The second generation of ransomware is human-operated, so not the sort of commodity, automated ransomware, but human-operated, where people take charge of targeting, of setting a ransom, and maybe investigating how much the victim is worth, how much they might be able to pay. They might have investigated their profit and loss accounts while they're in the server, and they might even have found an insurance certificate.

It's the Lawfare Podcast. I'm Jonathan Cedarbaum, book review editor at Lawfare, with Professor Anja Shortland, who is a professor of political economy at King's College London.

Saying, "I won't, let's just take the profit motive out of it," that never worked, because in the end, if there are lives at risk or livelihoods at risk and a company is hemorrhaging money, the commitment to saying we'll never pay ransom is just not credible.

Today, we're talking about her book, Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware. Let's start off by asking you to tell our audience a little bit about your professional background and how you came to write Dark Screens.

My special subject at King's is the economics of crime, and I'm fascinated by the governance of criminal markets. It all started in 2010 when my four-year-old son and I got super interested in piracy off the coast of Somalia. And I started asking some really difficult questions about how do you make prices in this world, where does the trust come from when you have a legal entity having to make a deal with a criminal group? How do you create a transaction between somebody who's just been victimized, whose salvation is going to come from the criminals? So I've got a whole body of work around extortive crime and its governance, starting with piracy and kidnapping, then with art crime and art-napping and art recovery. And ransomware, the third part of my unholy trinity of extortive crime, and I'm asking the same sort of question: who governs that gray space between ransomware groups and the businesses and individuals and governments that they victimize, who makes that transaction work as well as it does, why is this a business model? Why do we see branded crime in this space? The more you look, the more interesting it gets, and it's a really complex problem. So in the end, the only way to tackle it was in book format, and also the book is really trying to bring out the people aspect of computing and engage the ordinary computer user, which means anyone who has a phone, with their own cybersecurity.

Very good. How big a problem is ransomware today?
Well, it sits in a much bigger group of cybercrimes, but in 2025 estimates are around $75 billion of costs to the global economy from ransomware, though interestingly, only about 900 million of that ended up in the hands of the criminals. So there's a lot of damage that does nobody any good. It's almost like wrecking a car to steal a pair of sunglasses.

Where does the rest of that money go?

It's business interruption. It's possibly regulatory fines. It's litigation around third-party liabilities, data breaches, confidential data being stolen, possibly revealed, or the remedial action around that.

Very good. Now, the early chapters of your book offer a very engaging prehistory of ransomware through, as you say, very human stories about some of the quite dramatic individuals involved. You explain that as early as the 1980s and 1990s, hackers of various kinds, some that we might consider white hat hackers, some with darker-shaded hats, had developed many of the techniques needed to infiltrate and encrypt computer systems and demand payment from the owners of those systems to free them from the shutdown. But you note that there were three key technical obstacles that hackers had to overcome in order to make ransomware, these basic techniques, a truly effective method of extortion. Could you tell us a little bit about those crucial technical successes that enabled hackers to turn ransomware into a major form of extortion?
Yes, of course. So the first one was, if you wanted to scale up ransomware, you needed to find a way of encrypting systems in a unique way so that every victim has to have a unique decryption key, otherwise victims can share. So they needed asymmetric encryption, which means a virus that gently mutates every time it hits a new victim, and obviously some really good housekeeping behind the scenes to make sure you can match up each victim with a unique encryption key. So that was a big technical challenge. The second challenge that hackers had was how they were going to communicate with their victims without being caught. If they'd just done that from their normal phone lines, then of course it would be super easy to track them down. And it was actually the U.S. secret services that gave them the protocol, the onion router, the Tor protocol, that allowed them to disguise their identities and have these pseudonymous conversations within the dark net, which helps them to get together as firms, as groups, but also to communicate with their victims. All of that was in place quite early, and the really big missing piece of the puzzle was how to take payments safely from a criminal's point of view. And it was only the gift of cryptocurrencies that made it possible for them to take payment at scale and cash out pseudonymously without ever revealing their real-world identities. And yeah, it was 2013 that all of these things came together. So quite a long gestation period from the first ransomware attempt in 1989.
Very good. And as you track the history of the development of ransomware, you identify what you call ransomware-as-a-service, emerging in that period around 2013 or the 2010s, as an important step forward, as it were, in the development of this kind of criminal industry. What is ransomware-as-a-service and why was its emergence so significant?
Ransomware relies on very clever coders creating malware that can penetrate computer systems, that encrypts and reliably decrypts people's networks and individual computers. Once you've got that kind of technology, there probably isn't time for you to make money from each individual victim. If you're visiting half a thousand, you can have hundreds of thousands of victims. So what ransomware-as-a-service does is that it leases that weapons-grade malware to other people whose coding skills are not that great, but who might be able to scam or blag their way into a network. So you outsource, effectively, the time-consuming part of the operation to others, and you have affiliates, who do the breaking-and-entering part, and then the malware takes care of the extortion and ransoming part on their behalf, and it really drove a massive expansion of ransomware as a threat to the global economy.
And the malware distributors get a cut from each of those affiliates, as it were?

