Hacking Humans 10.10.19
Ep 69 | 10.10.19

Don't trust the ransomware to tell you its real name.


Fabian Wosar: [00:00:00] Money laundering in general is also, like, a very big issue that criminals have to deal with because it's, like, one thing generating and getting a lot of bitcoin; it's another thing turning all that bitcoin into cash that you can actually use and buy stuff. 

Dave Bittner: [00:00:15]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:33]  Hi, Dave. 

Dave Bittner: [00:00:33]  We've got some good stories to share this week. And later in the show, we've got my interview with Fabian Wosar, who is a hacker. He is so well-known for thwarting bad guys that his name sometimes shows up in their code. 

Dave Bittner: [00:00:47]  But first, a word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show. 

Dave Bittner: [00:01:19]  And we are back. Joe, why don't you kick things off for us this week? 

Joe Carrigan: [00:01:23]  Dave, this week I want to talk about two key concepts. 

Dave Bittner: [00:01:25]  OK. 

Joe Carrigan: [00:01:26]  And this gets a little technical. 

Dave Bittner: [00:01:28]  Oh, goody. 


Joe Carrigan: [00:01:30]  It's important to understand these two concepts. 

Dave Bittner: [00:01:32]  OK. 

Joe Carrigan: [00:01:32]  The first concept is a redirect in HTML or on the web; this is when the user loads your page, and you take the user to another page somewhere else, right? Now, there's a whole ton of legitimate reasons why you may want to do this. It's pretty simple to do. It's one line of code that goes in the head tag of an HTML document. You can look up how to create it. And what happens is the user enters a - let's say there's a company that's been acquired, Company A. 

Dave Bittner: [00:01:59]  Right. 

Joe Carrigan: [00:01:59]  And it's been acquired by Company B. It happens all the time. So you go to Company A's website, and immediately, you are taken to Company B's website - right? - to a landing page on Company B's website that says, hey, we just acquired Company A. How can we help you? So that's a legitimate purpose for it. But Google also provides a redirecting service. I don't know why they provide it; probably for some tools that they have. But it looks like this. You type out www.google.com/url?q=, and then you type in another URL, like http

Dave Bittner: [00:02:40]  OK. 

Joe Carrigan: [00:02:41]  And what happens when you enter that URL into a web browser is Google will say, hey, this page is trying to redirect you to Microsoft. And if you click on the link, you go to Microsoft's web page. 

Dave Bittner: [00:02:50]  Oh, yeah, I see this fairly often. This happens sometimes out of Gmail. 

Joe Carrigan: [00:02:54]  And that may be why this URL redirect service actually exists, to support something in Gmail. OK? So that's the first concept, the redirect. The second concept is something called URL encoding, or you may hear it sometimes referred to as percent-sign encoding. But here's how this works. Sometimes the developer may need to send characters in a URL that cannot be sent in a URL, right? For example, a space - you can't send a space in a URL. You can't send a colon in a URL because the web browser will evaluate everything after a colon as a port number, and if you don't have a bunch of numbers in there, you're hosed. 

Joe Carrigan: [00:03:32]  And a lot of times a colon is used as a delimiter in a query string. A slash - if you want to send a literal slash, you can't actually send the literal slash without telling the web server that you're looking for a new directory. So instead of sending them as raw text, you convert them to URL encoding, which represents each character as a percent symbol followed by two hexadecimal digits. For example, the space that I just talked about is a percent sign 20 - two, zero. If you've done any work in printers, like I did back in the '90s... 

Dave Bittner: [00:04:02]  (Laughter). 

Joe Carrigan: [00:04:02]  ...You know that that is a space character. A colon is represented as percent sign 3A, and a slash would be percent sign 2F. Now, there are tables out there where you can represent almost all the characters that you need to represent as these codes, including the alphabetic characters - A through Z, both lower and upper case - because generally speaking, this is just the ASCII text table. 

Dave Bittner: [00:04:23]  OK. 

Joe Carrigan: [00:04:23]  Right? So it's a percent sign followed by the ASCII value. Here's why it's important. 

Dave Bittner: [00:04:28]  OK. 

