protectagainstradiation.Hereturnedhome,self-published
amanifestourgingpeople to reproduce more, and was starting
a butterflysanctuaryin Oneonta, N.Y., when he died in 2006.
WhilePopp’smotivations and mental fitness remain the sub-
jectofdebate,theeffectiveness of his ransomware does not.
Mostoftherecipientsof the disk didn’t even load the perni-
ciousfileontotheircomputers. Among those who did, only
a tinynumberpaidthe ransom. For one thing, it was a pain,
requiringa triptoboththe bank and the post office. And it was
unnecessary.Onevictim, a Belgian named Eddy Willems, was a
computersystemsanalyst for a multinational insurer. “I’m not
a cryptologist,butI was able to easily see what it did,” he says.
“AndI wasabletoputeverything back in something like 10 to
15 minutes.”Willemsand other security researchers quickly cir-
culatedfreeAIDSTrojan decryption programs, also by floppy.
It’sa testamenttoPopp’s imagination (and possible mania)
thatheattemptedthescheme at all with the tools at his dis-
posal.Theideaofselling stolen data to the highest bidder
wasn’tnew,butPopp’s innovation, as Mikko Hypponen, chief
researchofficerattheFinnish cybersecurity firm F-Secure, puts
it,was“therealizationthat in many cases the highest bidder is
theoriginalownerofthe information.”
A decadeanda halflater, technology caught up with Popp’s
insight,firstintheform of the internet. In 2005 security
researchersstartingseeing ransomware they dubbed Gpcode.
(Incybersecuritytaxonomy, it’s customary to bestow the same
nameona strainofmalware and the anonymous gang behind
it.)Gpcodesmuggleditself onto computers as attachments to
seeminglylegitimateemails, a technique known as phishing, if
it’s done at scale, or spear phishing, if a bespoke email is aimed
at a single target. Gpcode’s later versions also used much stron-
ger encryption to scramble the contents of files. The only real
weakness was the payment step: Ransoms were settled up by
prepaid credit or gift cards, and therefore flowed through the
highly regulated pipes of the global financial system. Over time,
with the help and prodding of law enforcement, payment pro-
cessors grew better at spotting ransom payments and recover-
ing at least some of the money.
That problem was solved—from the ran-
somer’s point of view—by Bitcoin. By 2013
the cryptocurrency had become main-
stream enough that a ransomware gang
decided to give it a try, in a variant that
would come to be known as CryptoLocker.
Bitcoin isn’t technically untraceable,
especiallywhenpeopleconvertitinto
dollarsoreurosoranotherfiatcurrency.
Still,theforensicsaredifficultandtime-
consuming,complicatedby“tumblers”
andotheranonymizingmeasuresthat
obscurea transaction’spaththroughthe
publicblockchain.Andthere’snopay-
mentprocessor for law enforcement to
ask to shut it down. All of which makes
it ideal for ransomware. The only wrin-
kle is that most people are still unfamiliar
48
Bloomberg Businessweek February 10, 2020
withthemechanicsofbuyingandsendingcryptocurrency—it’s
notuncommonforransomwareattackerstoencouragetheir
victims to reach out if they want help with the process.
CryptoLocker was hugely successful. Three Italian com-
puter science researchers traced 771 payments flowing into
Bitcoin wallets connected to the ransomware variant, total-
ing 1226 Bitcoin ($1.1 million at the time), likely a very conser-
vative figure. And the CryptoLocker recipe—phishing, strong
encryption, Bitcoin—remains the dominant template for ran-
somware today. But there are others: Some attacks pretend
to be from a law enforcement agency that’s locked down your
machine because of illicit material found there. (Some ensure
the material is there by first downloading actual child por-
nography.) Some attackers start by luring victims to a com-
promised website where a software “exploit kit” can slip the
malware through their browser’s vulnerabilities. And some
attacks turn out not to be ransomware at all: NotPetya, which
caused billions of dollars in damages worldwide in 2017, lacked
any means to reverse its encryption. It’s widely suspected to
have been a Russian cyberweapon built neither to steal infor-
mation nor hold it for ransom, but simply to destroy it.
“With some of the more sophisticated cybercriminal orga-
nizations that we’ve found,” says the FBI’s Stapleton, “ransom-
ware is just another tool to use for the monetization of their
cyber activities.” Ryan Olson, a vice president at cybersecurity
firm Palo Alto Networks Inc., remembers monitoring a com-
puter for a client after hackers found a way in. First they looked
for credit card numbers. Then they searched for passwords or
login credentials they could use to take over the network. “And
then the last thing they did,” he says, “just on the way out the
door, was to install some ransomware and encrypt all the files.”
hen I started shopping around for my
ransomwareservice in October, the commu-
nity was still grieving GandCrab.Rolledoutat
the beginning of 2018, GandCrabwasn’tthe
first RaaS, but its overwhelmingsuccess—the
PHOTO: ARTHUR WOO