That's right. So the affiliates are taking more risks. They're more traceable, so they take quite a significant cut, initially 70%, then 80%, now 90%. Very lucrative for the affiliates. The coders take the smaller part, but of course they also have the option that when somebody comes in with a huge ransom, they just disappear and take the entire ransom. So there is no honour among thieves on this one.

In that same period, you also describe what you call ransomware settlement as a service, and it seems to be a development that, I had the impression, you were not happy about, or that you're concerned about some of the unfortunate consequences of the development of what you call ransomware settlement as a service. What do you mean by that term and what were some of its consequences that you were concerned about?

Yes indeed, it's something that's ambiguous. So for people who've been subject to a ransomware attack, the chances of them being really stopped by it and facing a really long business downtime and not knowing how to resolve it are of course great. So people started to outsource their recovery, which is a good idea, because people do get it really wrong. As far as insurance companies were concerned, putting the recovery in the hands of experts was a super idea. On the other hand, from a collective point of view, throwing money at the problem and making it easier to recover, less trouble to source the bitcoin, speeding up the transaction with the criminals, also made it easier for the criminals to increase their activities, because rather than holding somebody's hand as they're carefully rebuilding their system after an attack, they could use that time to run further attacks. So yes, it's a two-sided sword here. So it's good and it's problematic too. Also because there were some what are called ransomware payment mills, who don't really add much value, but they give people the idea that they might be able to get out of their predicament without paying the hackers, by paying the ransomware payment mill a multiple of the ransom that the hackers demand, and then behind their back, of course, the ransomware payment mills just go back to the hackers. So nothing is gained except for the ransomware payment mills. So yeah, quite a lot of shady businesses in that space preying on people's predicament as a result of ransomware attacks as well. And that's what I am lamenting.

Who were the folks behind those ransomware payment mills? Were they actually illegal along with the ransomware hackers, or?

They're legal companies offering a legal service. They exist as long as the organisation that's taking the ransom is not a proscribed organisation; there's nothing technically or legally wrong with making that payment. But sometimes a victimised company doesn't want to be involved in a direct transaction with a criminal company. And yeah, there is just some jiggery-pokery in that space where they say, oh, you can pay us so you don't need to pay them. And then they're just very opaque about their methods, but people who have investigated have realised that they are just going back to the criminals.

I like that technical term, jiggery-pokery. That term may be unfamiliar to some of our listeners outside the UK. So let's continue with the history, the development of the ransomware industry. You describe several generations of ransomware, a first generation, second generation, third generation. What distinguished second-generation ransomware from first generation?

So the first-generation ransomware was large scale, pretty automatic, and taking very low ransoms. The second generation of ransomware is human-operated, so not the sort of commodity, automated ransomware, but human-operated, where people are taking charge of targeting, of setting a ransom, maybe investigating how much the victim is worth, how much they might be able to pay. They might have investigated their profit and loss accounts while they're in the server. And they might even have found an insurance certificate. So they can set the ransom. They might have to negotiate it, a bit of hand-holding on the recovery. So it's much more involved, but it was in response to a lot of businesses getting wise to cybercrime in general and the ransomware threat in particular. So as the success rate of attacks was dropping, they made up for it with rising ransoms from the second-generation type of ransomware.

Got it. You also help readers understand the ransomware
industry by taking a deep look at several of the most prominent ransomware organizations and some of their most, I would say, spectacular operations. Let's turn and spend a few minutes on a few of those major ransomware organizations. First, one with perhaps my favorite name for a ransomware organization, REvil. That is, capital R, smooshed together with the word evil. You profile the REvil group and you describe one of their most well-known attacks, on a company called Kaseya. Can you, just to remind our audience or tell our audience, what did that hack involve and what did it reveal about the methods of sophisticated ransomware organizations and how best to respond to them?

Yes, so this was a really clever attack, targeting what's sometimes called the soft underbelly of computer security. So it was a managed service provider that they targeted here, where companies outsource their computer security to someone else and have a really deep connection, frictionless communication, between that managed service provider and their own computers. So if you can somehow get inside one of those companies, then everyone will take updates, or malware, from that provider without any questions. So by breaking into Kaseya's servers, they had up to a million end users potentially in their hands. So this could have been one of the most spectacular ransomware attacks in history. In the end, it wasn't quite that spectacular, so it's a bad news story, but also a good news story, because Kaseya found out pretty quickly that they had been breached. They shut down the servers, and in the end only one server was compromised and about 1,500 companies were affected, which of course is a lot of victims all in a tight place at one point. What was really lovely about the aftermath of that attack was that the companies that had used the Kaseya software all rallied around the ones that had been affected and really helped with the rebuild. So it was not as catastrophic as it could have been, and also it was not nearly as lucrative as it should have been, and the REvil leadership really got into trouble on the dark net forums because people said, well, you did this amazing thing, and are you hiding the profits from this? Did you really only get that small amount of money for it? So it was also something that sowed distrust and contributed to the demise of that particular ransomware group.