Joe Carrigan: [00:04:28]  Because Bleeping Computer's reporting on a phishing campaign that is using these two things in conjunction with each other - all right? - the URL redirect from Google followed by encoding of a malicious URL using the percent sign - the URL encoding. OK? So here's the thing. You get a URL, it says, hey, you need to change your Gmail password. Or actually, in this case they're actually phishing for Microsoft Office 365 usernames and passwords. 

Joe Carrigan: [00:04:57]  So you get an email that says you need to change it, and the URL is a Google URL followed by a bunch of encoded information, right? But it's actually a redirect to a malicious website. And they're doing this because email security scrubbers are not evaluating the encoded URL and deciding whether or not it's malicious. If they just put the text in there, these spam filters and these malicious email filters would catch it right away. But by encoding the malicious link with URL encoding, they are bypassing these security systems. 

Dave Bittner: [00:05:31]  Yeah, and it looks like a Google address, for example. 

Joe Carrigan: [00:05:33]  Right. It looks like a Google address to the filter but also to the human, right? 

Dave Bittner: [00:05:37]  Yeah, yeah, yeah. 

Joe Carrigan: [00:05:37]  How many times have you seen a URL with a bunch of indecipherable stuff at the end of it, and you go, well I know who this company is; I'm going to go ahead and click on it. 

Dave Bittner: [00:05:44]  All those tracking lights or tracking data and all that stuff that... 

Joe Carrigan: [00:05:48]  Right. 

Dave Bittner: [00:05:49]  Yeah, absolutely. 

Joe Carrigan: [00:05:49]  So this is a pretty clever way to get around the filter and then also hiding it from the user as well. 

Dave Bittner: [00:05:56]  So what do you do about it? 

Joe Carrigan: [00:05:57]  As the email filter companies should be encoding these things and seeing what they evaluate to. That's first. But you as the user, what do you do about it? I don't know. If somebody were to use this to try to phish Google passwords, this would be incredibly effective. 

Dave Bittner: [00:06:12]  Yeah, seems to me like it would... 

Joe Carrigan: [00:06:13]  Right. 

Dave Bittner: [00:06:13]  Because it - I mean, it's Google (laughter). 

Joe Carrigan: [00:06:15]  Right. But they're trying to phish Microsoft passwords, right? So the user has some kind of tip-off here. They're going to Google, and it's saying, this page is trying to redirect you to microsoft.com - or actually, it doesn't say that. It says, to this malicious website. And then you're being asked for Microsoft account information. So why would a Google link ask you for Microsoft account information? Be aware of that. 

Dave Bittner: [00:06:37]  It still gives you the indication that it's doing a redirect, so that should be a red flag. 

Joe Carrigan: [00:06:41]  Right. The Google page will alert you to the fact that you're doing a redirect. That's correct. 

Dave Bittner: [00:06:45]  All right. That's interesting. It's a clever workaround to make you think a trusted name like Google when it's actually not. 

Joe Carrigan: [00:06:53]  Right. Yeah. We see - we've seen this a lot. There - a lot of malicious actors are exploiting Google services to get their phishing stuff through the filters and into the hands of the users. We've seen Google Translate being used this way as well. 

Dave Bittner: [00:07:06]  Yeah. Doesn't seem like it would be that tough to stop. 

Joe Carrigan: [00:07:09]  No. The problem is you have to think of it. It's tough for you to think of these things as a developer, unless you're trying to circumvent something. I will bet it'll be a very short amount of time before these email filters are wise to this and are protecting users from this. 

Dave Bittner: [00:07:24]  Yeah. Well, let's hope so. 

Joe Carrigan: [00:07:25]  Yeah, I hope so. 

Dave Bittner: [00:07:26]  All right. Well, my story this week is a light one. It's just a little bit of satire that came by that's too funny not to share. 

Joe Carrigan: [00:07:33]  (Laughter) OK. 

Dave Bittner: [00:07:33]  This is from something called the Waterford Whispers News, and the title of this article is "Hot Woman in Your Area Marries Nigerian Prince Whose Email You Ignored." 

Joe Carrigan: [00:07:43]  (Laughter). 

