WEBVTT - Your Money or Your Data: A Ransomware Story 0:00:04.400 --> 0:00:07.800 Welcome to tech Stuff, a production from I Heart Radio. 0:00:12.320 --> 0:00:14.880 Hey there, and welcome to tech Stuff. I'm your host, 0:00:15.000 --> 0:00:18.320 Jonathan Strickland. I'm an executive producer with I Heart Radio 0:00:18.480 --> 0:00:23.360 and I love all things tech. Now, let me paint 0:00:23.440 --> 0:00:28.080 you a scenario, or, as my quiz to alter Ego 0:00:28.120 --> 0:00:33.520 would say, over on Ridiculous History, a sonario. You sit 0:00:33.560 --> 0:00:37.280 down to your computer. Maybe you're about to do some work, 0:00:37.440 --> 0:00:40.360 or maybe you're planning on, you know, being totally sussed 0:00:40.360 --> 0:00:43.360 while claiming to work on wires and among us. Maybe 0:00:43.360 --> 0:00:45.080 you just want to watch an episode of The Haunting 0:00:45.120 --> 0:00:48.920 a blind manner. But whatever the reason, you encounter an 0:00:49.000 --> 0:00:54.040 unexpected problem. Your computer won't come out of unlock mode. Instead, 0:00:54.080 --> 0:00:58.680 you get an ominous message. Someone has locked down your computer, 0:00:59.080 --> 0:01:01.360 creating a new path us were to keep you out. 0:01:01.680 --> 0:01:03.800 If you don't cough up a certain amount of money 0:01:03.920 --> 0:01:06.920 by a certain amount of time, something bad will happen. 0:01:07.319 --> 0:01:10.039 Maybe that's something bad is that the intruder will lock 0:01:10.080 --> 0:01:13.000 down your computer forever. Maybe they will convert all the 0:01:13.080 --> 0:01:16.800 data on your computer to gibberish. Maybe they'll fill up 0:01:16.840 --> 0:01:19.600 your computer with garbage data to turn it into a 0:01:19.680 --> 0:01:24.000 useless device. Or maybe they'll use the information stored on 0:01:24.040 --> 0:01:29.120 your computer against you in some way allah blackmail. You 0:01:29.520 --> 0:01:35.640 have been hit by ransomware. Ransomware is a subset of malware, 0:01:36.080 --> 0:01:38.559 or what we goofs is in the old days, lumped 0:01:38.640 --> 0:01:42.679 under the general term computer virus, though as it turns out, 0:01:43.000 --> 0:01:48.200 that's not accurate. Really, ransomware is ugly stuff, and it 0:01:48.240 --> 0:01:52.400 can cause enormous problems for people and organizations. There are 0:01:52.480 --> 0:01:56.480 dozens of stories of computer systems and critical infrastructure being 0:01:56.560 --> 0:01:59.920 hit by ransomware. One target that seems to get hit 0:02:00.040 --> 0:02:04.840 fairly frequently would be hospitals. That is particularly ugly, and 0:02:04.920 --> 0:02:09.080 even more so during a pandemic. So in this episode, 0:02:09.240 --> 0:02:12.560 we're going to explore the history of ransomware, how it 0:02:12.600 --> 0:02:15.760 works in general, and some stories on how it's been 0:02:15.880 --> 0:02:19.600 used and what people did in response. Now, often with 0:02:19.680 --> 0:02:23.600 these topics, I have to give pretty vague estimations of 0:02:23.840 --> 0:02:27.920 when something got started, sometimes even having to resort to 0:02:28.040 --> 0:02:32.280 using a decade rather than a specific year. Thankfully, I 0:02:32.320 --> 0:02:36.359 guess for ransomware, the origin story is fairly well established. 0:02:36.639 --> 0:02:40.640 Now I cannot for certain state that this is categorically 0:02:40.800 --> 0:02:44.880 the very first case of ransomware, but generally speaking people 0:02:44.960 --> 0:02:49.440 accept it as such, and so we come to the odd, 0:02:49.760 --> 0:02:55.480 sinister and absurd story of the Aid's Trojan. Now, in 0:02:55.520 --> 0:02:59.440 this case, a trojan is also a subset of malware. 0:02:59.760 --> 0:03:03.760 It's really more of a delivery system for malware, and 0:03:03.880 --> 0:03:06.200 one that a lot of folks are probably familiar with 0:03:06.600 --> 0:03:11.040 by concept, if not by name. The name Trojan references 0:03:11.120 --> 0:03:14.320 the story of the Trojan Horse, in which the Greek 0:03:14.440 --> 0:03:17.560 forces that have been laying siege to the Free city 0:03:17.639 --> 0:03:22.639 of Troy got a great idea. Hey, said the Greek forces, 0:03:22.639 --> 0:03:26.400 what if we pretend to give them a really big present, 0:03:26.800 --> 0:03:29.960 only instead of you know, I don't know, chocolate or whatever, 0:03:30.360 --> 0:03:34.840 they find out that it's actually some secret Greek task force. 