As you may be aware, there’s money to be made on the internet. The question, of course, is how. Not everyone has the reality-distortion skills to start their own tech unicorn, or the Stanford connections to become an early employee there, or the indifference to sunlight necessary to become a world-class Fortnite gamer. Not everyone lives in the relatively few places where software engineering jobs are well-paying and plentiful.
If you’re willing to break the law—or at least the laws of the U.S., a country you may not yourself call home—your options expand. You can steal credit card numbers, or just buy them in bulk. You can hijack bank accounts and wire yourself money, or you can hijack email accounts and fool someone else into wiring you money. You can scam the lonely on dating sites. All of these ventures, though, require resources of one kind or another: a way to sell the stuff you buy with other people’s plastic, a “mule” willing to cash out your purloined funds, or a talent for persuasion and patience for the long con. And, usually, some programming skill. But if you have none of these, there’s always ransomware.
Malicious software that encrypts data on a computer or a server, ransomware allows an attacker to extort a payment in exchange for the decryption key. Over the past year in the U.S., hackers hit the governments of Baltimore, New Orleans, and a raft of smaller municipalities, taking down city email servers and databases, police incident-report systems, in some cases even 911 dispatch centers. Hospitals, dependent on the flow of vital, time-sensitive data, have proved particularly tempting targets. So have companies that specialize in remotely managing the IT infrastructure of smaller businesses and towns—hacking them means effectively hacking all their clients.
As the number of attacks has grown, so has the scale of the victims and ransoms. “Ransomware really started as something that targeted individuals,” says Herb Stapleton, a section chief in the FBI’s cyber division. “Then it started targeting smaller companies without strong internet security protections, and now it’s evolved to larger companies and municipalities.” In 2019 the Weather Channel, the French media group M6, and the shipping services firm Pitney Bowes Inc. were all hit. Last summer two small Florida towns paid $1.1 million between them to unlock their data. According to the BBC, the European forensics firm Eurofins Scientific also paid off attackers, though it hasn’t confirmed this. Travelex Ltd. also won’t say whether it paid its multimillion-dollar ransom, though as I write this the global currency exchanger’s website remains down, a month after it was attacked.
In a way, the rise of ransomware was foreordained. Simple, scalable, and low-risk, it makes for a particularly tidy cybercrime. Some of the most successful variants are thought to have emerged from the states of the former Soviet Union, where tech-savvy young people can get a high-quality education but not a commensurate-quality job. That combination has helped birth an industry that, in big ways and small, is tech’s outlaw twin.
These days, prospective attackers don’t have to create their own ransomware; they can buy it. If they don’t really know how to use it, they can subscribe to services, complete with customer support, that will help coordinate attacks for them. Software as a service (SaaS in tech vernacular) is a mammoth global industry comprising everything from Salesforce.com customer-relationship management software to the Slack workplace messaging platform to Dropbox cloud storage. Search for “ransomware as a service” or “RaaS” in the dark-web chatrooms that function as both forums and bazaars, and you’ll get pages and pages of hits. In the public imagination, hackers are Mephistophelian savants. But they don’t have to be, not with ransomware. “You could be Joe Schmo, just buying this stuff up,” says Christopher Elisan, director of intelligence at the cybersecurity firm Flashpoint, “and you could start a ransomware business out of it.”
You could even be a liberal-arts-educated writer with a primitive, cargo-cult understanding of how an iPhone or the internet works, who regularly finds himself at the elbow of his office’s tech-support whiz, asking, again, how to find the shared drive. In other words, you could be me. But could you really? I didn’t start out on this article planning to try my hand at ransomware. A few weeks in, though, it occurred to me that if someone like me could pull off a digital heist, it would function as a sort of hacking Turing test, proof that cybercrime had advanced to the point where software-aided ignorance would be indistinguishable from true skill. As a journalist, I’ve spent years writing about people who do things that I, if called upon, couldn’t do myself. Here was my chance to be the man in the arena.