Dave Bittner: [00:07:45]  And it goes like this. (Reading) The sweet, kind and happy young Russian woman in your area, always keen to communicate she was looking for a good man via pop-up ads on questionable websites, has finally achieved her goal. Three weeks ago, Natalya received a message from Jamal Saeed Juma Bin Ghalaita, whose name you might recall from a series of emails he wrote to you in an effort to help you manage the collection of inheritance through the Emirates Islamic Bank. Jamal tried his luck with the young Russian after your failure to respond to his altruistic emails, and Natalya's willingness not only surprised him but also lit the flame of love. 

Joe Carrigan: [00:08:18]  (Laughter). 

Dave Bittner: [00:08:19]  (Reading) The crush was mutual, and after a whirlwind romance, the couple are set to wed in two weeks. I am full of happiness for finally getting married to kind man. My good luck has no limit. Just last week, I managed to lose weight and earn $10,000 a month from home with this one simple trick. 

Joe Carrigan: [00:08:33]  (Laughter). 

Dave Bittner: [00:08:34]  (Reading) After that, my skin cleared up, and now dermatologists hate me, Natalya explained with enthusiasm, showing a photograph of the wedding dress she got through, incredible online raffle I didn't even enter. Jamal, for his part, insists that he has been blessed by God and may finally share the immense fortune that Natalya will receive when the funds are transferred with total security to the account that has been designated by her. I want to see you in person. A person's eyes say a lot about someone. Do you agree with me? Natalya exclaimed nervously in a message addressed to her future husband. He shyly replied, I'm taking all necessary steps for the operation to be successful. Jamal has been undergoing a miraculous hair treatment for a few weeks that will cure his baldness and solve any erectile dysfunction, meaning both Jamal and Natalya are expecting to look radiant on the day of their wedding. Although no one wanted to help them at the time, the couple feels so blessed by love that they have extended an invite to the wedding ceremony to everyone. All that's needed now is for you to transfer funds for the wedding gift, which must be made to the account of the Emirates Islamic Bank, end of week at the latest, through PayPal, providing your personal data to the address listed. Natalya and Jamal wedding. 

Joe Carrigan: [00:09:44]  (Laughter) Brilliant. 

Dave Bittner: [00:09:45]  It is. 

Joe Carrigan: [00:09:45]  That's absolutely hilarious. 


Dave Bittner: [00:09:48]  It is. You know, they're kind of made for each other, I think. 

Joe Carrigan: [00:09:50]  Yeah, I think so. 

Dave Bittner: [00:09:51]  It's a - there's a picture here. We'll include a link in the show notes. They're just a really lovely couple. They're just a lovely couple. All right. So that is a silly one this week. Having a little fun with it. But Joe, it's time to move on to our Catch of the Day. 


Dave Bittner: [00:10:09]  Joe, our Catch of the Day comes to us from The Sun, which is a U.K. publication. 

Joe Carrigan: [00:10:14]  Yep. 

Dave Bittner: [00:10:14]  This is from Harry Pettit. He is a senior digital technology and science reporter. This is about a student in Ireland who turned the tables on an online scammer who was trying to fleece him. He turned it around and actually got the scammer to send him some money. 

Joe Carrigan: [00:10:28]  Really? 

Dave Bittner: [00:10:29]  The student's name is Ross Walsh. He is a student at the University of Limerick. You know what that means? So this exchange starts with a message from Solomon Grundy, and it is titled "Business Opportunity." Joe, why don't you start off here as Solomon? 

Joe Carrigan: [00:10:45]  (Reading) Hello, friend. Pleased to be with you. I know this email will come to a surprise to you, but permit me to desire to go into business with you. My name is Solomon. I am big business banker looking to go into business with fellow enthusiastic business man. I want you to invest 1,000 pound in my company in exchange for a half business. My business is all about trading stocks. Last week I made a small sum of 35,000 pounds. You may wonder why I need 1,000 pound when I have 35,000 pound. I want to teach young business people my knowledge, which comes at a fair price. If you send me PayPal transfer of 1,000 pound, we can begin immediately and become rich. Kind regards, Solomon. 