0:03:35.520 --> 0:03:39.000 That task force will be inside Troy without having to 0:03:39.040 --> 0:03:42.360 break through the walls, and then they could actually open 0:03:42.480 --> 0:03:44.120 up the gates and let the rest of us in. 0:03:44.280 --> 0:03:48.520 And so the story goes, the Greeks constructed a massive 0:03:48.720 --> 0:03:53.480 wooden horse, hiding the warriors inside of the horse and 0:03:53.480 --> 0:03:56.280 then leaving it out for the Trojan forces to bring 0:03:56.320 --> 0:03:58.760 into the city while the rest of the Greek forces 0:03:59.160 --> 0:04:04.920 pretended to sail away. Well, according to the story, the 0:04:04.960 --> 0:04:09.480 Trojans celebrated and they pulled the massive wooden horse into 0:04:09.480 --> 0:04:12.480 the city as a kind of war trophy, and the 0:04:12.560 --> 0:04:16.960 Greek warriors inside the horse snuck out at night, opened 0:04:17.040 --> 0:04:20.440 up the city gates, and then the returning Greek forces 0:04:20.560 --> 0:04:24.279 just sauntered their way in conquering the city. In the 0:04:24.320 --> 0:04:28.920 world of malware, a trojan is some sort of program 0:04:29.080 --> 0:04:33.120 or application that appears to be legitimate but is secretly 0:04:33.279 --> 0:04:37.839 carrying along some malware. A lot of malware falls into 0:04:37.880 --> 0:04:41.080 this category or uses similar tactics to get people to, 0:04:41.520 --> 0:04:45.400 you know, actually install the malware on their computers. When 0:04:45.520 --> 0:04:48.599 file sharing became a huge trend as peer to peer 0:04:48.640 --> 0:04:52.440 networks took off, one of the biggest dangers wasn't that 0:04:52.640 --> 0:04:55.720 a movie studio or a record studio is going to 0:04:55.839 --> 0:05:00.800 come after you with some absurdly overblown lawsuit. Although those 0:05:00.920 --> 0:05:04.520 did happen. The bigger threat is that one of those 0:05:04.560 --> 0:05:08.359 files you downloaded was actually malware in disguise, or it 0:05:08.480 --> 0:05:12.600 had malware embedded within the program just waiting to be unleashed. 0:05:13.120 --> 0:05:17.240 The AIDS Trojan was called that because it had to 0:05:17.360 --> 0:05:22.200 do with events surrounding the AIDS crisis, and it was 0:05:22.240 --> 0:05:27.560 actually distributed on diskette. This was pre Internet days. Well, 0:05:27.640 --> 0:05:30.240 the Internet was around, but not many people were using it. 0:05:30.279 --> 0:05:33.760 This was nineteen eighty nine. So the person who made 0:05:33.800 --> 0:05:38.680 this malware saved the malware on two disks disguised as 0:05:38.720 --> 0:05:42.720 a legitimate program. Only that he did it to twenty 0:05:43.000 --> 0:05:45.920 thousand discs, and I imagine that must have taken a 0:05:46.120 --> 0:05:50.760 very long time. So who received those discs? Who was 0:05:50.800 --> 0:05:53.880 on the target side? Well, the discs went to people 0:05:54.200 --> 0:05:57.359 who were part of a nineteen eighty nine World Health 0:05:57.440 --> 0:06:02.000 Organization conference on the AIDS crisis. And who was the 0:06:02.000 --> 0:06:07.359 mastermind behind this plot? Well, that would be Dr Joseph L. Pop, 0:06:07.760 --> 0:06:13.600 an evolutionary biologist and AIDS researcher. Okay, so let's get 0:06:13.760 --> 0:06:19.120 some more context. The medical community first began identifying medical 0:06:19.160 --> 0:06:22.640 cases that in retrospect we would understand to be related 0:06:22.680 --> 0:06:27.799 to acquired immuno deficiency syndrome or AIDS, back in nineteen 0:06:27.920 --> 0:06:31.200 eight one. The c d C would first use the 0:06:31.360 --> 0:06:37.800 term AIDS on September. The World Health Organization would hold 0:06:37.800 --> 0:06:43.599 its first meeting to discuss the global situation in nine three. Now, 0:06:43.600 --> 0:06:48.039 despite the clear danger, many countries, including the United States, 0:06:48.440 --> 0:06:52.560 failed to take this crisis very seriously at first, in 0:06:52.680 --> 0:06:56.480 large part because it