In late 1989 medical researchers and computer hobbyists around the world opened their mailboxes—their actual physical ones—to find a 5.25-inch floppy disk containing an interactive program that evaluated someone’s risk of contracting AIDS, at the time an unchecked, fatal pandemic. In all, 20,000 disks, from the “PC Cyborg Corporation,” were mailed from London to addresses throughout Europe and Africa. But the disks had their own viral payload, an additional file that, once loaded onto a workstation, would hide files and encrypt their names, then fill the screen with a red box demanding a $189 “software lease.” A banker’s draft, cashier’s check, or international money order was to be mailed to a post office box in Panama. The AIDS Trojan, as it came to be known, was the world’s first ransomware.
Within weeks, an American named Joseph Popp was stopped on his way back to the U.S. from an AIDS conference in Kenya. An evolutionary biologist who specialized in baboons, Popp had caught the attention of security officers at Amsterdam’s Schiphol airport because of his erratic behavior. According to a story later published in the Cleveland Plain Dealer, Popp, convinced he was being drugged by Interpol agents, had written “Dr. Popp Has Been Poisoned” on someone’s duffel bag, then held it over his head. When his own luggage was searched, authorities discovered a PC Cyborg Corporation seal. Popp was extradited from his native Ohio to London but eventually ruled unfit to stand trial: Among other things, he’d started wearing curlers in his beard to protect against radiation. He returned home, self-published a manifesto urging people to reproduce more, and was starting a butterfly sanctuary in Oneonta, N.Y., when he died in 2006.
While Popp’s motivations and mental fitness remain the subject of debate, the effectiveness of his ransomware does not. Most of the recipients of the disk didn’t even load the pernicious file onto their computers. Among those who did, only a tiny number paid the ransom. For one thing, it was a pain, requiring a trip to both the bank and the post office. And it was unnecessary. One victim, a Belgian named Eddy Willems, was a computer systems analyst for a multinational insurer. “I’m not a cryptologist, but I was able to easily see what it did,” he says. “And I was able to put everything back in something like 10 to 15 minutes.” Willems and other security researchers quickly circulated free AIDS Trojan decryption programs, also by floppy.
It’s a testament to Popp’s imagination (and possible mania) that he attempted the scheme at all with the tools at his disposal. The idea of selling stolen data to the highest bidder wasn’t new, but Popp’s innovation, as Mikko Hypponen, chief research officer at the Finnish cybersecurity firm F-Secure, puts it, was “the realization that in many cases the highest bidder is the original owner of the information.”
A decade and a half later, technology caught up with Popp’s insight, first in the form of the internet. In 2005 security researchers started seeing ransomware they dubbed Gpcode. (In cybersecurity taxonomy, it’s customary to bestow the same name on a strain of malware and the anonymous gang behind it.) Gpcode smuggled itself onto computers as attachments to seemingly legitimate emails, a technique known as phishing, if it’s done at scale, or spear phishing, if a bespoke email is aimed at a single target. Gpcode’s later versions also used much stronger encryption to scramble the contents of files. The only real weakness was the payment step: Ransoms were settled up by prepaid credit or gift cards, and therefore flowed through the highly regulated pipes of the global financial system. Over time, with the help and prodding of law enforcement, payment processors grew better at spotting ransom payments and recovering at least some of the money.
That problem was solved—from the ransomer’s point of view—by Bitcoin. By 2013 the cryptocurrency had become mainstream enough that a ransomware gang decided to give it a try, in a variant that would come to be known as CryptoLocker. Bitcoin isn’t technically untraceable, especially when people convert it into dollars or euros or another fiat currency. Still, the forensics are difficult and time-consuming, complicated by “tumblers” and other anonymizing measures that obscure a transaction’s path through the public blockchain. And there’s no payment processor for law enforcement to ask to shut it down. All of which makes it ideal for ransomware. The only wrinkle is that most people are still unfamiliar with the mechanics of buying and sending cryptocurrency—it’s not uncommon for ransomware attackers to encourage their victims to reach out if they want help with the process.