Dave Bittner: [00:11:32]  So this student, Ross from Limerick, replies, (reading) my dearest Solomon, delighted to receive your intriguing business proposal. As you know, I'm a very enthusiastic business man, and I think 1,000 pounds is an insult. I have attached proof of payment of 50,000 to get the ball running. One of the things you need to understand about doing business in Europe is we do things big. Please get back to me ASAP to discuss our next move. Best, Ross. 

Dave Bittner: [00:11:58]  So then Ross sent a doctored picture of a transaction for 50,000 pounds. 

Joe Carrigan: [00:12:02]  (Laughter). 

Dave Bittner: [00:12:03]  And the scammer said he hadn't gotten the money back. So Ross told him that the bank had put a stop on the transaction because they thought it was a scam. And he asked the scammer, Solomon, to transfer him 25 pounds as part of a security check. He wrote him back, and he said this. (Reading) Solomon, you'll be pleased to know I have this problem many times before, and it's easy to fix. Essentially, what's happening is my bank are freezing this transaction, as they fear this may be a scam, which I know it isn't as we are now business partners. This is actually my third time this happened to me, and the bank quickly resolved the issue. In order to unfreeze the assets, they need to see a small sum of money going from your account to mine to prove this isn't a scam. The last time, 25 pounds worked. 

Dave Bittner: [00:12:47]  So Solomon sent him the 25 pounds. 

Joe Carrigan: [00:12:51]  (Impersonating Solomon Grundy) I send 25 pounds. 


Dave Bittner: [00:12:53]  Ross took the 25 pounds and sent it to a charity that helps treat cancer. 

Joe Carrigan: [00:12:58]  Oh, that's nice. 

Dave Bittner: [00:12:59]  It is nice (laughter) - so a happy ending here. And Ross says that every time he gets one of these scam kinds of things, this is how he tries to do it. And he's been kind of successful in getting the bad guys to take his hook and turn it around. 

Joe Carrigan: [00:13:13]  That's pretty awesome. 

Dave Bittner: [00:13:15]  So hats off to Ross. 

Joe Carrigan: [00:13:16]  Thank you, Ross. 

Dave Bittner: [00:13:17]  And apologies for mutilating what I'm sure is a beautiful accent that you have in real life (laughter), so... 

Joe Carrigan: [00:13:21]  I will not apologize for my Solomon Grundy impression, though. 


Dave Bittner: [00:13:26]  Right. All right. That is our Catch of the Day. Coming up next, we've got my conversation with Fabian Wosar. He's a hacker who is pretty well-known for being able to decrypt things that have been encrypted by bad guys. He's kind of famous in those circles. So we're going to have a conversation with him. 

Dave Bittner: [00:13:45]  But first, a word from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call SMiShing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:14:38]  And we're back. Joe, I recently had the pleasure of speaking with Fabian Wosar. He is a very well-known hacker and really interesting background - do the bad guys know who this guy is? Here's my conversation with Fabian. 

Fabian Wosar: [00:14:51]  I didn't really write, like, my own virus; I more took, like, existing viruses and made, like, small changes and looked at what happened because, I mean, you have to imagine, like, all the real information back then was only available in English, right? Trying to find something in German about, like, what certain interrupts were doing or figuring anything out, really, about undocumented functions in the DOS operating system and stuff like that, that was, like, really difficult. So I learned a lot by just playing around and changing a few bits there and see what happens and stuff like that. Later I actually - I think I was, like, 14 or 15, and at that point I already knew, like, quite a bit, and I was actually considering writing, like, my own virus. I actually talked to someone on, like, BBS, which was, like, kind of the new spot that you can dial in with, with a modem back then. 

Dave Bittner: [00:15:44]  Right. 

Fabian Wosar: [00:15:45]  And they told me that you don't have to do that. I mean, the equivalent of you having to write viruses to, like, truly understand it is the same as if you would, say, that, like, a trauma surgeon has to go around shooting people just to learn how to treat the wounds correctly, right? And that made a lot of sense to me back then, so I never really pursued it and just focused on learning from all of the viruses that other people wrote and trying to come up with ways on how to detect them and how to repair the damage that they caused. 

Dave Bittner: [00:16:20]  You know, I think it's fair to say that you may be the most well-known person in the world when it comes to coming up with tools to decrypt ransomware, to the point where you're being name-checked in the code of some of the packages that these bad guys are writing. 