was seemingly affecting only gay men, 0:06:56.920 --> 0:07:01.000 and the general social attitude toward homosexual in these countries, 0:07:01.040 --> 0:07:04.640 including the United States, was at the very least uninviting, 0:07:04.839 --> 0:07:08.240 which is putting it lightly. By nine nine, the US 0:07:08.320 --> 0:07:12.400 government couldn't sit by idly, and Congress created the National 0:07:12.440 --> 0:07:17.960 Commission on AIDS. Dr Anthony Fauci, And yes, I'm talking 0:07:18.000 --> 0:07:22.920 about that Dr Fauci, the same one today who's advocating 0:07:23.040 --> 0:07:27.360 social distancing and using masks during our COVID pandemic. Well 0:07:27.400 --> 0:07:31.840 back then he was endorsing giving HIV positive people access 0:07:31.880 --> 0:07:36.000 to experimental treatments, even if those people did not technically 0:07:36.120 --> 0:07:41.080 qualify for clinical trials, because that man is a freaking legend. 0:07:41.600 --> 0:07:46.080 And just to be clear, HIV is human immuno deficiency virus. 0:07:46.200 --> 0:07:49.640 That's the virus that can lead to AIDS. The number 0:07:49.760 --> 0:07:52.400 of AIDS cases in the United States at that point 0:07:52.480 --> 0:07:55.480 reached one hundred thousand, and the w h O, the 0:07:55.520 --> 0:07:59.240 World Health Organization, estimated that there were up to four 0:07:59.320 --> 0:08:02.240 hundred doll and cases around the world, and in some 0:08:02.280 --> 0:08:06.720 parts of the world, like Africa, the medical establishment was 0:08:06.960 --> 0:08:12.280 woefully underprepared to treat infected people and outbreaks were rampant, 0:08:12.760 --> 0:08:15.040 and all of this is important when we get to 0:08:15.520 --> 0:08:19.360 motives behind this trojan malware a little bit later on. 0:08:19.640 --> 0:08:23.160 That's why I needed to set the stage. So Dr 0:08:23.240 --> 0:08:26.559 Pop had been a collaborating member of a group called 0:08:26.640 --> 0:08:30.160 the Flying Doctors, and that itself was a branch of 0:08:30.200 --> 0:08:34.400 the African Medical Research Foundation. Pop had served as a 0:08:34.440 --> 0:08:38.680 consultant for the World Health Organization in Kenya and had 0:08:38.760 --> 0:08:44.640 even organized AIDS related conferences himself. So Dr Pop takes 0:08:44.640 --> 0:08:47.079 a look at the list of attendees to this w 0:08:47.400 --> 0:08:51.840 h O conference in males twenty thousand people and various organizations. 0:08:52.120 --> 0:08:55.360 A diskette and the discs label stated that it was 0:08:55.520 --> 0:09:00.320 an quote AIDS Information Introductory Diskette end quote from a 0:09:00.320 --> 0:09:05.720 company called PC Cyborg Corporation, a fictional company of Dr 0:09:05.800 --> 0:09:09.240 Pop's invention. Now, if you were to insert the diskette 0:09:09.280 --> 0:09:12.400 into a PC and then run the program, you would 0:09:12.440 --> 0:09:16.880 encounter a seemingly straightforward survey, you know, a questionnaire about AIDS. 0:09:17.480 --> 0:09:22.040 But in the background, the malware was infecting the auto 0:09:22.160 --> 0:09:27.240 exec dot bat file in the root directory for the PC. Now, 0:09:27.280 --> 0:09:30.840 this file is the startup file for a computer of 0:09:30.880 --> 0:09:34.040 that era. It's in charge of booting up a computer 0:09:34.120 --> 0:09:37.880 and activating all the components to work with the operating system. 0:09:37.880 --> 0:09:41.200 It sets up everything to move forward when you are 0:09:41.240 --> 0:09:43.880 actually using your computer, so when you power it on, 0:09:44.120 --> 0:09:47.040 this is the program that sets everything up. And then, 0:09:47.480 --> 0:09:50.520 like the Greek soldiers in our legend about the City 0:09:50.559 --> 0:09:53.520 of Troy, the malware would lie and wait for the 0:09:53.640 --> 0:09:56.600 right moment to strike. But instead of waiting for night 0:09:56.640 --> 0:09:59.400 to fall, the malware would keep count of how many 0:09:59.440 --> 0:10:03.520 times the program had been activated, although actually some sources 0:10:03.559 --> 0:10:07.680 say it tracked how frequently the computer system was rebooted 0:10:07.760 --> 0:10:11.840 or turned on, so different reports have conflicting