CryptoLocker was hugely successful. Three Italian computer science researchers traced 771 payments flowing into Bitcoin wallets connected to the ransomware variant, totaling 1226 Bitcoin ($1.1 million at the time), likely a very conservative figure. And the CryptoLocker recipe—phishing, strong encryption, Bitcoin—remains the dominant template for ransomware today. But there are others: Some attacks pretend to be from a law enforcement agency that’s locked down your machine because of illicit material found there. (Some ensure the material is there by first downloading actual child pornography.) Some attackers start by luring victims to a compromised website where a software “exploit kit” can slip the malware through their browser’s vulnerabilities. And some attacks turn out not to be ransomware at all: NotPetya, which caused billions of dollars in damages worldwide in 2017, lacked any means to reverse its encryption. It’s widely suspected to have been a Russian cyberweapon built neither to steal information nor hold it for ransom, but simply to destroy it.
“With some of the more sophisticated cybercriminal organizations that we’ve found,” says the FBI’s Stapleton, “ransomware is just another tool to use for the monetization of their cyber activities.” Ryan Olson, a vice president at cybersecurity firm Palo Alto Networks Inc., remembers monitoring a computer for a client after hackers found a way in. First they looked for credit card numbers. Then they searched for passwords or login credentials they could use to take over the network. “And then the last thing they did,” he says, “just on the way out the door, was to install some ransomware and encrypt all the files.”
When I started shopping around for my ransomware service in October, the community was still grieving GandCrab. Rolled out at the beginning of 2018, GandCrab wasn’t the first RaaS, but its overwhelming success—the cybersecurity firm Bitdefender estimates that at one point it comprised half of the world’s attempted ransomware attacks—had demonstrated the model’s commercial potential. The GandCrab gang had licensed their software to “affiliates,” fellow hackers with access to compromised computers or lists of email addresses to phish, in exchange for a percentage of the total take. And they had diligently stayed ahead of the efforts of antivirus programmers, shipping out five major software updates, according to computer security researcher Brian Krebs.
Then, on May 31, 2019, a post on the Russian-language forum Exploit[.]in announced GandCrab’s “well-deserved retirement.” Over 15 months, the writer claimed, its affiliates had pulled in $2 billion, $150 million of which had flowed back to the creators. Potential affiliates were left asking each other, in thread after thread, what the “next GandCrab” might be.
I’m not going to name the forum where I ended up finding my RaaS; I don’t imagine many readers of this article are aspiring ransomware entrepreneurs, but I don’t want to make things easier for anyone who is. Like most similar sites, it’s on the dark web, a region of the internet that’s been configured to be inaccessible by normal web browsers.
The forum’s logo is a DOS-green skull. The posts are in English, though that’s evidently not the first language of many of the authors, and the mores would be familiar to anyone who’s spent time in an overwhelmingly young, male setting. Start a post with “Possibly a stupid question, but …” and someone will respond, “That is a really stupid question.” Yet I was also struck by the willingness of participants to answer questions in detail, or just offer encouragement to an anonymous stranger on a range of criminal-mischief topics. “Below is an amazing list of resources,” one October post begins. “It has the best books to check out, some websites that have practice hacking targets, a list of free virtual networks to practice on etc.”
I wasn’t the only clueless person on the site. “Easy to Use Ransomware Wanted,” was the headline of an Aug. 31 post. Another read, “I’m browsing resources to acquire ransomware and the like. What specifically do I need to learn to use this stuff?” Some forum members see “noobs” and “script kiddies” like these as targets for scorn; others see them as opportunities. In the hacker ecosystem, the script kiddie’s natural predator is the “ripper,” a person who sells bogus goods or just takes the noob’s Bitcoin payment and disappears. A lot of the back-and-forth on the forum focuses on whether whoever is peddling this or that software or service can be trusted.
