Today, Explained - Hack to the Future

Episode Date: May 28, 2019

Baltimore is under attack. Hackers have hijacked the city’s online services and are demanding $100,000 worth of bitcoin. ProPublica’s Renee Dudley explains how ransomware is threatening cities across the country.

Transcript
Starting point is 00:00:00 You know how the United States is in desperate need of infrastructure work? It's got some serious work with its digital infrastructure, too. Just look at Baltimore. Tonight, it's a huge headache to complete a home sale in Baltimore. The city's computer system that looks for property liens or debts to check for a clear title is locked up. For the last three weeks, city employees in Baltimore haven't been able to get into their email accounts. Residents haven't been able to pay water and electric bills. Home sales have been significantly delayed. And it's all because of some hackers. Hackers demanded 13 bitcoins worth about $100,000
Starting point is 00:00:46 for the code to unlock the system. But Baltimore City Council president says the city won't pay the ransom. People who pay ransoms, they can leave something in the system and come back and shut you down again. And I just have to take the advice of the law enforcement and the professionals.
Starting point is 00:01:01 The situation in Baltimore isn't a one-off. This is something that's been happening for a while now all over the country, all over the world. This is ransomware. Ransomware is a type of malicious software. When it enters your computer, your files are encrypted. Renee Dudley is a senior reporter at ProPublica. A ransom note pops up on your screen, and you need to pay a ransom, generally speaking, to get those files back.
Starting point is 00:01:34 How often is stuff like this happening? Actual statistics are hard to come by, but there are estimates posted by the Department of Homeland Security that estimate about 1.5 million attacks occur annually. The FBI does collect statistics on reports of ransomware, but even the FBI itself admits that this is far below what's actually happening. So for example, in 2018, there were only something like 1,400 victims who reported ransomware incidents to the FBI. That is so far below what's actually happening. I have a Google Alert set up for ransomware, and every day you see new attacks. But these victims don't necessarily report that to law enforcement. And there are a few reasons for that. One of them is that they may be reluctant to disclose to law enforcement that they've been hit because they don't want people to know about potential vulnerabilities or gaps in their IT security, or they may be embarrassed.
Starting point is 00:02:45 And another reason, of course, is they may have the perception that law enforcement may not be able to help them. And there's a few reasons for that. One is that they are mostly overseas, and in some cases, in countries that are hostile to the U.S. that don't have extradition treaties. So even if federal law enforcement would go after them, they wouldn't necessarily be returned to the U.S. Another reason, of course, is that the criminals typically request payment in Bitcoin, you know, the digital online currency. And that's notoriously hard to trace. So if this is so common, I assume it's not just happening to cities like Baltimore. Is this something that's happening to regular people,
Starting point is 00:03:32 too? Anybody who is connected to the internet is potentially vulnerable to ransomware. Home users, big companies, municipalities, even local law enforcement. Anybody can be a victim of ransomware. But what we're seeing is increasingly businesses and municipalities and law enforcement agencies are being hit more so than your typical home user because those are organizations that would suffer disruption to day-to-day activities when they're subject to a ransomware incident. And you may be more willing to quickly pay the ransom. And also, you may have deeper pockets. What kind of deep pockets are we talking about? What's the average ransomware request like? According to cyber research firms, the average ransom ask is in the several thousands of dollars range. But as you can see from the recent news, demands to companies and municipalities have stretched into the six-figure range.
Starting point is 00:04:40 How do they get in exactly to, you know, hack our data? One way is that they will send out blanket spam email attachments and hope somebody clicks on an attachment that they're not supposed to. Another way is through brute force tools. You'll see oftentimes small businesses are attacked, and those are organizations that may outsource their IT to a remote professional who uses remote desktop protocol to get onto their computer networks. And those are filled with vulnerabilities like weak passwords and unpatched software. So it's all the people who made their password like password 123? Potentially. And the security vulnerabilities are an issue here as well. People who fail to upgrade to the latest software, people who haven't patched the vulnerabilities that are known to exist. And hackers will get through those vulnerabilities. So before this situation in Baltimore, what were some of the biggest
Starting point is 00:05:51 instances of ransomware attacks? Well, one of the most famous ones is the SamSam attack that raged from 2015 to 2018. And this was a big deal around this time last year when the city of Atlanta was attacked. Atlanta suffered far-ranging consequences from the attack. A cyber attack brought city services there to a virtual standstill. Court proceedings were slowed down. The city couldn't process court payments. Online billing systems went down. People actually faced things like delayed and canceled doctor's appointments and medical treatments. It was one of the most crippling cyber attacks ever unleashed in the United States, wreaking havoc across a swath of American companies and major city agencies for nearly three years.
