Smashing Security podcast #282: Raising money through ransomware, China’s mega-leak, and hackers for hire

Industry veterans, chatting about computer security and online privacy.


A hacked university might have made a profit after paying a cryptocurrency ransom, China suffers possibly the biggest data breach in history, and Reuters investigates digital mercenaries.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Graham Cluley

I'd put Dave in drag at some sort of bar close to your house. See if he could lure, so he could be a sort of agent provocateur.

Carole Theriault

Yeah, because Dave and I look very different from each other. So, you know, that might work.

David Bittner

Well, especially if I was in drag, I look very different from you. But I would add irresistible.

Unknown

Smashing Security, episode 282. Raising money through ransomware, China's mega leak, and hackers for hire. With Carole Theriault and Graham Cluley. Hello, hello.

Graham

And welcome to Smashing Security, episode 282. My name's Graham Cluley.

Carole

And I'm Carole Theriault.

Graham

And this week on the show, Carole, we are joined by CyberWire's David Bittner.

David

Hello. Nice to be back. Thank you for inviting me. Always fun to join you. So the pleasure is mine.

Carole

Exactly. We're so glad to have you here.

David

It's an honor and a privilege.

Carole

How about we thank this week's sponsor, Bitwarden. It's support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?

Graham

I'm going to be explaining how to make money from a ransomware infection.

Carole

Okay, great. What about you, Dave?

David

I've got the story of upward of a billion records being released on the dark web.

Carole

Oh, God, it's going to be a fun show. And I'm delving into the murky world of digital mercenaries. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, I want you to cast your mind back to Christmas 2019. Those innocent heady days. The snow is falling, the bells are jingle jangling, before lockdown. There was some sort of news about bad things going on in China, but we thought that's a long way away from us, it's never going to reach...

Carole

Well, you did. You thought that, yeah, despite me telling you repeatedly.

Graham

Yes, we have that on record. I think as well, when you think about Christmas, I don't know about you, but I sort of think of a European Christmas market. Going around, having a little tangerine with a candle sticking out the top, the smell of cinnamon.

Carole

Mulled wine.

Graham

Yes. Santa hats. It's a wonderful thing. Maybe you'd go somewhere like Maastricht in the Netherlands. Would you enjoy that? Ever been to Maastricht?

Carole

No. No, not me. Can't say I've had the pleasure. I'm sure it's lovely.

Graham

And on the 23rd of December 2019, the University of Maastricht was hit by a ransomware attack. The buggers had waited until just before Christmas before unleashing their attack. The Clop ransomware. I love that, Clop. I do. There is something about me which quite likes the Clop ransomware purely from its name. Whereas you get some ransomware which has really sort of macho names, you know, sort of darkness or black matter and all those sort of things. I think something which sounds a little bit like you dropping off kids at the swimming pool. The sound of a clop, I think, is rather good. But, of course, it's not that pleasant. It's not as pleasurable as what I'm describing because the Clop ransomware was deployed to 267 Windows servers at Maastricht University and encrypted all their files and demanded a ransom be paid for their recovery.

Carole

So, same old, same old so far.

Graham

Same old, same old. Well, there's no such thing as a good time for an organization to be hit by a cyber attack. And the Christmas holidays pose a particular challenge. Many staff had to change their plans. They decided to come in rather than hang out with their families over the Christmas season.

Carole

We have to remember, yeah, I was just going to say, we have to remember that we've all gone through that now. But back in 2019, this was a brand new thing. You would have felt very put upon the fact that you wouldn't be able to leave it with your family, wouldn't you?

Graham

Well, I think some people, if you've got the prospect of being trapped with your family between Christmas and New Year... Oh, problem in the office? Yeah. Oh, dear. Oh, dear. What a shame. Yes, I'll definitely come in. I'm very keen.

Carole

Line me up. Triple pay. I'm there.

Graham

So as many as 200 employees, apparently, from University of Maastricht, they came in. They didn't spend their Christmas holidays snoozing on the sofa watching movie repeats. They worked instead. And everyone was pulling together to try to get ready for the return of 19,000 students who were due to show up at the university on the 6th of January.

Carole

I wonder if their bosses gave them a roast dinner in a can or Christmas dinner in a can or something just to help them celebrate a little bit.