Fabian Wosar: [00:16:36]  Yeah. Yeah, that's true. I think it's pretty much Michael Gillespie - who's, like, from the U.S., who's also working for us - and me who are probably responsible for the most decryptors out there. And we got - we both get name-dropped quite a bit. I think I have, like, a couple of more mentions than he does. 

Dave Bittner: [00:16:55]  (Laughter). 

Fabian Wosar: [00:16:55]  But that's mostly because, like, he started a little bit later than I did. So yeah, it happens quite a lot, and usually it's not, like, a nice kind of mention; it's usually some sort of insult. (Laughter) I think we don't really have to go into too much detail what those messages say. 

Dave Bittner: [00:17:11]  No, but I think there's a component to it, though, where when you're thwarting these folks, many of who are attached to things like organized crime, there's a real possibility that you need to be concerned about your safety. 

Fabian Wosar: [00:17:25]  Oh, yeah, absolutely, especially in the place I used to live in. So I'm from Eastern Germany, right? And I'm actually from a town called Rostock. And Rostock is, like, the biggest harbor city on the Baltic Sea in Germany. So that means all the illegal traffic from Russia that is coming in via ships - pretty much all going through Rostock. So there is, like, a very real presence of the Russian mob there to the point that the local shipyards is actually - it was found out in 2018, I think, that the local shipyard was pretty much just one huge money laundering operation for the Russian mob, which is interesting because, like, the Russia - well, that shipyard was pretty much across the street from where I live. 

Fabian Wosar: [00:18:10]  So the Russian mob was literally operating right next door across the street pretty much. And one of the main businesses that the Russian mob is doing is money laundering. And money laundering in general is also, like, a very big issue that the cyber criminals have to deal with because it's, like, one thing generating and getting a lot of bitcoin. It's another thing turning all that bitcoin into clean cash that you can actually use and buy stuff. So there are certainly ties between the Russian mob and at least the Russian cyber criminals or, like, the Russian ransomware gangs, if not even, like, from other countries. So that's actually a real threat. 

Fabian Wosar: [00:18:50]  And back then on my LinkedIn profile, I had the town I was living in set to Hamburg, and I got some messages that said, hey, we have friends in Hamburg. Stop what you're doing, pretty much, right? And I got some cryptic tweets that contained hidden URLs that if you - once you clicked on them, it would reveal your location or at the very least, like, your rough location where you're living in. And what a lot of people don't know is that in Germany, you can actually figure out where someone lives quite easily because there's, like, a central register that you can query. As long as you hand over enough information to uniquely identify a person, like their name and birth date, for example, they will hand out your address - no questions asked. You only have to pay, like - I don't know - like, five to 10 euros. It kind of depends where you are. So that's, like, a real threat. 

Fabian Wosar: [00:19:47]  If you know roughly where someone lives, you can just go to the municipality there, give them five euros, the name and the - I mean, in my case, probably the name would be enough because my name is so unique that I almost certainly would be the only person in their entire register, right? And they would have handed over my address. And I was living with my mom back at the time because I was nursing - my mom was quite sick. So I wasn't only worried about myself, right? I was obviously also worried about my mom and my sister and her family there who are all living there. So it was certainly, like, a very threatening perspective once I realized that people were actually out there looking for me. 

Dave Bittner: [00:20:28]  When you're analyzing different types of ransomware, are there common things that come up? Are there common flaws that they make that allow you to do the work you do creating decryptors? 

Fabian Wosar: [00:20:39]  Yeah. There are actually, like, probably about a dozen mistakes that people do over and over again. They usually involve like (ph) that they somehow mess up the way they come up with the encryption key or that they use algorithms in certain ways that make them insecure. I mean, cryptography in general is quite difficult, right? I mean, problems with cryptography, they don't just exist in ransomware. They exist in all kinds of applications. And we are talking huge applications here with, like, large budgets that only, like, well-seasoned developers work on. 