Starting point is 00:06:44 Other victims of the SamSam attacks included the city of Newark, the port of San Diego, the Colorado Department of Transportation, which called in the National Guard. Across the country, people's lives were disrupted because of the SamSam strain. Were any of the people behind SamSam ever caught? They were never caught, but they were indicted. In November of 2018, the U.S. Justice Department indicted two Iranian men accused of operating and distributing SamSam ransomware.
Starting point is 00:07:22 The conspirators collected more than $6 million in extortion payments and caused more than $30 million in losses. But they have not been returned to the U.S. They've remained fugitives. How about all the people and companies that SamSam affected or who were targeted in this attack? Did they get their files back? It's unclear what exactly happened with all of them.
Starting point is 00:07:50 The Justice Department declined to answer questions about specific victims. But in general, ransomware victims can only get their data back by paying the ransom. For a city like Baltimore, paying the ransom might be the only option, but it's not as easy as it seems because there's a whole industry of companies trying to take a cut. That's in a minute. Bill Nye, you know him, you love him, he's on TV, but he's also in the podcast. He's got a new one, it's called Science Rules. In it, Bill Nye takes calls from listeners and answers all their weird, embarrassing, funny, and occasionally sometimes serious questions like, how do we go about putting colonies on Mars? How often should I really be
Starting point is 00:09:05 washing my pillowcase? Or how will we prevent another Flint River crisis? On Science Rules, Bill Nye answers such questions with his co-host, Corey S. Powell, who's a science writer, editor, and Bill's trusty friend. No word yet on whether Corey is wearing a bow tie the whole time, but you'll have to listen to find out. There's also a bunch of field experts and special celebrity guests. Bill is on a mission to explain how science rules everything in the universe, and you'll have to
Starting point is 00:09:33 listen to the podcast to find out what other questions people are asking him. The first episode of Science Rules is out now. You can check it out right after you finish listening to this here episode of Today Explained. Enjoy and subscribe so you never miss an episode. Renee, when people get attacked with ransomware, what is the process of getting their data back? Could you sort of walk us through it?
Starting point is 00:10:04 Typically, when you are hit with ransomware, a ransom note will pop up on your computer screen, and there will be instructions of how to pay. Like straight up pop up, like interrupt whatever you're doing, something will just pop up? Yep. And the two main ways that I've seen the instructions go down are, number one, there will be some email addresses on how to contact the hacker for further instruction, including the amount of Bitcoin they want and how they would like it to be transacted. They'll send you a Bitcoin wallet number to
Starting point is 00:10:35 send it to and things like that. The other way is that some of them will set up sites on the dark web and you'll have to download a dark web browser. You'll have to log on to their site and there's typically a portal where they'll instruct you how much they want. And then if you do that, everything goes back to normal and everything's great? It depends. If everything goes well, then you'll send the Bitcoin and they'll send the decryptor and the key that you can use to decrypt your files. And from what I understand, sources told me that while sometimes hackers fail to live up to their end of the bargain, they usually don't because they need to have a reliable product, if you will, to stay in business. They need people to believe that
Starting point is 00:11:25 they're going to get something if you pay them. So does everyone just pay the ransom then? Or is there another way? Law enforcement, good hackers? You know, some organizations find this particularly unpalatable. They don't want to deal with criminals. They don't want to use taxpayer money to pay ransom. And in some cases, they've been allured by data recovery firms who've promised to recover their files using their own technology. What kind of firms are those? Is that like a whole business?
Starting point is 00:12:00 Yeah, this is the industry that is at the center of our reporting. On one end of the spectrum, there are firms that are completely transparent with their clients. They know that there's usually only one way to decrypt ransomware stricken files, and that's to pay the hacker. Their business model is we can help people who are uncomfortable dealing with hackers directly, people who don't know how to use Bitcoin, and our service is to handle that for them. On the other side of the spectrum, there are firms that claim to use their own quote-unquote trade secrets and their own technology to decrypt ransomware. But as we found, they're just paying the ransom. What do you mean? They're lying? The main issue is that clients believe that these firms are using their own technology to decrypt files without having to deal with hackers,
Starting point is 00:13:11 when in reality, they're dealing with the hackers and adding a fee. So these third-party firms are just like charging you an extra fee to pay the hackers their ransom? Correct. One example is with the SamSam ransomware strain. Proven Data, one of the firms, had what became a mutually beneficial relationship with the SamSam attackers. To the point that the SamSam attackers actually started recommending that victims work with Proven Data. The SamSam attackers knew that Proven Data was a recovery firm and that their business model is to pay ransoms on behalf of clients. And they had a relationship in which once a victim came in with SamSam ransomware,
Starting point is 00:14:03 Proven Data could go to the portal where the SamSam hackers corresponded and say, we've got a client, we'd like you to suspend the timer for payment, because usually they had a timer of seven days or else your files would be permanently deleted. And the SamSam attackers would suspend the timer and allow the client whatever time they needed to get the payment to them. Now, it raises some interesting legal questions because, you know, as one lawyer I talked to put it, the SamSam hackers are recommending that the client work with Proven Data because they know that Proven Data will pay the ransom in the manner that they prescribed. It raises the question of whether that relationship between Proven Data and the SamSam attackers is too close.