Graham

I'm sure they would have done. They would have come around with a trolley, wouldn't they, and handed out something. A tray of processed meats and cheeses and crackers. Yeah, I'm sure they would have done that. Now, the obvious question arose, should the university pay the ransom or not? And they concluded that they should. They said, our decision, well, they said their decision was entirely focused on the interests of the students, the staff and the institution. They said, obviously, we don't like paying the bad guys, but students will suffer. They had little idea as to how students were going to suffer just a few months later because of the pandemic. But they thought students are going to suffer. We're not going to be able to educate them easily. With all this ransomware around, it's locked up our servers. So we're going to pay the money.

Carole

We should clarify, though, when you say, you know, they obviously encrypted their files. They also had access to their files, presumably, as well, right? Because they encrypted them. So all that information in there, do you know if it was PII stuff?

Graham

I don't know. It's only locked up the computers. I don't know how much was exfiltrated, if anything, or whether that was part of the plan.

David

And back in 2019, were they doing the double extortion yet? I'm trying to remember when that kicked in, right? Were they threatening to put the information out there in public, or have we not crossed that threshold yet?

Graham

Certainly not as popular as it is today as a technique. I think we can safely say that. So the university, they paid 200,000 euros, $220,000 in the form of cryptocurrency ransom. Nice little earner, nice Christmas present for the hackers. And so the university got the decryptor, was able to bring the students back, welcome them back on the 6th of January, conducted their exams for the kids, more or less as planned, little or no irreparable damage. Huzzah, huzzah, huzzah. And you can read about this at the time. And actually, I think the university did a really good job. You can watch a presentation they gave all about what had happened. They were very transparent. They worked with a Dutch cybersecurity firm called Fox IT who are very good. It was a really great example of how to handle it. Although some people won't have liked that the ransom was actually paid. Exactly. And some people don't like that. Yeah, I don't like that. You don't like that. Okay. Well, who needs an education? Right. That's what you're thinking. Yeah. Now, of course, the story doesn't end with the payment of the ransom, because a crime had been committed and the cops would love to collar those responsible. As well as the university, they want to know as well. And it was the following year, in 2020, when investigators managed to track down some of the cryptocurrency. It was sitting in the crypto wallet of a Ukrainian money launderer.

Carole

So, okay, I'm going to guess what happened. Well, well. Because it's still in the crypto wallet now.

Graham

Well, let's come to that. So when they found it in this cryptocurrency wallet, there was only about $40,000. So it was a fifth of the total money that the University of Maastricht had paid. But it was something at least. So they got the wallet frozen. So the bad guys couldn't access it. So it wasn't possible for them to take any of that money out. And they initiated legal processes to try and see how they could actually get the money returned to them so they could do something with it. But since 2020, what's happened is that the price of Bitcoin has not remained static. In fact, according to the university, although it was only worth 40,000 when they froze it, it now contains over $500,000. I know Bitcoin prices have fallen in the last couple of months.

David

That's what I was going to say. So is it like $5 now? Well, that's the thing. It's gone down from its height. But according to Maastricht University, they say there is currently $500,000 in there. Well, sign me up. Right, exactly. So they're using this idea of vulnerabilities, which we're hearing about all the time, and bugs in crypto sites, which we hear about all the time, saying, hey, quick, act fast.

Carole

It's such a cesspit of shit, isn't it? It's just... God. So getting back to the story about the university, though. So here's something I'm curious about. So suppose the university pays, what was it, say 200,000 euros in cryptocurrency. Because they paid in Bitcoin. They paid in Bitcoin.

David

Yeah, exactly. Right, right. What I'm getting to here is, does the university either take the loss or the windfall, depending on the direction that Bitcoin goes, or could they get the original value back of what they had paid? I'm not sure how you would go after them, how the law enforcement folks would go after them.

Carole

Yeah, do they take the cream on the top or just go to law enforcement? We'll just take the rest.

Graham

I would certainly imagine that Maastricht University would ask for more than the ransom to be returned to them because, of course, they had other costs as well. So even with the $500,000, although that's a nice bump, it won't actually cover all of their costs. Yes, it won't cover all of the other costs which may have occurred. But yeah, it's interesting. And I think we've seen cases before where law enforcement authorities have sort of frozen cryptocurrency wallets or had money transferred to them while it's decided where it ended up. And in the meantime, have made quite a pretty packet. And there are all kinds of opportunities there for some corruption, isn't there? And especially in the dizzyingly complex world of cryptocurrency, which not many of us understand, as to where money could be squirreled away.