information about this, 0:10:11.920 --> 0:10:15.479 but generally speaking, it was keeping track of how frequently 0:10:15.640 --> 0:10:19.480 the system was being used, and eventually, typically around either 0:10:19.760 --> 0:10:24.800 the program activation or reboot number ninety, the malware would 0:10:24.800 --> 0:10:27.439 then initiate the actual attacks. So it would wait until 0:10:27.960 --> 0:10:31.800 this counter I'd hit nine of ninety instances of this 0:10:31.840 --> 0:10:35.280 thing happening. The program would then encrypt all the files 0:10:35.320 --> 0:10:38.559 on the sea drive of the host machine, which is 0:10:38.600 --> 0:10:41.160 where most files lived. The sea drive is kind of 0:10:41.160 --> 0:10:45.760 the default drive on PC machines, and it rendered those 0:10:45.760 --> 0:10:49.400 files inaccessible to the user, and it would also launch 0:10:49.520 --> 0:10:53.320 a ransom message. Now, if you search for the stuff online, 0:10:53.520 --> 0:10:56.360 you're likely to come across a picture of a screen 0:10:56.440 --> 0:10:59.720 that has a message that starts with quote, attention, I 0:10:59.760 --> 0:11:02.760 have and elected to inform you that throughout your process 0:11:02.800 --> 0:11:05.520 of collecting and executing files and so on and so on. 0:11:06.200 --> 0:11:08.760 It then goes on to drop some expletives. So I'm 0:11:08.760 --> 0:11:10.480 not going to quote the whole thing on here. This 0:11:10.760 --> 0:11:13.560 show is family friendly for the most part. And the 0:11:13.679 --> 0:11:16.800 message also gloats over the fact that the computer has 0:11:16.800 --> 0:11:19.880 been infected by a virus. But that is not the 0:11:19.920 --> 0:11:23.720 actual message that popped up with the AIDS trojan. It's 0:11:23.760 --> 0:11:27.360 frequently used in articles that are about the AIDS trojan, 0:11:27.559 --> 0:11:31.000 but that's not what users saw. For one thing, that 0:11:31.040 --> 0:11:35.440 message has no information regarding the actual ransom, which for 0:11:35.600 --> 0:11:40.480 ransomware is kind of an important step. The message that 0:11:40.679 --> 0:11:44.360 gets shown all over the place concludes by saying, rememb 0:11:44.360 --> 0:11:49.079 member that that's actually the way it's written. Now that's misspelled. 0:11:49.400 --> 0:11:52.720 There is no cure for AIDS end quote, So I 0:11:52.760 --> 0:11:55.040 just want to clear out the confusion. That was not 0:11:55.160 --> 0:12:00.640 the message that dr pops ransomware used. Instead, the actual 0:12:00.760 --> 0:12:04.080 message came across as more official and less of a 0:12:04.400 --> 0:12:08.080 Nelson from the Simpsons, pointing and saying ha ha. The 0:12:08.160 --> 0:12:12.640 real message starts off as quote, Dear customer, it is 0:12:12.720 --> 0:12:17.439 time to pay for your software lease from PC Cyborg Corporation. 0:12:17.920 --> 0:12:21.560 Complete the invoice and attached payment for the lease option 0:12:21.720 --> 0:12:25.400 of your choice. End quote, and the two choices offered 0:12:25.679 --> 0:12:30.240 included a yearly lease for one eighty nine dollars or 0:12:30.320 --> 0:12:34.360 a lifetime lease for three d seventy eight dollars. In 0:12:34.400 --> 0:12:36.920 either case, the user was instructed to pay in the 0:12:36.960 --> 0:12:41.120 form of a banker's draft, a cashier's check, or international 0:12:41.320 --> 0:12:45.720 money order payable to PC Cyborg Corporation to a post 0:12:45.760 --> 0:12:51.040 office box located in Panama. Now, presumably, after paying this 0:12:51.160 --> 0:12:54.839 so called lease, you would receive a way to decrypt 0:12:55.040 --> 0:12:59.240 the files on your computer from the PC Cyborg Corporation. 0:12:59.600 --> 0:13:02.640 But the timeline for how this all shook out was 0:13:02.679 --> 0:13:04.800 a bit too short to know for sure whether or 0:13:04.800 --> 0:13:07.720 not Dr Pop would have sent anything out, because I'm 0:13:07.720 --> 0:13:09.880 not even sure that Dr Pop had a chance to 0:13:09.920 --> 0:13:12.520 retrieve anything from that post office box before it all 0:13:12.559 --> 0:13:15.800 went down. Now, the fact that the malware didn't go 0:13:16.040 --> 0:13:19.400 into action immediately, it would wait a bit before striking 0:13:19.600 --> 0:13:23.120 meant that the outbreak of infected computers was a little staggered. 