Fabian Wosar: [00:21:17]  So mistakes in cryptography are quite common, and they happen very easily. So ransomware isn't an exception at all. It's just that ransomware is often written by, like, hobby programmers, so they make mistakes more easily, and they also tend to do, like, the same mistakes all the time. Obviously, if for some reason they did everything right, and a lot of them do make everything right, then there's obviously nothing that we can do. But in many, many cases, they don't do everything right. And in those cases, we can help, and we do help. 

Dave Bittner: [00:21:52]  So if someone finds themselves being hit by ransomware, what are the steps they should take to get their files back? 

Fabian Wosar: [00:21:59]  The very first thing that is actually a little bit counterintuitive is to leave the ransomware alone, meaning don't delete the ransomware file that you double-clicked. Don't do anything with that. And the reason being is quite simple - to have a chance to get your files back, if we can't readily determine what kind of ransomware you got hit by, we will have to take a look at the actual file that you executed and that infected your system. If you deleted that file or if you got rid of it somehow, then that process becomes way, way more difficult because, in that case, we would have to try to find the ransomware file ourselves. And that means we would have to find, like, that one malware file in a sea of over a million malware files per day that hit your system. So you are literally looking in a needle in a huge stack of needles. So it's totally fine to use, like, antivirus software to quarantine the infection, but don't delete it and don't get rid of it entirely. 

Fabian Wosar: [00:23:07]  Now, the next step is you have to figure out kind of what kind of ransomware you got hit by. And don't trust the ransomware telling you its real name. There have been so many cases where there are copycats that try to imitate bigger and more professional campaigns. For example, like, one of the biggest ransomware campaigns was CryptoLocker, for example. There have been so many ransomware that had nothing to do with CryptoLocker that just pretended to be CryptoLocker. So don't trust anything the ransom note says. Don't trust anything the ransomware may display to you. 

Fabian Wosar: [00:23:45]  Instead, you can use a service like ID Ransomware, for example, which is done by my colleague Michael Gillespie. And you can upload the ransom note, as well as one of the encrypted files from your system, to that website, and it will try to recognize the exact ransomware family that you got hit by. And it will not only do that, it will also tell you if there's, like, a free fix available, like, if there's a free decryptor available that you can use to get your files back or what the current status is. Like, for example, it may say that this ransomware hasn't been analyzed yet. And in those cases, it may be a good idea to reach out to a person like myself and send, like, the ransomware file that you got from your system so that we can take a look at it and figure out whether or not we can create a free decryption tool. 

Dave Bittner: [00:24:36]  How do you recommend folks deal with the emotional component of dealing with something like this? You log onto your computer. You find that your files have been locked up. I think there's that sinking feeling that people have and maybe a feeling of hopelessness. 

Fabian Wosar: [00:24:52]  Yeah, most definitely. And I see that with, like, a lot of victims that contact me. Now, my best advice is always to try to restore as much of your important files through other means without paying the ransom, especially when it comes to family photos. What you shouldn't do, however, is just contact data recovery companies. There have been numerous cases where data recovery companies have charged a horrendous amount of money to recover the files when, in reality, all they did was paying off the ransom and then pretend they had, like, some magic tool that was able to recover the files, often asking for huge markups, markups that are so huge that they even eclipse the initial ransom demands. We are talking, like, four, five times the amount they pay the ransomware author and just adding it as some sort of markup just to essentially send a couple of emails. 

Dave Bittner: [00:25:53]  Interesting stuff, huh, Joe. 

Joe Carrigan: [00:25:55]  A really interesting interview, Dave. I love that Fabian explains what a BBS is. 

Dave Bittner: [00:25:59]  (Laughter). 

Joe Carrigan: [00:26:00]  Some of our listeners might not know that. 

Dave Bittner: [00:26:01]  Yes, good times. 

Joe Carrigan: [00:26:03]  Right. His story about the organized criminals threatening him in living in Germany - terrifying, absolutely terrifying. He's right about cryptography being hard. There are a lot of mistakes that people make when implementing cryptography. Even when they're very good cryptographers, they still make these mistakes. In order to get these things to work properly, they need to be implemented properly. And there are a ton of different settings that you need to get right in order for your cryptography to be solid. So it's easy to understand how people who, as he describes them, are hobbyist developers can easily make these mistakes. 