I, of course, was a noob’s noob, protected only by an awareness of how little I knew and the narrow scope of my ambitions. The plan, worked out with my editor, Max Chafkin, was that I would ransom a single target: him. Max, reasonably enough, wasn’t eager to put his own actual personal information at risk, or that of our employer, which handles sensitive data for the world’s wealthiest financial institutions. So the two of us bought cheap laptops and took care not to connect them at any point to our work internet. Max loaded his with a grab bag of files: some WikiLeaks documents; a pdf of the Mueller Report; some random pictures of cats, boats and monkeys; and what he described to me as “a bunch of Romanian academic papers.” He then steeled himself for my attack, which I planned to announce to him in advance. What the plan lacked in realism, it made up for in safety, and, hopefully, our not getting fired.
Or arrested. Several states explicitly outlaw ransomware attacks, and legislators in Maryland recently introduced a bill that would criminalize the mere possession of ransomware. There are also broader federal computer fraud statutes, which were used in the 2018 indictment of two Iranian hackers allegedly behind attacks against Atlanta, Newark, and several large hospital systems. Ransomware prosecutions remain rare, but I, unlike most attackers, was actually in the U.S.
Still, the laws on the books so far seem to require the intent to attack an unaware, unconspiring victim. “A person shall not knowingly possess ransomware with the intent to use or employ that ransomware,” says the Michigan law, “without authorization of the other person.” My victim would be fully informed, indeed complicit—we were just two consenting adults taking risks on the internet. (If Max tried to pretend otherwise, I had emails.) The Bloomberg lawyer we talked to basically agreed. He did, however, suggest that, if I got the impression I was about to do business with the North Korean government or some other sanctioned entity, I should get back in touch with him.
None of this would have been possible without Joe Stewart. Stewart lives in Myrtle Beach, S.C., and runs his own blockchain development and security research company. Since last year he’s been working with the cybersecurity company Armor. He was one of the first analysts to describe the criminal uses for the hijacked computer networks known as botnets. He also coded an early reverse-engineered decryptor to allow victims of carelessly written ransomware to unscramble their files for free. Several years ago, he helped a couple of my colleagues identify a hacker working for the Chinese People’s Liberation Army.
Stewart is quiet and in conversation wears a stony expression that I eventually learned to read as attentiveness rather than dismay. I’d been talking to Armor and Stewart over the phone for a few months before I told him I wanted to try ransomware myself. He told me that once I got my hands on some, I could come down to Myrtle Beach and deploy it from his computer lab.
The ransomware service I ended up using was the first one I found, a few minutes after logging in to the first hacker chatroom I tried. Even at the time, there were warning signs. The consensus on the forum was decidedly skeptical. “[T]his guy has been spamming this shit for days now and acts like no one has ever done this before,” one poster complained, “can’t explain a simple sales pitch about it.” The coder himself had weighed in, telling that critic to “stfu” before mocking him with an obscure reference to the coding language C# and signing off with another “stfu.” Still, the inquiries I’d sent to other sellers had gone unanswered, and a couple of others were clearly fake. And while the popular Ranion RaaS costs $900 a year, according to the possibly defunct ad I had tried responding to, this one was only $150. I decided it was worth a try. The morning of Oct. 23, I paid my 0.020135666 Bitcoin and sent a note through Protonmail, an encrypted email service, to the address on the payment page. A half-hour later, I got a response: “Hello sir, your account is activated now!!! sorry for the delay!”
The web page I could now access was white, with a black Mercator projection of the world beneath a row of tabs. Clicking on “Dashboard” called up an empty table with the heading “Victims.” Its columns would presumably populate once I had multiple campaigns going, with the names of each and their corresponding decryption keys. A second tab, “Builder,” took me to a page that created my malware for me. I typed in a Protonmail address for my victims to use and specified the kind of operating system on my target computer. (The vast majority of malware is written for Microsoft Windows; on Stewart’s suggestion, I was using the Linux operating system, decreasing the chances of getting hacked myself.) I clicked on a button labeled “Build,” and a box popped up asking me if I wanted to download a file. After a few moments’ hesitation, I clicked yes. I now had a piece of malware on my computer. I attached it to an email and sent it, clearly marked, to Stewart.