0:13:23.480 --> 0:13:26.760 The first reports of the computer virus came out of England, 0:13:27.240 --> 0:13:30.079 and that's also when it first became clear that this 0:13:30.200 --> 0:13:33.560 was a new type of crime, one that wasn't covered 0:13:33.640 --> 0:13:38.400 on the lawbooks explicitly, which would force prosecutors to rely 0:13:38.520 --> 0:13:42.120 on older laws and hope that those laws could maybe 0:13:42.400 --> 0:13:46.760 bend enough to apply to this brand new crime. As 0:13:46.840 --> 0:13:50.240 news spread through the medical research community of the virus, 0:13:50.280 --> 0:13:55.760 some organizations took extreme steps. The newspaper The Independent reported 0:13:55.800 --> 0:13:59.720 that and AIDS organization in Italy chose to delete data 0:14:00.120 --> 0:14:03.400 off of infected machines and they lost ten years of 0:14:03.440 --> 0:14:06.600 work in the process. Now, as it turned out, that 0:14:06.760 --> 0:14:10.600 was an extreme overreaction, but this was a new type 0:14:10.600 --> 0:14:13.720 of crisis, so I can't really put too much blame here. 0:14:14.400 --> 0:14:18.360 While computer scientists started to tackle the technological problem of 0:14:18.360 --> 0:14:23.440 how to decrypt infected computers, Scotland Yards Computer Unit launched 0:14:23.480 --> 0:14:26.800 its largest investigation at that point to try and track 0:14:26.840 --> 0:14:30.200 down the perpetrator, and Dr Pop might have even slipped 0:14:30.200 --> 0:14:34.480 away without anyone ever knowing about his involvement except for 0:14:34.600 --> 0:14:39.000 his odd behaviors which gave him away. Researchers figured out 0:14:39.120 --> 0:14:42.640 how to decrypt the machines. They created a decryption tool 0:14:42.920 --> 0:14:46.760 called AIDS out, for example, that would reverse the process 0:14:46.840 --> 0:14:50.360 on an infected computer, so you could decrypt your own files. 0:14:50.800 --> 0:14:53.920 If Dr Pop had just kept a low profile, the 0:14:54.000 --> 0:14:57.440 AIDS trojan might have entered computer lore as a great 0:14:57.600 --> 0:15:03.160 unsolved mystery. But Dr Pop was behaving in odd ways. 0:15:03.520 --> 0:15:06.320 Shortly after mailing out the discs, he attended an AIDS 0:15:06.400 --> 0:15:10.000 seminar in Nairobi, and while this was a short time 0:15:10.080 --> 0:15:13.040 after the infected discs had hit the targets, it was 0:15:13.080 --> 0:15:15.600 already becoming a big point of conversation. It was like 0:15:15.960 --> 0:15:18.560 less than two weeks after he had mailed out the discs, 0:15:19.120 --> 0:15:22.880 and maybe that unnerved Dr Pop. As he was traveling 0:15:22.920 --> 0:15:25.600 back to the United States, he had a layover at 0:15:25.600 --> 0:15:29.400 an airport in Amsterdam, and he wrote the phrase Dr 0:15:29.480 --> 0:15:34.600 Pop has been poisoned on a fellow traveler's suitcase. That 0:15:34.680 --> 0:15:37.840 did not go unnoticed, and authorities decided they wanted to 0:15:37.880 --> 0:15:42.000 have a little word with Dr Pop. Upon searching his luggage, 0:15:42.040 --> 0:15:46.280 the authorities found material with the label PC Cyborg Corporation, 0:15:46.680 --> 0:15:50.440 the fictional company at the heart of the ransomware. Pop 0:15:50.600 --> 0:15:53.480 was allowed to return to the United States, but not 0:15:53.600 --> 0:15:57.320 long afterward received a visit from the FBI, who arrested him, 0:15:57.680 --> 0:16:01.600 and then the US extradited Dr Pop to Britain on 0:16:01.760 --> 0:16:06.800 charges of blackmail and criminal damage. Pop's lawyers would claim 0:16:06.880 --> 0:16:09.800 that Pop was planning on using that money from his 0:16:09.880 --> 0:16:14.080 scheme to fund alternative AIDS research, kind of framing his 0:16:14.120 --> 0:16:15.800 defense in such a way as to make it seem 0:16:15.840 --> 0:16:18.400 as though Pop was responding to what he saw as 0:16:18.440 --> 0:16:22.800 a flawed approach to tackling this global crisis. Now, as 0:16:22.840 --> 0:16:26.240 I mentioned earlier, it took far too long for most 0:16:26.280 --> 0:16:29.840 of the world to take the AIDS