Dave Bittner: [00:26:36]  Yeah. And I guess it is a double-edged sword there because, on the one hand, the mistakes that they make can make it easier to get your stuff back. 

Joe Carrigan: [00:26:43]  Right. 

Dave Bittner: [00:26:43]  On the other hand, the mistakes that they make can make it impossible to get your stuff back. 

Joe Carrigan: [00:26:47]  Yeah. That's (laughter) also possible. Correct. Some things that seem counterintuitive - don't delete the ransomware file - I'd keep that so it can be analyzed - and make backups of your encrypted files - two good pieces of advice, but you wouldn't necessarily think of those. I think that's important. 

Dave Bittner: [00:27:02]  Yeah. 

Joe Carrigan: [00:27:02]  It's a shame that you just can't trust ransomware developers to tell you who they are. That's very disappointing. It's also a shame that you can't trust data recovery companies, right? 

Dave Bittner: [00:27:13]  Yeah. 

Joe Carrigan: [00:27:14]  They're just going to go ahead and pay the ransom. And I think you've had stories about this before on the CyberWire as well. You know, these unscrupulous companies go, oh, we can get your data back for you. 

Dave Bittner: [00:27:23]  Right. And then they just go and pay the ransom... 

Joe Carrigan: [00:27:24]  Exactly. 

Dave Bittner: [00:27:25]  ...With a big markup for you. I think part of that, too, is it's sort of covering the story. In other words, if they are the ones who pay the ransom and it's not me who pays the ransom, I didn't pay the ransom. 

Joe Carrigan: [00:27:37]  Right. 

Dave Bittner: [00:27:37]  I paid a recovery company... 

Joe Carrigan: [00:27:39]  Right. 

Dave Bittner: [00:27:39]  ...Who paid the ransom. And so I wasn't supporting paying the ransom, so plausible deniability I suppose (laughter). 

Joe Carrigan: [00:27:46]  Plausible deniability, yes. But if you know that the company is doing this, does that still make you, you know, responsible for that? I don't know. A lot of these... 

Dave Bittner: [00:27:51]  Well, yeah, and - right. And some of the data recovery companies don't tell you that's what they're doing, and that's the problem. 

Joe Carrigan: [00:27:56]  Right. That's different. Yeah, that's a different issue. 

Dave Bittner: [00:27:58]  Which is not - I mean, there are plenty of data recovery companies out there that are above board. Unfortunately, there are some who are not. 

Joe Carrigan: [00:28:04]  That's correct. My recommendation for recovering from this stuff is just have offline backups, offline and offsite backups. Personally, you know, it's not hard to make an offline backup of your personal computer. You go to one of these big-box stores and buy a USB hard drive, copy all your data. Keep your data in one location. That's what I do. I keep it on a particular drive in my computer that is also supported with RAID internally. RAID will not help you in ransomware attack (laughter). 

Dave Bittner: [00:28:31]  Right. 

Joe Carrigan: [00:28:32]  When your files are encrypted, they're encrypted on all the RAID devices. So it's really just helping me in case one of my drives fails. But keep an offline backup as well. These things cost less than 100 bucks, and you can copy all your files to them. It's a little slow, but you're a lot better off. 

Dave Bittner: [00:28:47]  Well - and also there are the online backup companies that... 

Joe Carrigan: [00:28:50]  Right. 

Dave Bittner: [00:28:51]  ...Are dirt cheap, relatively speaking. A few bucks a month... 

Joe Carrigan: [00:28:55]  Exactly, yeah. 

Dave Bittner: [00:28:55]  ...You can have all your stuff backed up. They'll even mail you a hard drive if you have trouble. They'll ship it to you if you need to recover your files more quickly than you can do online - so lots of options out there. It's harder to justify not doing it these days. 

Joe Carrigan: [00:29:09]  I would agree. 

Dave Bittner: [00:29:10]  Yeah. All right. Well, that is our show. Of course, we want to thank all of you for listening. 

Dave Bittner: [00:29:14]  And we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. 

Dave Bittner: [00:29:28]  We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:29:37]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:29:50]  And I'm Joe Carrigan. 

Dave Bittner: [00:29:51]  Thanks for listening.