2020-02-10 Bloomberg Businessweek


cybersecurity firm Bitdefender estimates that at one point it
comprised half of the world’s attempted ransomware attacks—
had demonstrated the model’s commercial potential. The
GandCrab gang had licensed their software to “affiliates,” fellow
hackers with access to compromised computers or lists of email
addresses to phish, in exchange for a percentage of the total
take. And they had diligently stayed ahead of the efforts of anti-virus
programmers, shipping out five major software updates,
according to computer security researcher Brian Krebs.
Then, on May 31, 2019, a post on the Russian-language forum
Exploit[.]in announced GandCrab’s “well-deserved retirement.”
Over 15 months, the writer claimed, its affiliates had
pulled in $2 billion, $150 million of which had flowed back to
the creators. Potential affiliates were left asking each other, in
thread after thread, what the “next GandCrab” might be.
I’m not going to name the forum where I ended up finding
my RaaS; I don’t imagine many readers of this article are aspiring
ransomware entrepreneurs, but I don’t want to make things
easier for anyone who is. Like most similar sites, it’s on the dark
web, a region of the internet that’s been configured to be inaccessible
by normal web browsers.
The forum’s logo is a DOS-green skull. The posts are in
English, though that’s evidently not the first language of many of
the authors, and the mores would be familiar to anyone who’s
spent time in an overwhelmingly young, male setting. Start a
post with “Possibly a stupid question, but ...” and someone will
respond, “That is a really stupid question.” Yet I was also struck
by the willingness of participants to answer questions in detail,
or just offer encouragement to an anonymous stranger on a
range of criminal-mischief topics. “Below is an amazing list of
resources,” one October post begins. “It has the best books to
check out, some websites that have practice hacking targets, a
list of free virtual networks to practice on etc.”
I wasn’t the only clueless person on the site. “Easy to Use
Ransomware Wanted,” was the headline of an Aug. 31 post.
Another read, “I’m browsing resources to acquire ransomware
and the like. What specifically do I need to learn to use this
stuff?” Some forum members see “noobs” and “script kiddies”
like these as targets for scorn, others see them as opportunities.
In the hacker ecosystem, the script kiddie’s natural predator is
the “ripper,” a person who sells bogus goods or just takes the
noob’s Bitcoin payment and disappears. A lot of the back-and-forth
on the forum focuses on whether whoever is peddling
this or that software or service can be trusted.


I, of course, was a noob’s noob, protected only by an
awareness of how little I knew and the narrow scope of my
ambitions. The plan, worked out with my editor, Max Chafkin,
was that I would ransom a single target: him. Max, reasonably
enough, wasn’t eager to put his own actual personal information
at risk, or that of our employer, which handles sensitive
data for the world’s wealthiest financial institutions. So the two
of us bought cheap laptops and took care not to connect them
at any point to our work internet. Max loaded his with a grab
bag of files: some WikiLeaks documents; a pdf of the Mueller
Report; some random pictures of cats, boats and monkeys; and
what he described to me as “a bunch of Romanian academic
papers.” He then steeled himself for my attack, which I planned
to announce to him in advance. What the plan lacked in realism,
it made up for in safety, and, hopefully, our not getting fired.
Or arrested. Several states explicitly outlaw ransomware
attacks, and legislators in Maryland recently introduced a
bill that would criminalize the mere possession of ransomware.
There are also broader federal computer fraud statutes,
which were used in the 2018 indictment of two Iranian hackers
allegedly behind attacks against Atlanta, Newark, and several
large hospital systems. Ransomware prosecutions remain rare,
but I, unlike most attackers, was actually in the U.S.
Still, the laws on the books so far seem to require the intent
to attack an unaware, unconspiring victim. “A person shall not
knowingly possess ransomware with the intent to use or employ
that ransomware,” says the Michigan law, “without authorization
of the other person.” My victim would be fully informed,
indeed complicit—we were just two consenting adults taking
risks on the internet. (If Max tried to pretend otherwise, I had
emails.) The Bloomberg lawyer we talked to basically agreed. He
did, however, suggest that, if I got the impression I was about to
do business with the North Korean government or some other
sanctioned entity, I should get back in touch with him.

None of this would have been possible
without Joe Stewart. Stewart lives in Myrtle
Beach, S.C., and runs his own blockchain
development and security research company.
Since last year he’s been working
with the cybersecurity company Armor,
who put me in touch with him. He was
one of the first analysts to describe the
criminal uses for the hijacked computer