By the time I showed up in Myrtle Beach on the morning of Nov. 11, Stewart had run it on a special quarantined computer he used to defuse and dissect malware. High-quality variants are often coded so they won’t deploy if they sense they’re in a “sandbox” such as Stewart’s, or they have dormancy periods longer than the attention span of the average security researcher. My malware wasn’t so equipped, one of several traits that suggested I hadn’t procured top-shelf product. The ransomware service itself had been built not on some cryptocurrency-accepting, law-enforcement-unfriendly overseas web hoster—which would, as Stewart put it, have been “best practices in the criminal underground”—but on Amazon Web Services’ cloud. A subpoena could produce the name attached to the Amazon account, potentially leading law enforcement directly to my provider.
The biggest snag, though, was the decryptor I got from the site. After receiving my ransom payment, I was supposed to send the file to my victim along with an alphabetical key. But when Stewart and I tested it out, it didn’t work—the files in Stewart’s sandbox stayed encrypted. In the short term, that wouldn’t be my problem: I’d already be paid by the time Max discovered this flaw. But just as with traditional kidnapping, the information-ransoming business model works only if victims are at least moderately hopeful they’ll get their data upon payment. As a result, ransomers often go out of their way to show their good faith and dependability. It’s common practice to decrypt a few files for free as proof of concept. Some RaaS dashboards dispense with the term “victim” entirely: Screenshots of the Ranion variant taken by Armor analysts show a table headed “clients” instead. Elisan at Flashpoint forwarded me a note one ransomware gang sent their victims that laid out security measures they could take to avoid future attacks.
For Stewart it had been easy enough to throw together a decryption workaround. “I’m guessing he’s never actually tested the code in a real environment,” he wrote me in an email. Rather than send Max a key to type or paste in himself, I’d need to send him a few lines of code and instructions for where to put them. It was inelegant, but it was the sort of thing that I figured I could walk him through.
But as Mike Tyson famously said, everyone has a plan until they get punched in the mouth. On the appointed morning, sitting in Stewart’s windowless computer lab, I logged in to my specially purchased laptop, opened up the anonymizing Tor browser, and clicked on the bookmarked link for the dark-web address of my RaaS control panel. But instead of the Mercator projection and the row of helpful tabs, I saw only a cryptic note. “WE ARE TAKING DOWN THE WEBSITE,” it read, “IN ORDER TO LAKE OF THE USERS.” My first thought was to wonder if “lake of the users” was a coding term I was unaware of, something related to torrents or streams. My second, more practical thought was that I had better email tech support.
“Hi, I see you took the website down,” I wrote to an encrypted email address containing the name of the comic-book antihero Johnny Blaze. “How do I keep access?” The answer came back an hour later: “You have to buy pro version if you want to keep using this.” The pro version, I learned, would cost an additional $500 on top of my $150. When I’d signed up two and a half weeks earlier, the pro version had cost $300, though my provider was at pains to point out that it now featured Android-compatible malware. What became clear in a back-and-forth that went on for much of the morning was that my RaaS had ceased to be a service at all. The server, along with the website, had been taken down, though this, too, was presented as an opportunity: I could host it myself. At Stewart’s prompting, I asked how I’d be able to get my decryption keys now that the site was taken down. Johnny Blaze informed me apologetically that they’d forgotten to back up their database.
Had the whole thing been a scam? Was I dealing with a ripper? If so, why had they gone to the trouble to stand up an actual service and create actual, if cruddy, malware? In retrospect, it seems more likely that my not particularly adept suppliers, their product having flopped, had decided to close up shop for “lake” of enough paying users—it’s conceivable I was their only one—and were seeing if I might want to buy them out.
