Writer: How My Mom Got Hacked
HughPickens.com writes Alina Simone writes in the NYT that her mother received a ransom note on the Tuesday before Thanksgiving. "Your files are encrypted," it announced. "To get the key to decrypt files you have to pay 500 USD." If she failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever. "By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking," writes Simone. "My father had already spent all week trying to convince her that losing six months of files wasn't the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay." Simone found that it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them and so she eventually helped her mother through the process of making a cash deposit to the Bitcoin "wallet" provided by her ransomers and she was able to decrypt her files. "From what we can tell, they almost always honor what they say because they want word to get around that they're trustworthy criminals who'll give you your files back," says Chester Wisniewski.
The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay. They are appropriating all the tools of e-commerce and their operations are part of "a very mature, well-oiled capitalist machine" says Wisniewski. "I think they like the idea they don't have to pretend they're not criminals. By using the fact that they're criminals to scare you, it's just a lot easier on them."
Your Mom's system was wide open. Every hacker I know has been in there.
Context, man!
The "Don't blame the victim" notion comes in response to this kind of (boiled down) common claim:
"It was her fault that we exploited her! It was impossible for us to choose to not exploit her. We take no responsibility for our own actions!"
Which is the way psychopaths operate. They're always blameless or their actions are 100% forgivable in their eyes.
Her ignorance and subsequent choices were on her; she could have protected herself better, but the crime is not her fault and the perps should get zero slack because of it.
This is exactly the sort of crime that the government should be able to solve, there are so many fingerprints left, double that with the bitcoins (which aren't actually anonymous).
Granted, the $500 itself might not be worth much attention, but over and over it adds up to a lot.
Plus this is the sort of nonsense that your government is supposed to do something about. If not stopped now, the problem just grows.
These criminals do this because there is low risk of getting caught and if caught, the punishment isn't likely to be high.
If I were in charge, I'd task the NSA with catching them, then publicly execute them on TV. While some people will say, "oh, that is overkill and not fair", I'd say, "yea, but it sure will give these criminals pause in the future, won't it?"
I would really hate to have all my files encrypted and inaccessible. I'd probably just pay the $500 with much begrudge.
That being said, as soon as I would get the encryption key and get my files back, I would post everywhere that the hackers did NOT give me the key after I paid the $500.
It's kind of like game theory. If enough people do the same, then fewer people would actually pay up, or the price would drop lower, thus proving an advantage for the victims.
Posting in the damn NYT that the hackers are true to their word assures that they have credibility, and just torpedoes the strategy above. In the same way that it's valuable for them to get the word out that they are (kinda) honest, it would be valuable for the victims to get the word out that they are crooked. Being the marketing and pricing geniuses they seem to be, they would surely lower the price if they had bad publicity. So in the name of future victims, I would like to sarcastically thank you Alina for giving those fuckers ammo. They'll probably raise their price now.
She shouldn't have dressed her computer so provocatively!
#DeleteChrome
Best advice is GET THE HELL OFF WINDOWS!! I have a thriving little business upgrading people who are still on XP over to either XUbuntu or Mint. I've gotten calls after an upgrade with the user saying "I got this weird error when I open this email", and it turned out that the user had an email with the Cryptolocker vector, and the odd error was the malware *trying* (and failing) to encrypt files on an ext4 filesystem... At this point in time, THAT ain't happening....
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
The most common attack vector for this particular malware and many like it is email attachments.
That was true 4-6 years ago, but not today. Now we're seeing most of this stuff getting installed via zero-day exploits in browsers and plugins like Java and Flash, and distributed via third-party advertising networks. It's a lot harder to blame someone for getting compromised via a browser plugin they didn't even know they had.
The best protection these days is still to block all advertising, run with limited permissions, and have automated external backups with versioning. If the user is capable, blocking all third-party scripting is also incredibly effective.
It's 2015; anyone in the world can still send an email with file attachments to anyone using whatever FROM address they'd like without any prior trust relationship, vetting or authorization by receiver.
You just listed some of the best features of email.
It is *our* fault for installing AV software and going back to picking our noses
Now this is true. Antivirus software has been a joke for a decade.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
Everyone is stupid.
I'm stupid. You're stupid. We're all ignorant of something.
Malice gets 100% of the blame.
To use knowledge of something to abuse and transgress against another who does not, is a crime. The only crime. And all of the blame.
Analogy: if you leave a $100 bill on your front porch, yeah, that's fucking stupid.
But someone has to go on property they have no permission to, and take something that is not theirs. That's 100% of the blame. The moral person will not steal that $100 bill. In fact, they'll ring the doorbell and educate the stupid person, that they should be careful and not leave money on their front porch.
You don't punish stupid, you educate it. You punish malice.
Unfortunately, we punish stupidity too much in this world, our anger is always in full rage and pointed at the dumb. And we let the truly malicious off, because our hate goes towards the stupid, and in the meantime, the malicious gets away. Or we have no more anger left for them.
It's some sort of fundamental weakness with human nature, that we do this: punish the stupid and ignore the malicious. When we should be educating the stupid and punishing the malicious.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Turns out, when Microsoft tried this, they really annoyed a lot of their customers and took an awful lot of stick for it. Even from people who would consider themselves fairly technical. Users don't want you to put hoops between them and what they (think they) want to do.
Typical user scenario:
Clicks malware.exe email attachment.
Email client: Email attachments of this type are dangerous. Are you sure you want to run it?
*yes*
MSE/Windows defender: Virus detected. Quarantine file?
*nah... seems legit*
Windows: Filez from teh internetz can be dangerous. Continue?
*Yes. How dare you question me Bill Gates!?!*
UAC: File malware.exe from some dude on the internet wants admin access to your computer. Allow?
*Stop getting in my way stupid computer*
Windows: Install unsigned drivers? Guidance: Basically no unless you're plugging in exotic or old hardware.
*Get the **** out of my way piece of *** I bet that *** Bill Gates thinks he knows better than me*
MSE/Windows defender: ***DEFCON1DEFCON1***
*whatevs. I need those novelty smileys and cool web search*
Malware: Mwhahahaha installs pop ups, steals bank details, encrypts files emails child pr0ns to the police etc. etc.
*Wah.... f***cking stupid Bill Gates your software's **** I hate Microsoft. Plus whenever I want to do something it asks me questions like I'm stupid and it knows better*
They hate the dialogues etc. and just click through them. Don't get me wrong I'm all for warning dialogues, but they exist already and they don't help a large proportion of "average users".
And, before some smartypants points it out, I know MS have since said that UAC was designed to annoy users to encourage developers to write apps that don't require admin privileges. A good warning system *should* be annoying though, and hopefully fairly infrequently triggered by innocent actions (as it is now that UAC has been around for a while and developers have fixed their apps (and MS have tweaked it a little)).