryptocurrencies and Smart Contracts

by Lorne Lantz and Daniel Cawrey  · 8 Dec 2020  · 434pp  · 77,974 words

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It

by Marc Goodman  · 24 Feb 2015  · 677pp  · 206,548 words

Tools and Weapons: The Promise and the Peril of the Digital Age

by Brad Smith and Carol Ann Browne  · 9 Sep 2019  · 482pp  · 121,173 words

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks

by Scott J. Shapiro  · 523pp  · 154,042 words

Coders: The Making of a New Tribe and the Remaking of the World

by Clive Thompson  · 26 Mar 2019  · 499pp  · 144,278 words

Money in the Metaverse: Digital Assets, Online Identities, Spatial Computing and Why Virtual Worlds Mean Real Business

by David G. W. Birch and Victoria Richardson  · 28 Apr 2024  · 249pp  · 74,201 words

The Truth Machine: The Blockchain and the Future of Everything

by Paul Vigna and Michael J. Casey  · 27 Feb 2018  · 348pp  · 97,277 words

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

by David E. Sanger  · 18 Jun 2018  · 394pp  · 117,982 words

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data

by Kevin Mitnick, Mikko Hypponen and Robert Vamosi  · 14 Feb 2017  · 305pp  · 93,091 words

There's a War Going on but No One Can See It

by Huib Modderkolk  · 1 Sep 2021  · 295pp  · 84,843 words

There Is Nothing for You Here: Finding Opportunity in the Twenty-First Century

by Fiona Hill  · 4 Oct 2021  · 569pp  · 165,510 words

Cybersecurity: What Everyone Needs to Know

by P. W. Singer and Allan Friedman  · 3 Jan 2014  · 587pp  · 117,894 words

The Coming Wave: Technology, Power, and the Twenty-First Century's Greatest Dilemma

by Mustafa Suleyman  · 4 Sep 2023  · 444pp  · 117,770 words

Gray Day: My Undercover Mission to Expose America's First Cyber Spy

by Eric O'Neill  · 1 Mar 2019  · 299pp  · 88,375 words

Thank You for Being Late: An Optimist's Guide to Thriving in the Age of Accelerations

by Thomas L. Friedman  · 22 Nov 2016  · 602pp  · 177,874 words

Reset

by Ronald J. Deibert  · 14 Aug 2020

The People vs Tech: How the Internet Is Killing Democracy (And How We Save It)

by Jamie Bartlett  · 4 Apr 2018  · 170pp  · 49,193 words

Our Dollar, Your Problem: An Insider’s View of Seven Turbulent Decades of Global Finance, and the Road Ahead

by Kenneth Rogoff  · 27 Feb 2025  · 330pp  · 127,791 words

Gilded Rage: Elon Musk and the Radicalization of Silicon Valley

by Jacob Silverman  · 9 Oct 2025  · 312pp  · 103,645 words

The Pay Off: How Changing the Way We Pay Changes Everything

by Gottfried Leibbrandt and Natasha de Teran  · 14 Jul 2021  · 326pp  · 91,532 words

Future Politics: Living Together in a World Transformed by Tech

by Jamie Susskind  · 3 Sep 2018  · 533pp

AIQ: How People and Machines Are Smarter Together

by Nick Polson and James Scott  · 14 May 2018  · 301pp  · 85,126 words

Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World

by Don Tapscott and Alex Tapscott  · 9 May 2016  · 515pp  · 126,820 words

The Bitcoin Standard: The Decentralized Alternative to Central Banking

by Saifedean Ammous  · 23 Mar 2018  · 571pp  · 106,255 words

Visual Thinking: The Hidden Gifts of People Who Think in Pictures, Patterns, and Abstractions

by Temple Grandin, Ph.D.  · 11 Oct 2022

Easy Money: Cryptocurrency, Casino Capitalism, and the Golden Age of Fraud

by Ben McKenzie and Jacob Silverman  · 17 Jul 2023  · 329pp  · 99,504 words

The System: Who Owns the Internet, and How It Owns Us

by James Ball  · 19 Aug 2020  · 268pp  · 76,702 words

The Bitcoin Guidebook: How to Obtain, Invest, and Spend the World's First Decentralized Cryptocurrency

by Ian Demartino  · 2 Feb 2016  · 296pp  · 86,610 words

Enshittification: Why Everything Suddenly Got Worse and What to Do About It

by Cory Doctorow  · 6 Oct 2025  · 313pp  · 94,415 words

The New Rules of War: Victory in the Age of Durable Disorder

by Sean McFate  · 22 Jan 2019  · 330pp  · 83,319 words

Number Go Up: Inside Crypto's Wild Rise and Staggering Fall

by Zeke Faux  · 11 Sep 2023  · 385pp  · 106,848 words

I, Warbot: The Dawn of Artificially Intelligent Conflict

by Kenneth Payne  · 16 Jun 2021  · 339pp  · 92,785 words

Breaking News: The Remaking of Journalism and Why It Matters Now

by Alan Rusbridger  · 14 Oct 2018  · 579pp  · 160,351 words

The Nature of Software Development: Keep It Simple, Make It Valuable, Build It Piece by Piece