David

It's fascinating to me how one of the selling points that the fans of cryptocurrency will claim is how it is out of reach of regulation and it operates in its own little world. And that seems to be true right up until the moment when it's not. Right? And law enforcement can, as you say in your story here, they are able to freeze it. And so how are they able to do that? I think at the outset, that's probably something that the folks who came up with a lot of these cryptocurrencies thought they were out of reach of law enforcement. And that was one of the benefits. But that's proven to not be true.

Graham

And we've seen cases like Colonial Pipeline, where money was stopped from getting to the bad guys. And of course, I don't know if you're aware of this, but criminals aren't entirely trustworthy. So it may be that if more than one person is involved in a particular criminal activity, they may choose to blab a little bit, mightn't they, to the authorities sometimes.

Carole

Yeah, not release your data.

Graham

You just can't get an honest criminal these days. You know, you can't trust them. There is no honor among thieves these days. Yeah, yeah, it's true. I think it is a breach, but I think you have to assume that there's been a failure of security and the privacy of that data has been breached in some way. It's no longer confidential. Over a billion, you said, over a billion records. I mean, China has about, what is it, it's about one and a half billion people I think live in China. It's, yeah, it's an astonishing number really, isn't it?

David

It is, it's hard to imagine and they're saying that this is most likely from the Shanghai National Police and you too can purchase this data for about two hundred thousand dollars on the dark web.

Carole

What's interesting about this for me is I know that China has a really good method for getting all the information pieces from all the different governments and agencies that run into one big pot, right? So that you have, then, that's why this is quite interesting, you have all the medical records, the police information, the mobile, the national ID. You have everything about a person.

Graham

In a way, it's the communist ideal though, isn't it? It should be that everyone gets treated exactly the same. So if one person's going to get breached, why not breach every single person in the country? It would be unfair if only some people got that benefit.

David

Yeah. Now, the Wall Street Journal has done some follow-up on this story. They've actually spot-checked a few of the names by calling some of the people whose phone numbers appear in the records that are available, and they check out. So at least the people that they've called, it seems to be authentic. I don't know. I don't know what you do with this. I mean, a billion records. How do you even come at that?

Carole

And I was just thinking in my head, what you do is the government buys it back. Right. But then I come back to John Graham's story where I said you should never pay. Damn you. Damn you.

Graham

You're thinking the government should buy it with a little bit in the contracts and you agree not to sell it to anybody else. Yes. Because I can see how this could be weaponized. I mean, okay, you may not want to target a billion people, but if there are particular individuals in China you wanted to target, if you know their name and address, well, now you know their mobile number as well. And so you could target some spyware against them, for instance.

Carole

No, but also you could probably go through it and go look for the word cancer in the medical records, target them with one attack.

David

Venereal disease. Sorry, Dave. Why are you mentioning that? Sorry, it's my Tourette's.

Graham

Carole, what have you got for us this week? Well, perfect segue because I want you guys to imagine that you're two private dicks. I'm sorry, what? And you have been hired by me because I want dirt on my husband, because I think he's been stepping out on me. But when I ask, you know, he's blank face and reassuring. So as private detectives, what tactics might you employ to find out whether he's… Hang on. That'll all come out in the wash. Okay, all right. I'm thinking Cagney and Lacey or Dempsey and Makepeace or something is the scenario I'm thinking. So what tactics are we going to use to spy on your partner?

Carole

Yeah, because I want to find out whether he's mashing his face up against someone else's chest or something, right? So I want to know.

Graham

Well, first thing I'd do is I'd put Dave in drag at some sort of bar close to your house. See if he could lure so he could be a sort of agent provocateur.

Carole

Yeah, because Dave and I look very different from each other. So, you know, that might work.

David

Well, especially if I was in drag, I look very different from you. But I would add irresistible. So it would be a good honeypot there to try to catch him for sure.

Graham

We could hack into his email or his social media. We could plant a tracking device on his car, maybe.

David

Yes, that's what I was going to say. The real, the sexy one these days is stick an Apple AirTag on him.

Carole

So you guys would definitely consider hacking him to find out.

David

Yeah.

