Placeholder Image

字幕表 動画を再生する

  • Ransomware is everywhere.

  • It's happening to the biggest companies.

  • The cyber weapon NotPetya started in Ukraine

  • in June of 2017.

  • It quickly spread, paralyzing major companies

  • and causing more than $10 billion in damage.

  • Government computers in 22 Texas towns

  • are being held hostage by ransomware.

  • But it's also happening at super low levels,

  • where you have people

  • ransoming individuals for small amounts of money.

  • And the thing that was most interesting

  • and the thing that sort of set us down this path

  • is this thing called ransomware as a service.

  • And as soon as you hear that phrase,

  • I mean, I want to read about that.

  • The idea that people could buy ransomware the same way

  • they buy Salesforce software or anything else.

  • And so then we decided to send Drake out into the dark web

  • to procure some ransomware service.

  • With a story like this,

  • all the reasons not to do it

  • are actually the reasons to do it.

  • My name's Drake Bennett.

  • I went on the dark web, I bought some malware

  • and I used it to attack and extort my editor Max Chafkin.

  • The original idea

  • was just to do something about ransomware.

  • The city of Baltimore was having this huge

  • sort of battle with some hackers.

  • Thousands of Baltimore city computers

  • frozen by hackers demanding ransom.

  • Baltimore's government computer systems

  • recently faced a ransomware attack.

  • Are you seeing these attacks become more sophisticated?

  • The more I learned about this world,

  • the more frustrated I got.

  • It seems hard to know what you can trust here.

  • There's a lot of anonymity.

  • The more I thought about it,

  • the more it seemed like

  • it might make sense to try it myself.

  • He wanted to do something participatory.

  • It's really a cool way

  • to explain a really difficult technical topic.

  • And then that also has the added benefit

  • of testing out a hypothesis I'd begun to have,

  • which is that this stuff has gotten so easy

  • for a variety of reasons

  • that almost anyone could launch one of these attacks.

  • And as it happens,

  • I'd be a particularly good guinea pig for this

  • because I'm particularly technologically illiterate.

  • You got to have a hacker, and that hacker despite his,

  • I'd say modest computing skills,

  • is Drake and the victim was me.

  • And our idea was that Drake could, you know,

  • he's sending me attachments all the time,

  • so the way we decided he was gonna do it is he was gonna

  • pretend to send me a draft,

  • but that draft was gonna be ransomware.

  • - What were some of the legal concerns and how did you get around that?

  • Okay.

  • Legal concerns.

  • What we figured out in consultation with a very amused

  • and maybe slightly confused Bloomberg lawyer, was that--

  • All of the laws that are on the books

  • require not only the possession of malware,

  • but the intent to actually launch an attack

  • against an unwitting victim.

  • Max, my victim was complicit in the scheme,

  • so we figured that kept us on the right side of the law.

  • And I do think there's a really strong

  • public interest argument for doing this kind of thing

  • because if somebody as unsophisticated

  • as a magazine journalist

  • can get really dangerous ransomware

  • without spending very much money,

  • that's something that I think

  • the public needs to know about.

  • So once we kind of talked to a Bloomberg lawyer,

  • we then got two burner laptops,

  • we got two cheap Dell laptops.

  • Max and I both work for a company

  • that takes data security very seriously for obvious reasons,

  • so we made sure

  • that we kept all this off Bloomberg's network.

  • Then we decided to send him

  • onto the dark web to procure some ransomware service.

  • So there are these dark web forums

  • that work sort of like they're chat rooms,

  • but they're also these kind of malware bazaars

  • where you can go and people are hawking

  • different forms of malware and also different ways

  • of getting that malware onto computer systems.

  • The market has now kind of advanced

  • to the point where there are these services,

  • they're called ransomware as a service,

  • and it's a play on this idea of software as a service

  • or SaaS, which is something you hear

  • in Silicon Valley all the time.

  • And so I found a couple,

  • some of them turned out to be bogus,

  • some of them seemed to be defunct.

  • People just didn't get back to me.

  • But there was one where the guy got back to me

  • when I got in touch with him

  • and answered the few questions I had.

  • And it was cheap, it was just 150 bucks,

  • so I figured it was worth a try.

  • So the first thing I did is I reached out to the vendor

  • and I used ProtonMail, which is an encrypted email service.

  • And at that point I had gone ahead

  • and set up a Bitcoin wallet,

  • so I paid the $150 that was the subscription fee

  • for the service and that gave me a login for this website.

  • And it was a pretty simple looking interface.

  • There was a series of tabs at the top of the screen.

  • One of the tabs took me to the quote unquote dashboard,

  • which is where I'd be able to manage the various attacks.

  • There was another tab

  • that took me to what was called the builder,

  • which is a page that allowed me to input a few pieces

  • of information about the kind of malware I wanted.

  • Stuff like what kind of operating system

  • would be on the target computer or what kind of encryption

  • I wanted or what's the email address

  • that my victims should use to contact me

  • once they realize they've been attacked.

  • So I input those few pieces of information

  • and it spits out a piece of software

  • that I could then download onto my computer.

  • So it became obvious pretty quickly

  • that I didn't have particularly top shelf product.

  • And that's not surprising.

  • A lot of the conversation on these dark web forums

  • is about whether this or that product

  • is reliable or how well it works.

  • The person that we bought the ransomware from

  • turned out to be not the most sophisticated.

  • Almost as unsophisticated as we were.

  • And it kind of started to become unclear

  • whether he was trying to con us out of more money,

  • and I kept saying to him,

  • "We got to be really careful

  • that there's not an additional layer to this scam,

  • that he's not gonna ask us to wire him some more money

  • to make the software work better,"

  • which is what he was trying to do.

  • So there's just like so much con artistry.

  • And there does seem to be a wide range

  • in quality reflected partly in the wide range of price.

  • There are other ones that are much more high end

  • where it's not even an annual fee model

  • it's more like you have a gang of hackers

  • with different specialties

  • and they just divide up the pot between them.

  • So I wrote my email to Max, which basically said,

  • 'Hey Max, here's the draft of my latest story.

  • Sorry it's taken so long.

  • The draft is attached'.

  • Even though I had a really bad laptop,

  • it immediately sniffed out the potential

  • that this attachment that Drake was sending me,

  • which looked super suspicious to me, was going to do harm,

  • and there were a bunch of warning boxes that opened up

  • saying, "Are you really sure you want to load up this file?

  • Are you super sure?"

  • And of course I said yes, yes, and infected myself.

  • And then Max looked away for a second

  • and looked back at his computer

  • and there was this ghoulish image of a hand

  • reaching out from a cloud of smoke and a message that said,

  • "All of your files have now been encrypted."

  • And, so I was sitting there waiting for this thing to happen.

  • We had a photographer there.