Welcome to TechStuff, a production from iHeartRadio. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio and I love all things tech. Now, let me paint you a scenario, or, as my quasi alter ego would say over on Ridiculous History, a sonario. You sit down to your computer. Maybe you're about to do some work, or maybe you're planning on, you know, being totally sus
while claiming to work on wires in Among Us. Maybe you just want to watch an episode of The Haunting of Bly Manor. But whatever the reason, you encounter an unexpected problem. Your computer won't come out of lock mode. Instead, you get an ominous message. Someone has locked down your computer, creating a new password to keep you out. If you don't cough up a certain amount of money by a certain time, something bad will happen.
Maybe that something bad is that the intruder will lock down your computer forever. Maybe they will convert all the data on your computer to gibberish. Maybe they'll fill up your computer with garbage data to turn it into a useless device. Or maybe they'll use the information stored on your computer against you in some way, à la blackmail. You
have been hit by ransomware. Ransomware is a subset of malware, or what we goofuses in the old days lumped under the general term computer virus, though as it turns out, that's not accurate. Really, ransomware is ugly stuff, and it can cause enormous problems for people and organizations. There are dozens of stories of computer systems and critical infrastructure being hit by ransomware. One target that seems to get hit fairly frequently would be hospitals. That is particularly ugly, and
even more so during a pandemic. So in this episode, we're going to explore the history of ransomware, how it works in general, and some stories on how it's been used and what people did in response. Now, often with these topics, I have to give pretty vague estimations of when something got started, sometimes even having to resort to using a decade rather than a specific year. Thankfully, I guess for ransomware, the origin story is fairly well established.
Now I cannot for certain state that this is categorically the very first case of ransomware, but generally speaking people accept it as such, and so we come to the odd, sinister and absurd story of the AIDS Trojan. Now, in this case, a trojan is also a subset of malware. It's really more of a delivery system for malware, and one that a lot of folks are probably familiar with
by concept, if not by name. The name Trojan references the story of the Trojan Horse, in which the Greek forces that had been laying siege to the city of Troy got a great idea. Hey, said the Greek forces, what if we pretend to give them a really big present, only instead of, you know, I don't know, chocolate or whatever, they find out that it's actually some secret Greek task force.
That task force will be inside Troy without having to break through the walls, and then they could actually open up the gates and let the rest of us in. And so the story goes, the Greeks constructed a massive wooden horse, hiding the warriors inside of the horse and then leaving it out for the Trojan forces to bring into the city while the rest of the Greek forces
pretended to sail away. Well, according to the story, the Trojans celebrated and they pulled the massive wooden horse into the city as a kind of war trophy, and the Greek warriors inside the horse snuck out at night, opened up the city gates, and then the returning Greek forces just sauntered their way in, conquering the city. In the world of malware, a trojan is some sort of program or application that appears to be legitimate but is secretly
carrying along some malware. A lot of malware falls into this category or uses similar tactics to get people to, you know, actually install the malware on their computers. When file sharing became a huge trend as peer-to-peer networks took off, one of the biggest dangers wasn't that a movie studio or a record studio was going to come after you with some absurdly overblown lawsuit. Although those
did happen. The bigger threat was that one of those files you downloaded was actually malware in disguise, or it had malware embedded within the program just waiting to be unleashed. The AIDS Trojan was called that because it had to do with events surrounding the AIDS crisis, and it was actually distributed on diskette. This was pre-Internet days. Well, the Internet was around, but not many people were using it.
This was nineteen eighty nine. So the person who made this malware saved the malware onto diskettes disguised as a legitimate program. Only that he did it to twenty thousand discs, and I imagine that must have taken a very long time. So who received those discs? Who was on the target side? Well, the discs went to people who were part of a nineteen eighty nine World Health Organization conference on the AIDS crisis. And who was the mastermind behind this plot? Well, that would be Dr. Joseph L. Popp,
an evolutionary biologist and AIDS researcher. Okay, so let's get some more context. The medical community first began identifying medical cases that in retrospect we would understand to be related to acquired immunodeficiency syndrome, or AIDS, back in nineteen eighty one. The CDC would first use the term AIDS in September. The World Health Organization would hold
its first meeting to discuss the global situation in nineteen eighty three. Now, despite the clear danger, many countries, including the United States, failed to take this crisis very seriously at first, in large part because it was seemingly affecting only gay men, and the general social attitude toward homosexuality in these countries, including the United States, was at the very least uninviting,
which is putting it lightly. By nineteen eighty nine, the US government couldn't sit by idly, and Congress created the National Commission on AIDS. Dr. Anthony Fauci, and yes, I'm talking about that Dr. Fauci, the same one today who's advocating social distancing and using masks during our COVID pandemic, well, back then he was endorsing giving HIV positive people access to experimental treatments, even if those people did not technically qualify for clinical trials, because that man is a freaking legend.
And just to be clear, HIV is human immunodeficiency virus.
That's the virus that can lead to AIDS. The number of AIDS cases in the United States at that point reached one hundred thousand, and the WHO, the World Health Organization, estimated that there were up to four hundred thousand cases around the world, and in some parts of the world, like Africa, the medical establishment was woefully underprepared to treat infected people and outbreaks were rampant, and all of this is important when we get to
motives behind this trojan malware a little bit later on. That's why I needed to set the stage. So Dr. Popp had been a collaborating member of a group called the Flying Doctors, and that itself was a branch of the African Medical Research Foundation. Popp had served as a consultant for the World Health Organization in Kenya and had
even organized AIDS related conferences himself. So Dr. Popp takes a look at the list of attendees to this WHO conference and mails twenty thousand people and various organizations a diskette, and the disc's label stated that it was, quote, an AIDS Information Introductory Diskette, end quote, from a company called PC Cyborg Corporation, a fictional company of Dr.
Popp's invention. Now, if you were to insert the diskette into a PC and then run the program, you would encounter a seemingly straightforward survey, you know, a questionnaire about AIDS. But in the background, the malware was infecting the AUTOEXEC.BAT file in the root directory for the PC. Now, this file is the startup file for a computer of that era. It's in charge of booting up a computer and activating all the components to work with the operating system.
It sets up everything to move forward when you are actually using your computer, so when you power it on, this is the program that sets everything up. And then, like the Greek soldiers in our legend about the city of Troy, the malware would lie in wait for the
right moment to strike. But instead of waiting for night to fall, the malware would keep count of how many times the program had been activated, although actually some sources say it tracked how frequently the computer system was rebooted or turned on, so different reports have conflicting information about this, but generally speaking, it was keeping track of how frequently the system was being used, and eventually, typically around either
the program activation or reboot number ninety, the malware would then initiate the actual attack. So it would wait until this counter had hit ninety instances of this thing happening. The program would then encrypt all the files on the C drive of the host machine, which is where most files lived. The C drive is kind of the default drive on PC machines, and it rendered those files inaccessible to the user, and it would also launch
a ransom message. Now, if you search for this stuff online, you're likely to come across a picture of a screen that has a message that starts with, quote, Attention, I have been elected to inform you that throughout your process of collecting and executing files, and so on and so on. It then goes on to drop some expletives, so I'm not going to quote the whole thing on here. This show is family friendly, for the most part. And the message also gloats over the fact that the computer has
been infected by a virus. But that is not the actual message that popped up with the AIDS Trojan. It's frequently used in articles that are about the AIDS Trojan, but that's not what users saw. For one thing, that message has no information regarding the actual ransom, which for ransomware is kind of an important step. The message that gets shown all over the place concludes by saying, quote, rememb member, and that's actually the way it's written, that's misspelled,
there is no cure for AIDS, end quote. So I just want to clear up the confusion. That was not the message that Dr. Popp's ransomware used. Instead, the actual message came across as more official and less of a Nelson from The Simpsons pointing and saying ha ha. The real message starts off as, quote, Dear customer, it is time to pay for your software lease from PC Cyborg Corporation. Complete the invoice and attach payment for the lease option
of your choice, end quote, and the two choices offered included a yearly lease for one hundred eighty-nine dollars or a lifetime lease for three hundred seventy-eight dollars. In either case, the user was instructed to pay in the form of a banker's draft, a cashier's check, or international money order payable to PC Cyborg Corporation to a post
office box located in Panama. Now, presumably, after paying this so-called lease, you would receive a way to decrypt the files on your computer from the PC Cyborg Corporation. But the timeline for how this all shook out was a bit too short to know for sure whether or not Dr. Popp would have sent anything out, because I'm not even sure that Dr. Popp had a chance to retrieve anything from that post office box before it all
went down. Now, the fact that the malware didn't go into action immediately, that it would wait a bit before striking, meant that the outbreak of infected computers was a little staggered. The first reports of the computer virus came out of England, and that's also when it first became clear that this was a new type of crime, one that wasn't covered in the law books explicitly, which would force prosecutors to rely on older laws and hope that those laws could maybe
bend enough to apply to this brand new crime. As news of the virus spread through the medical research community, some organizations took extreme steps. The newspaper The Independent reported that an AIDS organization in Italy chose to delete data off of infected machines and they lost ten years of work in the process. Now, as it turned out, that was an extreme overreaction, but this was a new type of crisis, so I can't really put too much blame here.
While computer scientists started to tackle the technological problem of how to decrypt infected computers, Scotland Yard's Computer Unit launched its largest investigation at that point to try and track down the perpetrator, and Dr. Popp might have even slipped away without anyone ever knowing about his involvement, except for his odd behaviors, which gave him away. Researchers figured out
how to decrypt the machines. They created a decryption tool called AIDSOUT, for example, that would reverse the process on an infected computer, so you could decrypt your own files. If Dr. Popp had just kept a low profile, the AIDS Trojan might have entered computer lore as a great unsolved mystery. But Dr. Popp was behaving in odd ways. Shortly after mailing out the discs, he attended an AIDS seminar in Nairobi, and while this was a short time after the infected discs had hit the targets, it was
already becoming a big point of conversation. It was like less than two weeks after he had mailed out the discs, and maybe that unnerved Dr. Popp. As he was traveling back to the United States, he had a layover at an airport in Amsterdam, and he wrote the phrase Dr. Popp has been poisoned on a fellow traveler's suitcase. That did not go unnoticed, and authorities decided they wanted to
have a little word with Dr. Popp. Upon searching his luggage, the authorities found material with the label PC Cyborg Corporation, the fictional company at the heart of the ransomware. Popp was allowed to return to the United States, but not long afterward received a visit from the FBI, who arrested him, and then the US extradited Dr. Popp to Britain on
charges of blackmail and criminal damage. Popp's lawyers would claim that Popp was planning on using the money from his scheme to fund alternative AIDS research, kind of framing his defense in such a way as to make it seem as though Popp was responding to what he saw as a flawed approach to tackling this global crisis. Now, as I mentioned earlier, it took far too long for most of the world to take the AIDS crisis seriously, so this narrative had a bit of an appeal to it.
There was evidence that the world was not responding quickly or appropriately to this problem, so he was kind of like a Robin Hood figure at least by this story, you know, stealing from bloated bureaucracies that were spending more money on infrastructure than on actual research. Or at least that was the narrative that his lawyers wanted people to accept,
but there were some potential alternative motivations. The Guardian newspaper published an article that revealed that Dr. Popp had recently applied for a job with the WHO but had been rejected, so it's possible that the malware was an act of vindictive revenge for being snubbed. The actual trial was a huge mess for many reasons. One big one, as I mentioned, is that the legal system didn't yet have a framework for cyber crimes like this, so they had to apply older crimes in the charge.
But another was Popp's own behavior. Reportedly, he would show up to court while wearing a cardboard box on his head, or he would put curlers in his beard or a condom on his nose, and he claimed that it was to ward off radiation. The judge in the case ultimately ruled that Dr. Popp was unfit to stand trial. Prosecutors were frustrated, pointing out that a digital diary in Popp's possession revealed that this AIDS Trojan plan had been in development for well over a year, indicating that this was
not some sort of spontaneous manic manifestation. Nevertheless, Popp was off the hook and he returned back home to the United States. He continued his work researching evolutionary biology, according to some sources that I came across. He also spent a lot of time pushing some rather unorthodox ideas about human reproduction that I find at best misogynistic. Anyway, he passed away in two thousand seven. His legacy includes not just the first case of ransomware, but also a lovely
butterfly conservatory in Cooperstown, New York. For real. So I mean that the Joseph L. Popp Jr. Butterfly Conservatory is a place you can visit, you know, when things are more safe. When we come back, I'll talk a bit more about the encryption method Popp used and why the ransomware of today is far more dangerous. But first let's take a quick break. When Popp designed his malware, he had a limited tool set. When it came to encrypting the files
on target computers, he used a process called symmetric key encryption. Now, the name gives us a hint about how this works. You've got a key to encode and decode text, and that key is the same for both parties that are trying to communicate secretly. You each have an exact copy of this key. This is easier to understand with an analogy.
So let's say that you and I both have a Captain Crusader decoder ring, and I can write a message in plain old English, and then I use this decoder ring to encode that message so that it looks like a meaningless jumble of letters, numbers, and symbols. I send you the encoded message. You have your own ring, which in every way is a duplicate of the one I have, and using your ring, you reverse the process. You turn each coded letter back into the original uncoded text, and
after some work, voila, you have the original message. You probably see the limitations of this approach right away. It depends upon the various parties having access to a private encryption key. If anyone else should get hold of that key, they could conceivably reverse the encryption process on any intercepted message. So the encryption method only works if the keys remain secret, and that's tricky because you first have to make sure that both parties have the secret key, and getting a
secret key to somebody securely is its own problem. Moreover, this type of encryption can be vulnerable to cryptanalysis, that is, efforts of others to reverse the process without a key in an effort to determine what the key is. This is something that happened a lot during World War Two, where both the Axis and the Allied powers worked hard to crack the codes of the opposition and then try to keep the fact that they had cracked the codes
secret long enough to capitalize on the discovered information. The limitations of symmetric key cryptography made ransomware largely an impractical method to make some cash. With a wide enough spread, you might get some hits from people who lack the information or access to information to make an informed decision, So a few targets might panic and capitulate, but it's not the most reliable means of pulling off a big heist.
A few years after Dr. Popp's attempt, a pair of researchers, or as some have written, a cryptographer and a hacker, laid out the strategies that they expected to see used in future ransomware attacks, and they were right. The two were Moti Yung and Adam L. Young, Young and Yung.
They were working together to anticipate future problems, and just to be clear here, they were looking at the challenges from the perspective of a potential attacker, which is important because that's what the attackers are doing all the time, right? I mean, this is similar to white hat hackers, who operate the same way as a malicious attacker, but for the purposes of figuring out where vulnerabilities are within a system and in an effort to design a more effective
digital security measure. Young and Yung started to ask some pretty simple questions and come up with answers. So let's say you want to design some malware, you know, for some reason. You'd probably have a checklist of things you would want for that malware. Now, depending upon your motivations, you might want the malware to remain hidden from view as well. If you're making a statement with malware, that's
probably not the case. Maybe you want to hijack computer systems and display some sort of anarchistic message on monitors. But if your goal is to do something else like secretly monitor communications or steal information, or spread an infection to other computers on a connected system, chances are you
don't want people detecting the malware right away. But let's say you actually want people to know that their machines are infected, because the whole point of your malware is to extort money from the owners of the target systems, and you can only do that if they realize that they've been targeted. You'll have a few other considerations at play. For example, you probably don't want people to be able to remove the malware easily before it can actually do
its work. Young and Yung compared this to the face hugger in the Alien franchise of films. Once the face hugger latches onto a person, any attempts to remove it from the victim cause injury to the victim. So a malware designer will likely want to make it difficult or impossible to remove the malware without causing harm to the target machine. It reduces the incentive to just rip out the malware. So you want your malware to be like
a barbed arrow. Removing the arrow has the potential to cause even more damage, and that creates an opportunity to convince people to pay up rather than risk their data being out of reach forever. The question then arises, how do you make sure the attack is one that isn't easily reversible? How do you avoid the weakness of Popp's approach? And their answer was another approach to cryptography, one that
had its history dating back several decades. This approach, called asymmetric key or public-private key cryptography, sidesteps the major vulnerabilities of the symmetric key approach. Now I'll describe what's going on from a very high level, and just to let you guys know, I'm not going to go into a deep dive into detail because it's a very complicated concept to unwrap and it merits its own episode. In fact,
I've actually done episodes about this. But with a symmetric key, the two parties in communication are using exact copies of the same encoding and decoding component. But with an asymmetric key, you've got one key that encodes and a different key that decodes, and that's it. Communication goes one way for each set of keys. This allows for a public key for encoding and a private key for decoding. So again
let's talk about examples. Let's say I want to send you an encrypted message, and that way, anyone who intercepts my communication to you would just see a garbled mess of nonsense. Now you have your own private key and there is a corresponding public key, and you have made the public key truly public. Anyone in the world can use it to send you encrypted messages. So I use your public key to encode my message to you. Now we've got an encrypted message, one that could only be
decoded by the private key. There's only one of those, and it's in your possession, and that one you are not sharing with nobody. Gosh darn it. So with a public private key, everyone can send you encrypted messages. Only you can decrypt them to see the original text. The public key cannot be used for decoding. It can only be used for encoding. But then, what if you wanted to send a reply message to me, then you wanted
to encrypt it. Well, in that case, you would use my public key, the one I have for anyone to send me an encrypted message. You send your encoded message to me, and then I use my private key to decipher that message and read the contents. So we're using two different sets of keys here, two public and two private keys. Now, why is this important for ransomware? Well, asymmetric keys are harder to crack through cryptanalysis. You cannot
reverse engineer them nearly as effectively. They typically rely on factoring really big numbers. So, for example, take two enormous prime numbers, and a prime number is a number that can only be divided by itself. So you multiply these two huge prime numbers together, and thus you get an even bigger number that is the product of these two being multiplied. This bigger number, you can think of
that as the public key. If you happen to know the two factors that were used to create that bigger number, then you can decode messages that use that public key. That would technically be the private key. But by choosing really really big prime numbers, you've created a difficult computational challenge. A computer system would have to go through all the factors of that big number and then dismiss any of
the factors that are not themselves prime numbers. So if one of the factors were something like a four, you would toss that one. That could not possibly be one of the components you need, because four can be divided by two, so four is not a prime number. You get rid of it. You get rid of all the non-prime factors. Then you would have to find the specific pair of really big prime numbers that were
used to create this private key. Now this isn't impossible, but as you use larger prime numbers, it gets more computationally complex and it requires more processing power and thus more time to crack it. Time is a precious resource, you know, you can think of time as money, so you don't even need to make the encryption foolproof. You just need to make it good enough so that
it is too expensive for anyone to bother trying to crack it. Anyway, this type of cryptography is fascinating, and like all cryptography, it becomes a sort of seesaw approach as people find new ways to decrypt things more effectively and efficiently. Young and Yung projected that future ransomware designers would make use of asymmetric cryptography approaches to make it more difficult to reverse the attack, and it would just be easier for
people to pay the hackers the ransoms. So in other words, you might say, well, they're asking for ten thousand dollars, but the value of my data is incredibly high, and the price of reversing this attack could end up being much more expensive than ten grand, so we'll just cough up the money. Young and Yung called this cryptoviral extortion, defining it as, quote, an active attack in which the hybrid encrypts the victim's files. Works if there are no backups.
Attacker demands ransom in return for the randomly generated symmetric key. Cannot determine decryption key even when code is scrutinized, end quote. Young also describes some related scenarios that are equally troubling, such as one in which malware infects a computer and then uses cryptography to encode specific information on that computer before broadcasting the information to the attacker, essentially sending secret
messages from the target machine. The attacker has created the keys for encoding and decoding, and thus only the attacker knows what information was even stolen. So even if someone detects that a security breach has happened, they couldn't be certain what information had been accessed. That's not great if you're handling supersensitive information like financial information or medical records
or military communications, etcetera. But I digress. When we come back, I'll dive into a little more detail on cryptoviral extortion methods and we'll talk about a few cases where we've seen it play out. But first let's take another quick break. Young and Yung pointed out that a cryptoviral extortion methodology really only works if a computer system lacks backups, and that's because you could potentially wipe an infected machine clean.
Right, you've been hit by ransomware, you could just completely reformat that machine. You can even uninstall and reinstall the operating system and all the necessary applications, and then restore the data from your backup. It doesn't matter if the attacker encrypted all the content on the computer, because you've
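What follows is an added example and is not part of the episode or its transcript. It is a small Python model of the two designs contrasted above: a Popp-style scheme in which the symmetric key is baked into the malware itself (the same weakness that later let analysts read Cryzip's password straight out of its DLL), next to Young and Yung's hybrid cryptoviral extortion, in which a fresh symmetric key encrypts the files, is wrapped with the attacker's public key, and is then discarded, so that scrutinising the code yields nothing. The file contents and the two malware "images" are constructed for the example, and the primitives are toy stand-ins, not secure: a SHA-256 keystream in place of a real cipher, and textbook RSA with no padding over two Mersenne primes (chosen so the example needs no primality test). The last function shows the factoring point from the decoder-ring discussion: whoever knows the two factors of the public modulus can derive the private key.

```python
"""Toy model of two ransomware key-handling designs. Constructed example; not secure crypto."""
import hashlib
import os
import re


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHA-256 counter keystream. The same call encrypts and decrypts.
    A stand-in for a real cipher such as AES, used only to keep this file dependency-free."""
    out = bytearray()
    for ctr, offset in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# Asymmetric layer: N = P * Q with P = 2^127 - 1 and Q = 2^107 - 1, both known Mersenne primes.
# N is about 234 bits, enough to wrap a 128-bit key; real RSA keys are 2048 bits or more.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537


def private_exponent(p: int, q: int, e: int = E) -> int:
    """d = e^-1 mod (p-1)(q-1). Anyone who knows the factors of N can compute this, which is
    why the public key is only as safe as factoring N is expensive."""
    return pow(e, -1, (p - 1) * (q - 1))


D = private_exponent(P, Q)  # stays with the attacker; it never ships inside the malware


def rsa_wrap(key: bytes, n: int = N, e: int = E) -> int:
    """Encrypt a 16-byte key to the public key (textbook RSA, no padding: toy only)."""
    return pow(int.from_bytes(key, "big"), e, n)


def rsa_unwrap(wrapped: int, d: int, n: int = N) -> bytes:
    return pow(wrapped, d, n).to_bytes(16, "big")


# Constructed victim files (made up for this example).
FILES = {
    "notes.txt": b"lab results, batch 7: inconclusive",
    "grant.doc": b"draft budget: 4 FTE, 2 years",
}


def popp_style(files: dict) -> tuple:
    """Scheme 1: encrypt with a key that is hard-coded in the malware image."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    image = b"PC Cyborg lease module\x00KEY=" + key.hex().encode() + b"\x00pay to P.O. box"
    return {name: stream_xor(key, data) for name, data in files.items()}, image


def scrape_hex_keys(image: bytes) -> list:
    """The analyst's move against Cryzip: pull every 32-hex-char run out of the binary."""
    return [bytes.fromhex(m.decode()) for m in re.findall(rb"[0-9a-f]{32}", image)]


def victim_recovers(encrypted: dict, image: bytes) -> dict:
    """Try each scraped candidate key; accept it only if every file decrypts to plain ASCII."""
    for cand in scrape_hex_keys(image):
        plain = {name: stream_xor(cand, c) for name, c in encrypted.items()}
        if all(p.isascii() for p in plain.values()):
            return plain
    return {}  # nothing inside the code decrypts the files


def hybrid_extortion(files: dict) -> tuple:
    """Scheme 2: per-victim random key, wrapped to the attacker's public key, then dropped."""
    session = os.urandom(16)
    encrypted = {name: stream_xor(session, data) for name, data in files.items()}
    wrapped = rsa_wrap(session)
    image = (b"cryptovirus\x00N=" + str(N).encode() + b"\x00E=" + str(E).encode()
             + b"\x00wrapped=" + str(wrapped).encode())
    del session  # the plaintext key now exists nowhere on the victim's machine
    return encrypted, wrapped, image


def attacker_releases_key(wrapped: int) -> bytes:
    """What the victim receives after paying: the session key, unwrapped with the private key."""
    return rsa_unwrap(wrapped, D)


def recover_with_factors(wrapped: int, p: int, q: int) -> bytes:
    """The only other way in: factor N. Here the factors are simply known."""
    return rsa_unwrap(wrapped, private_exponent(p, q))


if __name__ == "__main__":
    enc, img = popp_style(FILES)
    print("Popp style, key scraped from the binary:", victim_recovers(enc, img) == FILES)
    enc, wrapped, img = hybrid_extortion(FILES)
    print("hybrid, key scraped from the binary:", victim_recovers(enc, img) == FILES)
    key = attacker_releases_key(wrapped)
    print("hybrid, key released by attacker:", {n: stream_xor(key, c) for n, c in enc.items()} == FILES)
```

Running the file prints True, False, True: the scrape recovers the Popp-style key, finds nothing usable in the hybrid image, and only the attacker's private key (or the factors of N) opens the wrapped session key. The stand-ins are there to keep the example self-contained; a real implementation uses a vetted library's authenticated cipher and a padded RSA or elliptic-curve key wrap.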
got an unaffected copy of that material. I think what I'm trying to say here is that it's a good idea to make regular backups of your data, preferably onto a secondary storage device that you can keep in a safe location. There are a lot of external hard drive solutions out there, and many of them are not very expensive. So if you work on sensitive stuff, or let's say you've just got a lot of data that you're attached to, like maybe a lot of sentimental photos and videos and stuff,
I recommend investing in a backup. It's an extra step, and I get it, that can be a hassle, but it's better to have it and not need it than need it and not have it. Cloud storage can also be a solution, so that's also a potential, but you should definitely have a backup now. Young also said that an attacker could take a couple of different tactics
to make their approach more robust. And this gets pretty technical too, so I'm not going to go into any detail because to explain all of it would require another episode. But the point is that Young and Yung were anticipating the attacks that would happen in the future, and they published this paper. It would take about a decade before we started seeing ransomware attacks that kind of aligned with the predictions, but they were on
the way. And by the way, I think this is a good point for me to reaffirm my stance on this kind of work. So from one perspective, you could argue that this research accelerated the development of new approaches to ransomware. In other words, that by publishing these findings, Young and Yung were enabling the next wave of attackers. But on the other hand, figuring out potential vulnerabilities is important if you want to prevent people from exploiting those vulnerabilities.
So the good guys have to look at how to crack systems because that's what the bad guys are always doing. If good guys were not doing it too, then only the bad guys would be figuring out how to exploit systems, and we would be caught unawares far more often, with much more dire consequences as a result. Now, all that being said, there is a tendency even within the white hat community to communicate these discoveries in a way that comes across as you know, smug or snarky, or sometimes
even cruel. That's more of a commentary about communication style and the tendency to detach the significance of the consequences of an action from the problems of just solving tough computational challenges. But that's a soapbox for another episode. In the mid two thousand's we started to see slightly more sophisticated attempts at ransomware emerge. One ransomware was cry zip, and the name suggests that it used ZIP file compression technology as part of the attack. In fact, that's exactly
what it did. Essentially, if you were unlucky enough to have fallen for the tactic and installed the program, cry zip would crawl through your sea drive and select files to put into a password protected ZIP folder, and then it would delete all the original files. So rather than a hard drive full of files, you would see a folder with password protection on it, and the ransomware would place a t x T or text file on the drive that, if you opened, would of you instructions on
where you were to deposit money. In return, you would get the password to access your files. The hacker who designed this actually put the password within the d l L file for the ransomware itself, unencrypted too. I guess they just figured no one was going to go looking for it. But it turns out if you include your password with the protected stuff, it's not that protected. It's kind of like writing the password for your computer on a post it note and then putting the post it
note next to your computer. What's even the point. The Archivaus ransomware, which was based off of Chrysip, was another one that caused some mischief. In two thousand six, Mike Chrysip analysts found the password for the ransomware embedded within the code of the malware itself, and it was a thirty digit pass code. I'm not gonna read it, because who wants to hear a string of seemingly ran of
letters and numbers. The point is that if the code had not contained the passwords, it would have been a lot trickier to get around, But while some folks were tricked into installing the malware, the solution ended up being fairly straightforward in the end, so it didn't have as massive an impact as it could have. By ransomware was on the rise, in September of that year, hackers released
a particularly effective weapon called CryptoLocker. Like the other examples that I've mentioned, this malware, once it was installed, would encrypt files on Windows machines and then show a message demanding payment in exchange for the decryption key. One new twist is that the hackers were demanding the ransom be paid in bitcoins, the cryptocurrency that makes transactions difficult
to trace. If the hackers remained careful about how they accessed their ill-gotten gains, they could profit off their crime without much fear of being tracked by the authorities. The trojan horse attacks carrying CryptoLocker spread primarily through email attachments. The code could not replicate itself. It couldn't spread to other machines all on its own, so it wasn't a virus or a worm like other malware. Instead, the hackers created a botnet to spam out millions
of computers with emails carrying infected files. A botnet, by the way, is a network of computers, a.k.a. bots, that ultimately are under the control of a hacker or a group of hackers. There are other types of malware that can give a hacker remote access to your computer. Sometimes this is done just to snoop on communications, other times to turn your computer into a resource for the hackers. So in this case it was a resource. It was meant to help distribute emails, and these emails had the
infected attachments. This also comes with the bonus of creating some separation between the hacker and the emails. So, in other words, if authorities were to trace back where the email came from and they found out it came from your computer, and your computer had been compromised by this botnet, you could be on the hook at
least temporarily, while the hacker remains undetected. The cryptographic method used by CryptoLocker was pretty sophisticated, and unlike the earlier examples, the decryption key was not evident within the code of the malware itself. CryptoLocker used asymmetric keys, a public and a private one, and the hackers held on to both of them. A task force called Operation Tovar was able to discover the decryption keys another way, because the task force targeted the botnet, not the
actual ransomware directly. Doing this gave the team access to the decryption keys, but it took time, and in the gap between when the malware first hit the Internet and started to infect machines and when the task force had found the decryption keys, a lot of people and companies had given up and they had ponied up the cash to get their data back. Since CryptoLocker, numerous ransomware variants, many of them descended from CryptoLocker itself, have appeared
on the scene. The medical sector continues to be one that gets hit hard by this type of malware, and from a criminal's perspective, you can understand why: computers that are tied to the medical industry contain critical information. A lot of that information is private. It is protected by law, so for it to get revealed
would be a big legal problem as well. It's tied to patients frequently, and there is an enormous sense of urgency to regain access to that kind of information, and many medical establishments, including hospitals, lacked the robust backup infrastructure to recover in the event of a ransomware attack. And that's not just me throwing shade at hospitals for not
having appropriate backups. This is actually a really tricky area because you want that data to remain secure and private, and making copies of data creates an opportunity for data breaches. So it's a pretty delicate balance. Since CryptoLocker, we've seen a lot of other ransomware variants out in the wild. Locky, similar to CryptoLocker, targeted more than 160 different file types when infecting machines, particularly those file types that
are prevalent in areas like design and engineering. WannaCry, which made headlines in 2017, took advantage of an exploit in older Windows systems. Now, one juicy bit of information about that mess was that the United States National Security Agency, a.k.a. the NSA, had discovered this exploit, but then they sat on it. They were quiet about it, presumably so that the agency itself would be able to
take advantage of that exploit. Now, reporting the exploit would have given Microsoft the chance to patch the problem, so the NSA said nothing at all so that they could take advantage of it. And then, predictably, hackers got hold of that information, and so they used the exploit themselves to craft the WannaCry ransomware, which, like CryptoLocker, demanded payment in the form of bitcoin to return data.
And that gives me a chance not just to wag my finger at the NSA, an organization that has had an incredibly shady reputation, but also to explain how this points out that a government-mandated back door
into any system is always a bad idea. Governments love the idea because monitoring digital communication is really hard, and sometimes parties that are in opposition to that government, whether foreign or domestic, will use digital communications to, you know, plan stuff, and so it would be useful to have a window to peek through and see what's going on and prepare.
But even if you trust your government, a backdoor is something that can potentially be exploited by anyone if they find out about it, which was kind of the case with WannaCry, although that was an exploit, not an intentional back door. You do not improve national security by making systems less secure anyway. WannaCry could
have been an enormous problem. But fortunately Microsoft was able to patch the exploit quickly and data security specialists discovered a kill switch for the ransomware and were able to shut it down before it could really go into overdrive. So we were lucky on that one. Other examples of ransomware include malware names like Bad Rabbit, Ryuk, Troldesh, GoldenEye, and GandCrab. The details vary from case
to case, but the general approach is very similar. To close this out, I want to stress a few good ways to prevent yourself from becoming a victim of ransomware. First, of course, is to be on alert for suspicious messages and files and attachments. Don't open emails from sources you don't know. Definitely don't open unfamiliar email attachments, and back up your data. The best defense against ransomware is just not to install the dang stuff in the first place.
But if you do get tricked, and we all get tricked on occasion, having that backup is key. What you absolutely do not want to do is pay the ransom. Every time a ransom is paid, the message is sent out that this tactic works. This is a way to make money. So if we send that message, we shouldn't be surprised when we see it happen again and again, because other people will follow suit in an effort to
make some cash. And also keep in mind, there's no guarantee that paying the ransom will actually get you the decryption key. There might be cases where there is no way to recover the data, but you don't necessarily know that, and then you pay the ransom and you never get a cure for your problem. So paying is a terrible idea. Let's all just remember the lesson we learned from that classic film WarGames. The only winning move is not to play, and that wraps up this look at what
ransomware is and its history. It is fascinating. It is important to be very much on alert about it, especially right now. And again, in our pandemic, we've seen an uptick in malware attacks and spamming attacks because we have people who are not in centralized locations anymore. They're working from home. Their security at home may be lower than it is in, say, an office environment. So it's even more important that we each do our part and we pay very close attention, and if we do get attacked, we
should not panic. We should really carefully consider all of our options. Sometimes just the option of waiting works, because there are people in data security constantly trying to build decryptor tools to reverse these kinds of attacks. So hold on and just be alert, keep calm, and don't install ransomware, I guess is what I'm saying. If you guys have suggestions for topics for future episodes of TechStuff, reach out to me on Twitter. The handle is TechStuffHSW and I'll talk to
you again really soon. TechStuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.