Carole

Okay. So you might look for a hacker for hire, for example. Interesting. Because that's what we're going to talk about. Because Reuters issued last week a long-form investigative piece all about hackers for hire or digital mercenaries, because they got their mitts on a treasure trove of more than 80,000 emails sent by an Indian hacker for hire company. Over a seven-year period, these emails were sent. And Reuters and a few security companies, including Google and Amazon, combed through these emails to come up with a few interesting tidbits. Before we get in, so who are these hacker for hire folks, right? One key characteristic is that there are people, obviously, who are experts in compromising accounts in order to exfiltrate data. And they do this as a service for someone else, a bit like you bring your car to the mechanic when something is awry, right? Because, you know, your mechanic is an expert in this stuff and experienced. So the same goes for hackers for hire. Why let lack of skill stop you from hacking somebody? And of course, there's different types of hackers, right? So you have individuals and organizations, some are openly marketing their services to anyone who pays up. And I don't know how that exists. Is it because we just don't know where they are? But you know, they can go out and go, come to us, we'll do it for whatever 100 bucks, and we'll hack whoever's account that you want us to, we don't care.

David

Yeah, I would think it would have to be that way because otherwise you're going to, well, certainly here in the States, you're going to run afoul of the Computer Fraud and Abuse Act. Right. But, you know, is anyone even looking at these things? I wonder because there's so many of them. Would that be celebrities? Would a celebrity be a high-risk user?

Carole

I guess these people tend to be disruptive to a particular geography or people, or they're disruptive because they're telling the truth. Whistleblowers could probably be in there as well.

Graham

Whistleblowers, you can imagine political activists. I mean, obviously, we have seen celebrities hacked in the past, sometimes by newspapers to try and get scoops. Yeah. And of course, there's also corporate espionage and industrial secrets. Now, thanks to this lengthy investigation headed up by Reuters, it turns out that lawyers and attorneys are now at significant risk because hackers are hired to target them ahead of anticipated lawsuits or during litigation. Oh, I'm seeing one here. It says time traveling is possible. American scientists simulate time travel with photons.

David

That would totally get me. I would open that. Yes, of course.

Carole

Who wouldn't? But they also saw loads targeting law firms, right? And legal eagles. So it was like Forbes issues top powerful lawyers US or lawyers who lead by example. Wall Street Journal asking about logistics solutions in law practice. So it's almost like, hey, you have a press inquiry.

David

I'm curious, Graham, as a cybersecurity person of some note, does it happen to you quite often or occasionally that people come to you and say, oh, Graham, could you help me get into my spouse's phone? Or, oh, we've lost our password? Or do people reach out to you for that kind of service?

Graham

Several times a week. Yeah. Okay. If I could make some money by referring them to this hacking company in India, if I could earn some commission, that'd be terrific.

Carole

Do you know, Graham, that's how we became friends, you know? Was it? Yeah. Because remember, I had this guy, it was like, I think it was around Valentine's Day and I had somebody sending me all these woo-woo messages.

Graham

Oh, you had a Romeo, didn't you? A Romeo chap.

Carole

That was the email address too, is Romeo something at Gmail or something like that. Yeah. And I wanted to know who it was. Yeah. And because they started getting a little bit like, I don't know if they work here, I don't, you know, I thought I knew who it was, and then they kind of indicated that wasn't that person, and I started freaking out. And then I was like, I have to go talk to that big mouth guy. Oh god. And then they'll look at us now.

Graham

Look at us now. Hacking brought us together. What a delightful meet cute story. Yes. And it wasn't me sending you the emails just to stress that.

David

I never learned. Right. How can I get Carole to come talk to me?

Carole

So what can you do? The answer, of course, is things like multi-factor authentication, password managers like Bitwarden, for example. But I have one I wanted to ask you guys about actually before we go. So what I think makes email dangerous is that if they got into it, most people have, what, decades of email in an address. So would it be smart for people to just clear out everything? I mean, how often do people look at emails that are over a year old? Maybe 1% of the time?

Graham

Well, I certainly know some of the tabloid newspapers in the UK were very keen to delete some of their old emails. Because there might be evidence that they've been hiring hacking companies and private investigators.

Carole

I just wonder whether people should think about exporting those messages. If they don't want to, you know, press the delete forever button, they could just put them on a local hard drive and only access them, you know, in a different way. And just have a much smaller amount of emails, you know, a smaller treasure trove.