crisis seriously, so 0:16:30.000 --> 0:16:32.360 this narrative had a bit of an appeal to it. 0:16:32.400 --> 0:16:36.400 There was evidence that the world was not responding quickly 0:16:36.720 --> 0:16:41.520 or appropriately to this problem, so he was kind of 0:16:41.600 --> 0:16:44.800 like a Robin Hood figure at least by this story, 0:16:44.880 --> 0:16:48.640 you know, stealing from bloated bureaucracies that were spending more 0:16:48.680 --> 0:16:52.560 money on infrastructure than on actual research. Or at least 0:16:52.920 --> 0:16:56.160 that was the narrative that his lawyers wanted people to accept, 0:16:56.440 --> 0:17:00.240 but there were some potential alternative motivations. The guard In 0:17:00.280 --> 0:17:03.480 newspaper published an article that revealed that Dr Pop had 0:17:03.520 --> 0:17:05.960 recently applied for a job with the w h O 0:17:06.480 --> 0:17:10.439 but had been rejected, so it's possible that the malware 0:17:10.560 --> 0:17:14.600 was an act of vindictive revenge for being snubbed. The 0:17:14.640 --> 0:17:18.720 actual trial was a huge mess for many reasons. One 0:17:18.760 --> 0:17:20.959 big one, as I mentioned, is that the legal system 0:17:21.000 --> 0:17:24.160 didn't yet have a framework for cyber crimes like this, 0:17:24.600 --> 0:17:27.879 so they had to apply older crimes in the charge. 0:17:28.160 --> 0:17:32.240 But another was Pop's own behavior. Reportedly, he would show 0:17:32.320 --> 0:17:35.119 up to court while wearing a cardboard box on his head, 0:17:35.320 --> 0:17:38.400 or he would put curlers in his beard or a 0:17:38.440 --> 0:17:41.399 condom on his nose, and he claimed that it was 0:17:41.440 --> 0:17:45.080 to ward off radiation. The judge in the case ultimately 0:17:45.160 --> 0:17:49.280 ruled that Dr Pop was unfit to stand trial. Prosecutors 0:17:49.280 --> 0:17:53.400 were frustrated, pointing out that a digital diary in Pop's 0:17:53.440 --> 0:17:57.399 possession revealed that this aid's trojan plan had been in 0:17:57.440 --> 0:18:01.879 development for well over a year, indicating that this was 0:18:01.920 --> 0:18:07.240 not some sort of spontaneous manic manifestation. And nevertheless, Pop 0:18:07.359 --> 0:18:10.320 was off the hook and he returned back home to 0:18:10.359 --> 0:18:15.480 the United States. He continued his work researching evolutionary biology. 0:18:15.520 --> 0:18:18.240 According to some sources that came across. He also spent 0:18:18.280 --> 0:18:21.560 a lot of time pushing some rather unorthodox ideas about 0:18:21.680 --> 0:18:27.800 human reproduction that I find at best misogynistic. Anyway, he 0:18:27.920 --> 0:18:31.520 passed away in two thousand seven. His legacy includes not 0:18:31.640 --> 0:18:35.959 just the first case of ransomware, but also a lovely 0:18:36.080 --> 0:18:39.879 butterfly conservatory in Cooperstown, New York. For real, So I 0:18:39.880 --> 0:18:43.399 mean that Joseph L. Pop Junior Butterfly Conservatory is a 0:18:43.440 --> 0:18:47.280 place you can visit, you know, when things are more safe. 0:18:48.000 --> 0:18:50.280 When we come back, I'll talk a bit more about 0:18:50.280 --> 0:18:53.760 the encryption method Pop used and why the ransomware of 0:18:53.800 --> 0:18:57.359 today is far more dangerous. But first let's take a 0:18:57.480 --> 0:19:08.800 quick break. When Pop designed his malware, he had a 0:19:08.840 --> 0:19:11.840 limited tool set. When it came to encrypting the files 0:19:11.840 --> 0:19:17.520 on target computers, he used a process called symmetric key encryption. Now, 0:19:17.560 --> 0:19:20.639 the name gives us a hint about how this works. 0:19:21.160 --> 0:19:25.399 You've got a key to encode and decode text, and 0:19:25.480 --> 0:19:29.040 that key is the same for both parties that are 0:19:29.080 --> 0:19:32.800 trying to communicate secretly. You each have an exact copy 0:19:33.000 --> 0:19:36.840 of this key. This is easier to understand with an analogy. 