Starting point is 00:14:58 Because they know Proven Data is like a surefire way to get their ransom money quickly? Yes, exactly. They know that Proven Data is a data recovery firm and that their business is to pay the ransom. It's just so funny because I feel like most people's notion of data recovery is like I pay someone who knows hard drives and computers better than I do to rescue my information. And this is I pay like a third party to like broker a cash transaction or a Bitcoin transaction. Exactly. We looked at a case in Safford, Arizona, that was interesting. And because it's a public entity, of course, we were able to get the email correspondence between the city and Proven Data.
Starting point is 00:15:51 So what had happened there was the city of Safford was hit by a strain of ransomware that was not decryptable at the time. Their files were down. It was affecting operations. They needed to get back on their feet, so they called Proven Data. Proven Data, according to the emails we have, said that they would be able to recover the data using their own technology. The city paid $4,000 and the data was recovered. Safford was a fairly satisfied client until they realized about a month later that not all of the files had been recovered. Their network administrator began to get a little suspicious because when he went back to Proven Data, Proven Data wanted to charge another $4,000 to decrypt the rest of the data.
Starting point is 00:16:40 And he asked the question in an interview with me, if their algorithms could decrypt the first set of files, why wouldn't it work on the second set? So he began to believe that they might have just been working with the hackers and adding their own fee on top. security researchers who are some of the foremost specialists in ransomware. And they said that the strain that affected the city of Safford at that time was not decryptable except by paying a hacker. So if cities are attacked and then these firms paid ransoms to these hackers, does that mean that taxpayer money was used to pay off a ransom? Theoretically, yes. The example of Safford highlights that. They unknowingly paid the hackers because, of course, they believed that Proven Data was using its own technology, but on the other side, Proven Data was paying the ransom. And while Safford's costs were mostly covered by their insurer, at the end of it, taxpayer dollars indeed were used to pay a ransom.
Starting point is 00:17:53 Is it legal to pay a ransom using taxpayer money? Are normal people who get hacked allowed to be paying ransoms? I'm not really sure about the legality there. So there are no U.S. laws that prohibit the payment of ransom. Publicly, the FBI says ransom payment, quote, encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes. But in 2015, an FBI special agent in charge of the FBI's cyber program in Boston told people at a cybersecurity conference that the FBI will often advise people just to pay the ransom. If not illegal, is it a bad idea? Isn't it just giving the hackers exactly what they want?
Starting point is 00:18:38 Well, it is what keeps the ransomware hackers in business. So if the FBI is admitting that even they often pay ransoms, whose job is it to make these things go away? Individuals? Cities? Someone else? Well, it's an interesting question. Law enforcement hasn't been entirely effective. On the federal level, you have the FBI. And the issue with the FBI is it has limited resources and the average ransom is only a few thousand dollars. But at the local level, meanwhile, the issue of ransomware is too complex of an area for local law enforcement to do anything about. So as one attorney I talked to said, it's sort of a legal gray area
Starting point is 00:19:30 where there's no great remedy for ransomware victims. As long as people will pay ransoms, ransomware is profitable for the people who are deploying it. Renee Dudley is a senior reporter at ProPublica. She reported her story on ransomware with Jeff Kao. Baltimore still hasn't solved its ransomware problem. And to add another wrinkle to the situation, reporting from the New York Times suggests that the malware used to hack the city may have come from the NSA. The NSA developed stuff like this as tools for the United States government,
Starting point is 00:20:23 and this particular stuff leaked. Which is to say, taxpayer dollars may have funded a government agency to create malware that was then used by some hackers to hijack a U.S. city. And taxpayers may end up being the ones who have to fix it, too. I'm Sean Rameswaram. This is Today, Explained.