So it sounds as though one of the morals of that story, from the potential victim side, is that speed of detection and response is crucial, like Kaseya's ability, as you said, to shut down many of its servers quickly.

That's right. I mean, that's been the lesson of quite a few of the recent attacks: those who just sort of bury their head in the sand and hope it's not a ransomware attack, like Marks and Spencer, end up with a much bigger rebuild and a much larger problem than companies like the Co-op, which says, okay, this is happening, let's shut it down, let's investigate. Yes, even if it's not a ransomware attack, we'd rather be safe than sorry.
Okay, let's look at another of the groups you profile. That is the Conti group.
You feature an attack of theirs that also got a lot of attention, that is thei... the government of Costa Rica, notably its Ministry of Finance. How was Conti organized and what do its operations show us about the nature of ransomware threats?

Conti was an absolute gift to us as researchers of the ransomware space. It was a pan-European, partly Central and Eastern European, crime group. They spectacularly collapsed in the aftermath of the Russian invasion of Ukraine, when part of the group put up some message boards saying, "Oh, we are fully in support of President Putin and the special military operation." And some of the Eastern European, and the Ukrainian in particular, affiliates and associates and members of the group said, "No, we are really not happy about this." So we got a whole cache of leaked documents and communications going over months. So we know a lot about this particular group, and it was organized like a proper firm. They had about 60 to 100 employees, fluctuating over time. They were organized in six different departments: there were coders, there were their pen testers, there were reverse engineers, there were the specialist hackers, there were those that maintained the attack infrastructure. But perhaps most interesting, I found the human resources department, because it really showed the problems of trust within such an organization when you only knew people by their pseudonyms. You don't know whether they're sitting in Ukraine, you don't know whether they're police or whether they're committed or not committed. Max Smeets's book has a lot more detail on Conti than my book has, which only has a chapter on it. But he ends up concluding it sounds like a really badly run internet startup. I thought, yes, but that's exactly what it is, because it's sitting in countries, specifically Russia, where the government tolerates, if not smiles on, that kind of activity. They don't have to hide, they can even have an office, they can have a physical presence. It really shows a lot about the geopolitics of ransomware, and the attack on Costa Rica was just a really terrible way of dealing with the fundamental rupture of the Conti group, where they said, "Okay, we've got to reconfigure. Let's create a big distraction somewhere. Let's push this poor country to the brink of ruin. Let people starve. Everyone will be looking at Costa Rica, while we quietly reconfigure our operations to make them more Russian."

Very good. I want to echo your recommendation of Max Smeets's book, Ransom War. Max, as some of our listeners may know, is a brilliant scholar of cybersecurity and he was, just a few months ago, a guest on the Lawfare Podcast. We actually had him on, just as we're having you on, Professor Shortland, to discuss his book. So listeners who are interested in your book may be interested in his as well. Let's talk a little bit about just one more of the sophisticated ransomware organizations that you analyze, and that is the LockBit organization, and you not only describe the organization but the efforts of law enforcement to take them down. What are some of the morals of the rise and fall of LockBit?

Well, LockBit was centered on a rather nasty but perhaps not uncharismatic character who ran his operation fairly loosely, while somewhat lax in his attitude to their own cybersecurity, and while they were super profitable and really egregious in their attacks, he also managed to let law enforcement into their communication channels, and the National Crime Agency of the UK, joined by a lot of other law enforcement agencies, spent many happy weeks going around the servers and finding out absolutely everything about the LockBit machine, and then decided to implode it spectacularly by hijacking the site and really revealing a lot of the internal workings of that group, with the intention, and successfully, to undermine the t... in the promises of these ransomware gangs. So there has been a change from the second generation to the third generation of ransomware, where data exfiltration is the heart of the extortion, so you're relying on the honor of thieves again to say, well, we've exfiltrated your data, but if you pay us a ransom we won't reveal it, in fact we will delete it. Well, it turned out they hadn't, so that trust was destroyed by the law enforcement operation, but they also really targeted the affiliates, they revealed the identity of the leader of the LockBit group. So hopefully and apparently LockBit imploded and has not come back, even though the leader was very determined to do so. But yeah, it's changed the ransomware landscape, which has become much more fractured as a result of the operation. One of the NCA leaders of the law enforcement action is calling it Frankenware, and I think you get the point.
Well, speaking of that landscape, putting aside North Korea's very capable state-sponsored hacking groups, which you also devote a chapter to, are there any significant ransomware organizations that are based outside of Russia and Eastern Europe, particularly Russian-controlled portions of Ukraine? It seems as though this industry really is geographically concentrated.