Graham

If you're going to do it, do it in coordination with your IT department because there might be rules and regulations regarding keeping some past messages and things. But it's so easy to be a digital pack rat these days because data storage is practically free. Certainly when it comes to your email and if you have like a Google Drive or something like that, it's so cheap that there's really no downside to just hanging on to things except for exactly what you're saying here, Carole, that it can come back to bite you.

Carole

Exactly, because you may be smart now about security, but were you 10 years ago when you were using email? Well, just saying. But anyway, good story. It's nice to see the other side. And we're not nice to see it the other side. So be wary out there. It's all about phishing emails. I wonder what's going on with my brain today. Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com slash smashing and try it for free across devices as an individual user or you can start a free trial of a team's enterprise plan. And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online all without requiring super high-tech expertise. Go to bitwarden.com slash smashing. Start your free password manager trial today.

Graham

And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week. Pick Of The Week is the part of the show where everyone chooses to say that it could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Better not be. Well, in stereo, my Pick Of The Week this week is not security-related. Carole, you're a fan of the cat. Le Chat. By Le Chat, I don't mean William Shatner, of course. Dave, are you a fan of cats? No, no, I... You detest them? Yeah. Yeah.

Carole

Because there's not enough cats on the internet. Here's yet another way.

Graham

Because Franz Dieter will take your picture of your cat and will turn it into a giant cat.

Carole

Will she? Wait, will she do that with my now dead cat? Yes. Can I send her a pretty picture? For about $10, they will do it. Will you do it for me as my friend? feel wrong did it He did.

David

said it. Very good. Yeah. Well, I will endeavor to do better than that, as difficult as it may be. So I will have the story of two-time Academy Award winner Emma Thompson.

Carole

Oh, love Emma.

David

I love Emma, too. We all love Emma, I think. Doesn't everyone love Emma? Everyone loves Emma. Wouldn't you love to have her as a friend?

Carole

Yes.

David

She'd be just so much fun to hang out with. She's funny. She's charming. She's smart. She is sexy.

Carole

Yes.

David

Yes. She's all things. She is just the whole package. So she just came out with a new movie. It's on Hulu. It's called Good Luck to You, Leo Grande. Have you seen it?

Carole

Yes, I watched it over the weekend.

David

Exciting. And in it, she plays a retired school teacher who has decided she's a widow and she has decided she needs to make up for some lost time and have a little adventure in her life. So she hires a sex worker who is played by Daryl McCormick, who is just about a perfect specimen of a human being.

Carole

I was just going to say, you wouldn't kick him out of bed for eating crackers, would you?

David

No, you would not. No, you would not. And it's just a delightful movie. It is funny. It is serious. It is sad. It is sexy. Of course, Emma is fabulous and the range of emotions that she takes us through, the interpersonal relationship of these two as they get introduced to each other, as they get to know each other, the evolution of their intimacy. It's really delightful. I enjoyed it very much. And of course, watching Emma Thompson do anything is time well spent. So I highly recommend it. Not for kids. It is a little bit sexy, but for the grownups in the audience, check it out.

Carole

There's a little bit of nudity I heard, I think, in this movie. Would that be correct?

David

There is. There is. And actually, you know, it's an interesting thing because Emma Thompson is being lauded for her bravery of the amount of nudity.

Carole

Yes.

David

No longer being a spring chicken. She's getting a lot of credit for the nudity. And I don't know how I feel about that in that it seems to me a shame that that needs to be something that someone's brave about.

Graham

I mean, so does Daryl McCormick get his tackle up?

David

He does. He does. I would be much more worried about.

Carole

Yes, I think I'd find that rather unnerving to get that out on camera, I think.

Graham

Not if you look like Daryl McCormick, Graham.

Carole

No. Yeah, it's true. There was a New York Times article featuring Emma Thompson about this whole movie, and she said it was the scariest bit of her life. There's apparently a scene where she has to stand naked in front of a mirror for a while. And she said that was the hardest thing she ever had to do in her whole acting career.

Graham

I have to do that most mornings. It terrifies me.

Carole

Are you doing that on YouTube, though, as a live stream?

Graham

Only for Patreon supporters.

Carole

Oh, God. That explains the numbers.

David

But it's all handled in a very delightful way. And it's one of those films. This could be a play. It's shot as if it's a play. It's really just the two of them in the hotel room together. But it's funny and it's moving and it's touching. So that is why Good Luck to You, Leo Grande is my pick of the week.

Carole

Beautiful. Terrific. Sounds great.

