networks known as botnets. He also coded an early reverse-engineered decryptor to allow victims of carelessly written ransomware to unscramble their files for free. Several years ago, he helped a couple of my colleagues identify a hacker working for the Chinese People’s Liberation Army.
Stewart is quiet and in conversation wears a stony expression that I eventually learned to read as attentiveness rather than dismay. I’d been talking to him over the phone for a few months before I told him I wanted to try ransomware myself. He told me that once I got my hands on some, I could come down to Myrtle Beach and deploy it from his computer lab.
The ransomware service I ended up using was the first one I found, a few minutes after logging into the first hacker chatroom I tried. Even at the time, there were warning signs. The consensus on the forum was decidedly skeptical. “[T]his guy has been spamming this shit for days now and acts like no one has ever done this before,” one poster complained, “can’t explain a simple sales pitch about it.” The coder himself had weighed in, telling that critic to “stfu” before mocking him with an obscure reference to the coding language C# and signing off with another “stfu.” Still, the inquiries I’d sent to other sellers had gone unanswered, and a couple others were clearly fake. And while the popular Ranion RaaS costs $900 a year, according to the possibly defunct ad I’d tried responding to, this one was only $150. I decided it was worth a try. The morning of Oct. 23, I paid my 0.020135666 Bitcoin and sent a note through Protonmail, an encrypted email service, to the address on the payment page. A half-hour later, I got a response: “Hello sir, your account is activated now!!! sorry for the delay!”
The web page I could now access was white, with a black Mercator projection of the world beneath a row of tabs. Clicking on “Dashboard” called up an empty table with the heading “Victims.” Its columns would presumably populate once I had multiple campaigns going, with the names of each and their corresponding decryption keys. A second tab, “Builder,” took me to a page that created my malware for me. I typed in a Protonmail address for my victims to use and specified the kind of operating system on my target computer. (The vast majority of malware is written for Microsoft Windows; on Stewart’s suggestion, I was using the Linux operating system, decreasing the chances of getting hacked myself.) I clicked on a button labeled “Build,” and a box popped up asking me if I wanted to download a file. After a few moments’ hesitation, I clicked yes. I now had a piece of malware on my computer. I attached it to an email and sent it, clearly marked, to Stewart.
By the time I showed up in Myrtle Beach on the morning of Nov. 11, Stewart had run it on a special quarantined computer he used to defuse and dissect malware. High-quality variants are often coded so they won’t deploy if they sense they’re in a “sandbox” such as Stewart’s, or they have dormancy periods longer than the attention span of the average security researcher. My malware wasn’t so equipped, one of several traits that suggested I hadn’t procured top-shelf product. The ransomware service itself had been built not on some cryptocurrency-accepting, law-enforcement-unfriendly overseas web hoster—which would, as Stewart put it, have been “best practices in the criminal underground”—but on Amazon Web Services’ cloud. A subpoena could produce the name attached to the Amazon account, potentially leading law enforcement directly to my provider.
The biggest snag, though, was the decryptor I got from the site. After receiving my ransom payment, I was supposed to send the file to my victim along with an alphabetical key. But when Stewart and I tested it out, it didn’t work—the files in Stewart’s sandbox stayed encrypted. In the short term, that wouldn’t be my problem: I’d already be paid by the time Max discovered this flaw. But just as with traditional kidnapping, the information-ransoming business model works only if victims are at least moderately hopeful they’ll get their data upon payment. As a result, ransomers often go out of their way to show their good faith and dependability. It’s common practice to decrypt a few files for free as proof of concept. Some RaaS dashboards dispense with the term “victim” entirely: Screenshots of the Ranion variant taken by Armor analysts show a table headed “clients” instead. Elisan at Flashpoint forwarded me a note one ransomware gang sent their victims that laid out security measures they could take to avoid future attacks.
For Stewart it had been easy enough to throw together a decryption workaround. “I’m guessing he’s never actually tested the code in a real environment,” he wrote me in an email. Rather than send Max a key to type or paste in himself, I’d need to send him a few lines of code and instructions for where to put them. It was inelegant, but it was the sort of thing that I figured I could walk him through.
But as Mike Tyson famously said, everyone has a plan until they get punched in the mouth. On the appointed morning, sitting in Stewart’s windowless computer lab, I logged in to my specially purchased laptop, opened up the anonymizing Tor browser, and clicked on the bookmarked link for the dark-web address of my RaaS control panel. But instead of the Mercator