The problem wasn’t just the decryption keys. Without a server, ransomware like mine was all but inert. As Stewart patiently explained, before encrypting any files the program first generated the decryption key and sent it back to the RaaS server to pop up in my dashboard. If the server didn’t answer, the program wouldn’t proceed. Deflated, I wrote Johnny Blaze asking if I was entitled to a refund. I was told, curtly, that I was not.
“I think,” Stewart said, “there’s a way around this.” Sitting at one end of the room on a black leather couch, he hunched forward over his laptop. Minutes later, he sent me a line of code and instructions to forward to Max, at that moment sitting in New York in front of his burner Dell sending me prodding text messages. Stewart’s fix replaced some code in Max’s computer’s operating system so that when the malware told it to reach out to the now defunct Amazon web server, it would reach out to one of Stewart’s servers instead, which would acknowledge receipt of the key and give the green light to encrypt. My ransomware service provider, in other words, was now Stewart.
And so, the groundwork laid, I launched my reverse-engineered puppet ransomware. An instant later, Max received an email from a trusted colleague: “Hey, Max, sorry it’s so late and that it’s such a giant file, but here’s the draft (attached). Let me know what you think!” He clicked on the “draft,” only for his antivirus software to flag it and warn him not to open it. (Well-designed computer viruses, like actual viruses, envelop their payloads in obfuscatory layers of code; mine announced itself like a man going through customs with cocaine trickling out of his pants leg.) Gamely, Max opened the file.
At first, nothing happened. A few minutes passed, and we started texting back and forth about trying again. “Then, I looked away from my screen for a second,” Max recounts, “and suddenly there was that crazy message.” While ransomware designers often opt for a blandly informational aesthetic, ours had aimed for something more demented. Max’s screen filled with the image of a cloud of smoke, a pale, grasping hand reaching out from its center, and the scrawled words “Your Files are Encrypted.” Max’s WikiLeaks downloads, his cat photos, his Romanian monographs, all of them were gibberish. (The Mueller Report, mysteriously, was unaffected.)
Max wrote me a note full of theatrical betrayal and outrage, to which I responded in a tone of bloodless professionalism, telling him the ransom ($100) and my Bitcoin wallet address. If I thought he was dragging his feet, I could have given him a deadline, after which the ransom would increase or I would destroy the decryption key. Once I got an alert from my cryptocurrency app that his payment was processing, I sent him the decryptor with Stewart’s jury-rigged key. Max ran it as instructed and watched as his files returned, one by one, to normal. He got his data back, I got my money. (As agreed, I did eventually return it.) But the grasping hand image didn’t ever go away.
In the end, it’s hard to claim that my ransomware and I really passed our test. The cybercrime singularity appears a ways off. When I returned from Myrtle Beach, I contacted a particularly knowledgeable and helpful-seeming poster on one of the dark-web forums. After insisting on some ground rules and taking various steps to verify who I was, he (or she) agreed to talk. “In regards to types of malware, I have coded and used almost anything you can think of: backdoors, rats, cryptors, droppers, data destroyers, CSRF and phishing pages, ransomware, etc.,” he wrote. He was dismissive of much of what you could buy—in his description the recent surge in ransomware attacks sounded almost like a bubble: “Many of those ransomware projects are just complete junk,” he wrote, amateur coders finding something on the software development platform GitHub, making a couple cosmetic changes, and then trying to pass it off as their own. “In the end, RaaS does allow for higher numbers of less experienced people to have access to ransomware, but the most successful attacks I know of are still carried out by fewer people using more private code.”
Of course, an inexperienced horde launching incompetent ransomware attacks can still cause plenty of damage. And every master was once a script kiddie. When I emailed my RaaS suppliers asking to interview them for this story, they were more than happy to talk, though they were in the end typically gnomic. “We are team we are 18 to 26 year old teens,” Johnny Blaze wrote back. One thing they did emphasize was that the RaaS I had tried was old news. The team was already coming to market with a newer product, something they promised would be “much better.”
(Updates in 17th and 18th paragraphs to clarify Stewart’s relationship with Armor.)