Graham

Carole, what's your pick of the week?

Carole

My pick of the week is a twofer. So number one is a podcast. Now, not an audio drama. So in fact, Graham, Dave, I think actually you both might like this one. Despite the name, because it is called This Is Love, created by Lauren Spohrer and Phoebe Judge. Now, Phoebe Judge, does that ring a bell for either of you?

Graham

Yeah, you've mentioned her before. How do I know her?

Carole

So she's the host. She also hosts another podcast called Criminal. And I think she does a story at bedtime or something. I don't remember the exact name of that one. But I'll argue she has one of the greatest radio voices I've heard. So I've put a link in the show notes so you guys can have a listen and see what you think.

Graham

That's when you're throwing down the gauntlet when we have Dave Bittner on the show, Carole.

Carole

Well, Dave, I think you'd agree. I think he'd agree. She's caramelly. There's an anthropologist named Dr. Helen Fisher. She studies love. She's been at it for more than 40 years. And she says love is very simple. She said timing is important. Proximity is important. Mystery is important. She tries to understand what it means to be a love. Oh, my God.

David

Yes, I could listen to that. It's very nice. I mean, it's not Emma Thompson standing in front of a mirror nice, but it is nice. It's not James Mason either. Wow.

Carole

No, definitely not James Mason. So this podcast, This Is Love, okay? It's like a bunch of vignettes or stories. And the stories are peppered with little interviews. And they're all about communing. So it's not just lovers. There's, of course, stories of lovers, but there's also people that become friends or connecting with the world or family members. It's kind of just on the border of Fromageville or Cheesetown without stepping over the line.

Graham

Are they places in Canada?

Carole

Yes, that's right. So it's where we get our poutine from. And it's perfect for when you're maybe walking the dog or you need a little story before bedtime and you don't want your brain to go into a tailspin afterwards. So the podcast is called This Is Love, and you can find it wherever you get your podcasts. It's great. But I said I was sneaking in another pick of the week. Well, on one of these episodes, it's an episode called Cain's Jawbone. Does that ring a bell to either of you that term? Cain's Jawbone.

Graham

Don't look it up, Graham. No, no, no. I can't remember. No, this does ring a bell. I think we've talked about this maybe before, okay.

Carole

Detective book written in 1932 and its big thing is that all the pages are out of order and your job is to put the hundred pages in the right order and find out who the killer is or are. And if you do, you are to send the information to the publisher and only three people are known to have solved it.

Graham

Only three people could be asked.

Carole

Gotta have a gimmick. It kind of fell out of publication or kind of favor, but it got revived. Surprise, thanks to TikTok. Can't imagine why. And I learned all about it on This Is Love because there's an episode called Cain's Jawbone, and it's fascinating. And I'm buying the book for my husband because that's something he's good at. He's going to crack this before he dies. Is he going to have to tear the pages out of the book? Yes, they have. Apparently, they're not perforated anymore, but they have little lines. I just think PDF, right? We need a PDF of this because then you just print it out.

David

I find it fascinating that you're buying this for someone else to solve. It's typical. Graham, you can totally see that he has the right brain. Apparently, there's loads of cryptic crossword clues in it as well, right? It's totally for his kind of brain. A hundred percent. I think he'd love it.

Graham

Terrific. Well, that just about wraps up the show for this week. Dave, thank you so much for coming on the show. We really appreciate it. I'm sure lots of our listeners love to follow you online and find out what you're up to. What's the best way for folks to do that?

David

Well, you can find me on Twitter. It's at Bittner, B-I-T-T-N-E-R. And everything else is over at thecyberwire.com.

Graham

Marvelous. And you can follow us on Twitter at SmashinSecurity, no G, Twitter on the last ever G, and we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Google Podcasts, or Spotify.

Carole

And huge, huge thank you to this episode's sponsor, Bitwarden, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 281 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye-bye. Bye. Bye-bye. Bye-bye.

David

This is what I normally have to listen to, people. I saw the Elvis movie over the weekend, by the way.

Graham

Oh, really? Now tell me about that.

David

It's all right. It's a bit long and a bit of a mess. But I like Baz Luhrmann as a director. I think he's very bold and so I tend to like his style. And I enjoyed that.

Hosts: Graham Cluley, Carole Theriault

Guest: Dave Bittner

Sponsor: Bitwarden

A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.

Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