Well, there's lots more cybercrime, so yes, of course there are cybercrime groups of different kinds in many other places, but just focusing on ransomware, that is a real specialty of Russia and, I was going to say satellites, let's say neighbors, sympathetic neighbors. It is because it does need a great degree of technical sophistication that the Russians and the North Koreans have, but it also requires that focus, that profit motivation and that real hostility that says, well, we don't care if people die in medical facilities, we don't mind switching intensive care unit equipment off. That antagonism doesn't exist in that many countries. China of course has great technical capabilities, but they're using it for espionage; they don't need to earn money through that kind of insidious threat. There are some groups sponsored out of Iran, but of course Iran doesn't have an internet at the moment at all, but if you are an activist who is looking to cause destruction, then you can rely on Iranian-sponsored groups to provide you with ransomware malware. So that exists, and that Handala group in particular, but it's not as big and it's not as well organized, it's not on that sort of industrial scale.

Very good. We've been talking a lot about the ransomware industry. Let's flip over and talk a little bit about responses to ransomware, efforts to reduce the threat of ransomware. You discuss several of those approaches. One of them you talk about was an effort actually organized through the private sector in the U.S., though drawing on people from many parts of society, and that is the Ransomware Task Force that put out an extensive report with many recommendations about how to defend against ransomware and reduce the burden of ransomware. Can you tell us a little bit about that task force and what some of its key recommendations were?

Yes, of course. So it started in 2020, when the private sector was absolutely aware of the problem of ransomware and it was so difficult to get the government, particularly the U.S. government, interested in tackling what is a wicked problem. It's super complex, and in effect they couldn't really get any politician to run with an agenda. So what they thought is, let's get everyone together, everyone who's active in this space, everyone get a voice, let's discuss what we can do, and when the Biden administration comes in let's give them a c... could do. So it was a real effort to put the computer security and law enforcement and think tanks and policymakers in the room and really discuss what to do about preparation, about resilience, about computer safety, about policy, about regulation. They managed to come up with a list of 48 recommendations and they said you can't really pick and choose, you've got to do all of this and it's going to be so much better. And it was such a hard sell, except a week later there was the attack on Colonial Pipeline, which finally focused political attention on the threat of ransomware, and there was some diplomatic activity with President Biden having a direct conversation with President Putin saying national critical infrastructure is off limits and civilised nations don't have criminals do that sort of thing. So we've been relying on that rather fragile consensus ever since. But yeah, unfortunately the community could not come up with one big policy idea that would solve the problem. The idea of a ransom ban, saying, "I won't, let's just take the profit motive out of it," that never worked, because in the end, if there are lives at risk or livelihoods at risk and a company is hemorrhaging money, the commitment to saying it will never pay ransom was just not credible.

If you look back at that list of the 48 recommendations from the Ransomware Task Force, were there any on that list that proved influential in practice?

Yes, of course. There were lots of things that we could do as individuals, and there's still more we can do, but really basic cyber hygiene recommendations: multi-factor authentication, having sensible passwords, not recycling those passwords, patching the computer when the update comes up. All of that is so important, and of course the vigilance against all these social engineering attacks. I think a lot of companies have learnt many, many lessons over the last years, but this is a co-evolution of crime and security, and we've also learnt a great deal about resilience. So one thing is not getting breached, but the other thing as well is how likely is it that you can say, well, thanks but no thanks, I don't need a decryption key, I've got my offline backup, here's my memory stick, I'm good. It's about what you put online in the first place, what data you hold, what confidential data you collect. So I think they've become a lot wiser. And in terms of really resourcing law enforcement, well, I think more could be done. I think we have to have a really grown-up debate about how ready we want to be for this threat, but also what our plan B is when the lights go out in some part of the country or there's no drinking water because somebody's decided that they're going to target that part of our national infrastructure. We still have to have that conversation, unfortunately.

Anja Shortland, thank you so much for joining us on the Lawfare Podcast. Professor Shortland's book, Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware, will be on bookstore shelves, at least in the United States, on April 28. You can learn more by getting yourself a copy.
The Lawfare Podcast is produced by the Lawfare Institute. If you want to support the show and listen ad-free, you can become a Lawfare Material Supporter at lawfaremedia.org/support. Supporters also get access to special events and other bonus content we don't share anywhere else. If you enjoy the podcast, please rate and review us wherever you listen. It really does help. And be sure to check out our other shows, including Rational Security, Allies, The Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. You can also find all of our written work at lawfaremedia.org. The podcast is edited by Jen Patja, with audio engineering by Cara Shillenn of Goat Rodeo. Our theme song is from a... And as always, thank you for listening.