by Ron Jeffries  · 14 Aug 2015  · 444pp  · 118,393 words

Seriously Curious: The Facts and Figures That Turn Our World Upside Down

by Tom Standage  · 27 Nov 2018  · 215pp  · 59,188 words

MegaThreats: Ten Dangerous Trends That Imperil Our Future, and How to Survive Them

by Nouriel Roubini  · 17 Oct 2022  · 328pp  · 96,678 words

Reamde

by Neal Stephenson  · 19 Sep 2011  · 1,318pp  · 403,894 words

Digital Bank: Strategies for Launching or Becoming a Digital Bank

by Chris Skinner  · 27 Aug 2013  · 329pp  · 95,309 words

Ten Arguments for Deleting Your Social Media Accounts Right Now

by Jaron Lanier  · 28 May 2018  · 151pp  · 39,757 words

Infinite Detail

by Tim Maughan  · 1 Apr 2019  · 303pp  · 81,071 words

Going Dark: The Secret Social Lives of Extremists

by Julia Ebner  · 20 Feb 2020  · 309pp  · 79,414 words

Kings of Crypto: One Startup's Quest to Take Cryptocurrency Out of Silicon Valley and Onto Wall Street

by Jeff John Roberts  · 15 Dec 2020  · 226pp  · 65,516 words

Digital Empires: The Global Battle to Regulate Technology

by Anu Bradford  · 25 Sep 2023  · 898pp  · 236,779 words

The Price of Life: In Search of What We're Worth and Who Decides

by Jenny Kleeman  · 13 Mar 2024  · 334pp  · 96,342 words

Exponential: How Accelerating Technology Is Leaving Us Behind and What to Do About It

by Azeem Azhar  · 6 Sep 2021  · 447pp  · 111,991 words

Dark Mirror: Edward Snowden and the Surveillance State

by Barton Gellman  · 20 May 2020  · 562pp  · 153,825 words

Demystifying Smart Cities

by Anders Lisdorf

Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy

by George Gilder  · 16 Jul 2018  · 332pp  · 93,672 words

Artificial Intelligence: A Modern Approach

by Stuart Russell and Peter Norvig  · 14 Jul 2019  · 2,466pp  · 668,761 words

The Autonomous Revolution: Reclaiming the Future We’ve Sold to Machines

by William Davidow and Michael Malone  · 18 Feb 2020  · 304pp  · 80,143 words

Practical Doomsday: A User's Guide to the End of the World

by Michal Zalewski  · 11 Jan 2022  · 337pp  · 96,666 words

The New Silk Roads: The Present and Future of the World

by Peter Frankopan  · 14 Jun 2018  · 352pp  · 80,030 words

Pandemic, Inc.: Chasing the Capitalists and Thieves Who Got Rich While We Got Sick

by J. David McSwane  · 11 Apr 2022  · 368pp  · 102,379 words

Hello World: Being Human in the Age of Algorithms

by Hannah Fry  · 17 Sep 2018  · 296pp  · 78,631 words

The Internet of Money

by Andreas M. Antonopoulos  · 28 Aug 2016  · 200pp  · 47,378 words

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World

by Joseph Menn  · 3 Jun 2019  · 302pp  · 85,877 words

Digital Transformation at Scale: Why the Strategy Is Delivery

by Andrew Greenway, Ben Terrett, Mike Bracken and Tom Loosemore  · 18 Jun 2018

When Computers Can Think: The Artificial Intelligence Singularity

by Anthony Berglas, William Black, Samantha Thalind, Max Scratchmann and Michelle Estes  · 28 Feb 2015

Chaos Engineering: System Resiliency in Practice

by Casey Rosenthal and Nora Jones  · 27 Apr 2020  · 419pp  · 102,488 words

Robot, Take the Wheel: The Road to Autonomous Cars and the Lost Art of Driving

by Jason Torchinsky  · 6 May 2019  · 175pp  · 54,755 words

These Strange New Minds: How AI Learned to Talk and What It Means

by Christopher Summerfield  · 11 Mar 2025  · 412pp  · 122,298 words

Who Is Government?: The Untold Story of Public Service

by Michael Lewis  · 18 Mar 2025  · 186pp  · 61,027 words

How the Railways Will Fix the Future: Rediscovering the Essential Brilliance of the Iron Road

by Gareth Dennis  · 12 Nov 2024  · 261pp  · 76,645 words

Who Will Defend Europe?: An Awakened Russia and a Sleeping Continent

by Keir Giles  · 24 Oct 2024  · 296pp  · 81,440 words