0:19:37.080 --> 0:19:39.399 So let's say that you and I both have a 0:19:39.520 --> 0:19:43.760 Captain Crusader decoder ring, and I can write a message 0:19:43.960 --> 0:19:47.000 in plain old English, and then I use this decoder 0:19:47.119 --> 0:19:50.800 ring to encode that message so that it looks like 0:19:50.840 --> 0:19:55.119 a meaningless jumble of letters, numbers, and symbols. I send 0:19:55.160 --> 0:19:58.879 you the encoded message. You have your own ring, which 0:19:59.040 --> 0:20:01.760 in every way is a duplicate of the one I have, 0:20:02.280 --> 0:20:05.480 and using your ring, you reverse the process. You turn 0:20:05.520 --> 0:20:09.600 each coded letter back into the original uncoded text, and 0:20:09.640 --> 0:20:13.800 after some work, voila, you have the original message. You 0:20:13.920 --> 0:20:17.399 probably see the limitations of this approach right away. It 0:20:17.440 --> 0:20:20.960 depends upon the various parties having access to a private 0:20:21.080 --> 0:20:26.040 encryption key. If anyone else should get hold of that key, 0:20:26.080 --> 0:20:31.000 they could conceivably reverse the encryption process on any intercepted message. 0:20:31.359 --> 0:20:35.080 So the encryption method only works if the keys remain secret, 0:20:35.600 --> 0:20:38.800 and that's tricky because you first have to make sure 0:20:38.840 --> 0:20:43.280 that both parties have the secret key, and getting a 0:20:43.359 --> 0:20:48.520 secret key to somebody securely is its own problem. Moreover, 0:20:48.960 --> 0:20:53.000 this type of encryption can be vulnerable to cryptanalysis, that is, 0:20:53.320 --> 0:20:57.359 efforts of others to reverse the process without a key 0:20:57.400 --> 0:21:00.680 in an effort to determine what the key is. This 0:21:00.760 --> 0:21:03.280 is something that happened a lot during World War Two, 0:21:03.359 --> 0:21:06.960 where both the Axis and the Allied powers worked hard 0:21:07.000 --> 0:21:10.200 to crack the codes of the opposition and then try 0:21:10.240 --> 0:21:12.399 to keep the fact that they had cracked the codes 0:21:12.600 --> 0:21:16.439 secret long enough to capitalize on the discovered information. The 0:21:16.520 --> 0:21:22.440 limitations of symmetric key cryptography made ransomware largely an impractical 0:21:22.600 --> 0:21:26.240 method to make some cash. With a wide enough spread, 0:21:26.440 --> 0:21:28.840 you might get some hits from people who lack the 0:21:28.920 --> 0:21:33.720 information or access to information to make an informed decision, 0:21:34.040 --> 0:21:37.760 So a few targets might panic and capitulate, but it's 0:21:37.760 --> 0:21:40.919 not the most reliable means of pulling off a big heist. 0:21:41.440 --> 0:21:45.880 A few years after Dr Pop's attempt, a pair of researchers, 0:21:46.359 --> 0:21:50.000 or as some have written, a cryptographer and a hacker, 0:21:50.520 --> 0:21:53.920 laid out the strategies that they expected to see used 0:21:54.000 --> 0:21:58.800 in future ransomware attacks, and they were right. The two 0:21:58.840 --> 0:22:03.600 were multi Yng and Adam L Young, Young and Young. 0:22:04.160 --> 0:22:07.679 They were working together to anticipate future problems, and just 0:22:07.760 --> 0:22:10.200 to be clear here, they were looking at the challenges 0:22:10.400 --> 0:22:14.480 from the perspective of a potential attacker, which is important 0:22:14.520 --> 0:22:18.520 because that's what the attackers are doing all the time right. 0:22:18.840 --> 0:22:21.640 I mean this is similar to white hat hackers, who 0:22:21.680 --> 0:22:25.520 operate the same way as a malicious attacker, but for 0:22:25.560 --> 0:22:28.879 the purposes of figuring out where vulnerabilities are within a 0:22:29.000 --> 0:22:32.359 system and in an effort to design a more effective 0:22:32.400 --> 0:22:37.040 digital security measure. Young and Young started to ask some 0:22:37.280 --> 0:22:41.280 pretty simple questions and come up with answers. So let's 0:22:41.280 --> 0:22:44.879 say you want to design some malware. You know for 0:22:44.960 --> 0:22:48.240 some reason, you'd probably have a checklist of things you 0:22:48.280 --> 0:22:52.880 would want for that malware. Now, depending upon your motivations, 0:22:53.240 --> 0:22:56.240 you might want the malware to remain hidden from view 0:22:56.359 --> 0:23:00.240 as well. If you're making a statement with malware, that's 0:23:00.280 --> 0:23:03.199 probably not the case. Maybe you want to hijack computer 0:23:03.280 --> 0:23:07.280 systems and display some sort of anarchistic message on monitors. 