Stolen nude photos and hacked defibrillators: is this the future of ransomware?
Hackers behind attacks such as WannaCry might not have become hugely rich, but that doesn’t mean they are going to give up any time soon
By Alex Hern
Aug 3 2017
The destructive potential of ransomware, the malicious software that is used to extort money from victims, is huge: in the first half of 2017, two major outbreaks, WannaCry and NotPetya, led to service outages from organisations around the world.
A third of the UK’s National Health Service was hit by WannaCry, and the outbreak was estimated by risk modelling firm Cyence to have cost up to $4bn in lost revenues and mitigation expenses. Then, a month later, NotPetya (so-called because it is not Petya, another type of ransomware with which it was initially mistaken), brought down a significant chunk of the Ukrainian government, pharmaceutical company Merck, shipping firm Maersk, and the advertising agency WPP, as well as the radiation monitoring system at Chernobyl.
But while both outbreaks wrought huge costs on the organisations they infected, they were surprisingly unrewarding for their creators.
The WannaCry payment address has taken just $149,545 (£113,814) to date, while the NotPetya address took much less: £8,456 ($11,181).
The problem the criminals face, says Marcin Kleczynski, the chief executive of information security firm Malwarebytes, is that “people have become desensitised to common ransomware, where it just encrypts your files”. The criminals hope that people will face the loss of their digital memories, or critical business documents, and pay a few hundred dollars for the key to decrypt them. In practice, says Kleczynski, a growing number of victims simply shrug their shoulders and restore from a back-up.
“You look at the bitcoin addresses, they’re not well-funded. You see a couple of thousand dollars at best,” he adds. “So how does the criminal step up his or her game?”
Kleczynski, and his colleague, Adam Kujawa, who directs research at Malwarebytes, predict that criminals will evolve new ways of encouraging victims, both corporate and individual, to pay up rather than simply restoring from back-ups and ignoring the payment request.
New on the scene is a form of ransomware known as “doxware,”. “Basically what it says is ‘pay, or we’ll take all the stuff we encrypted and we’ll put it online with your name on it’,” says Kujawa.
The name comes from “doxing”, the term for publishing private information on the internet to bully, threaten or intimidate, and the idea of automating it isn’t hypothetical. A number of similar attacks have already occurred in the wild. At one end of the spectrum was the Chimera ransomware, which hit German companies in 2015. The malware encrypted files and asked for around £200 ($260) to return them, but also came with the warning that if victims did not pay up, “we will publish your personal data, photos and videos and your name on the internet”.
Chimera, however, didn’t actually have the capability to publish anything online – the warning was bluster, designed to scare victims into paying up. But in other cases, the threat of publishing data is very real.
In May, hackers stole files from a Lithuanian plastic surgery clinic, containing highly personal information about 25,000 former clients: names, addresses and procedures performed, as well as passport scans, national insurance numbers and nude photos of patients. They put the database online through the encrypted network Tor, and asked for payments from individual patients to remove their personal information from the site. Prices started at €50 for those patients who just had names and addresses in the site, but rose to €2,000 for the more invasive information stolen.
Just this week, HBO faced its own threat, with 1.5TB of video stolen by hackers – including unaired episodes of Game of Thrones – and being held to ransom.
But currently, the hack-and-leakers are working on a manual, boutique basis: picking their targets where they can find them, and doing the hard work of monetising the attack manually.