0:23:07.600 --> 0:23:09.800 But if your goal is to do something else like 0:23:10.160 --> 0:23:14.920 secretly monitor communications or steal information, or spread an infection 0:23:14.960 --> 0:23:18.600 to other computers on a connected system, chances are you 0:23:18.680 --> 0:23:21.760 don't want people detecting the malware right away. But let's 0:23:21.800 --> 0:23:24.080 say you actually want people to know that their machines 0:23:24.119 --> 0:23:27.399 are infected, because the whole point of your malware is 0:23:27.440 --> 0:23:30.440 to extort money from the owners of the target systems, 0:23:30.760 --> 0:23:32.639 and you can only do that if they realize that 0:23:32.680 --> 0:23:36.480 they've been targeted. You'll have a few other considerations at play. 0:23:36.520 --> 0:23:39.400 For example, you probably don't want people to be able 0:23:39.440 --> 0:23:43.119 to remove the malware easily before it can actually do 0:23:43.240 --> 0:23:46.720 its work. Young and Young compared this to the face 0:23:46.800 --> 0:23:50.560 hugger in the Alien franchise of films. Once the face 0:23:50.640 --> 0:23:54.479 hugger latches onto a person, any attempts to remove it 0:23:54.600 --> 0:23:58.600 from the victim cause injury to the victim. So a 0:23:58.640 --> 0:24:01.879 malware designer will likely want to make it difficult or 0:24:01.920 --> 0:24:05.679 impossible to remove the malware without causing harm to the 0:24:05.720 --> 0:24:10.360 target machine. It reduces the incentive to just rip out 0:24:10.400 --> 0:24:13.720 the malware, So you want your malware to be like 0:24:13.960 --> 0:24:17.399 a barbed arrow. Removing the arrow has the potential to 0:24:17.480 --> 0:24:20.560 cause even more damage than it creates, an opportunity to 0:24:20.560 --> 0:24:24.080 convince people to pay up rather than risk their data 0:24:24.160 --> 0:24:27.320 being out of reach forever. The question then arises, how 0:24:27.359 --> 0:24:29.840 do you make sure the attack is one that isn't 0:24:29.920 --> 0:24:35.120 easily reversible? How do you avoid the weakness of pops approach? 0:24:35.880 --> 0:24:39.879 And their answer wasn't Another approach to cryptography, one that 0:24:40.080 --> 0:24:43.520 had its history dating back several decades. This approach called 0:24:43.640 --> 0:24:48.840 asymmetric key or public private key cryptography sidestep the major 0:24:48.920 --> 0:24:53.640 vulnerabilities of the symmetric key approach. Now I'll describe what's 0:24:53.640 --> 0:24:57.080 going on from a very high level, and just to 0:24:57.160 --> 0:24:59.760 let you guys know, I'm not going to go into 0:24:59.800 --> 0:25:03.360 a deep dive into detail because it's a very complicated 0:25:03.400 --> 0:25:07.000 concept to unwrap and it merits its own episode. In fact, 0:25:07.119 --> 0:25:11.880 I've actually done episodes about this. But with a symmetric key, 0:25:12.040 --> 0:25:15.480 the two parties in communication are using exact copies of 0:25:15.520 --> 0:25:21.119 the same encoding and decoding component. But with an asymmetric key, 0:25:21.200 --> 0:25:25.520 you've got one key that encodes and a different key 0:25:25.560 --> 0:25:30.639 that decodes, and that's it. Communication goes one way for 0:25:30.720 --> 0:25:34.159 each set of keys. This allows for a public key 0:25:34.200 --> 0:25:38.240 for encoding and a private key for decoding. So again 0:25:38.320 --> 0:25:41.600 let's talk about examples. Let's say I want to send 0:25:41.760 --> 0:25:45.760 you an encrypted message, and that way, anyone who intercepts 0:25:45.840 --> 0:25:48.359 my communication to you would just see a garbled mess 0:25:48.359 --> 0:25:52.200 of nonsense. Now you have your own private key and 0:25:52.280 --> 0:25:55.680 there is a corresponding public key, and you have made 0:25:55.960 --> 0:25:59.640 the public key truly public. Anyone in the world can 0:25:59.760 --> 0:26:03.960 use it to send you encrypted messages. So I use 0:26:04.119 --> 0:26:07.520 your public key to encode my message to you. Now 0:26:07.560 --> 0:26:10.520 we've got an encrypted message, one that could only be 0:26:10.680 --> 0:26:13.879