Ransomware - Part 1: Between a rock and a hard place
Imagine someone entered your house while you were away and changed every door lock, every safe combination. They put padlocks on your fridge, your wardrobe and your bookshelves. They have all the keys; all your belongings are inside and inaccessible. You need to pay one month of your income to get the keys back, otherwise you’re on your own. What are you going to do?
It started like any other Sunday: nice brunch with your family and friends, followed by conversations on the green grass, enjoying the unexpected early summer.
The uneasy feeling that someone was watching you was gone just as you got outside the house four hours ago. It was too good of a morning. Yet, the inexplicable anxiety returns as you walk back with your family, even while everyone around is enjoying themselves.
As you approach your home with your family, you realise something is outright bad: there is a red paper envelope taped on the door, at eye level. Below the envelope, there is a large sticker with a black and white QR code.
You remove the envelope: inside there is one piece of paper with what looks like a letter. The paper is smooth, but too glossy, and the text is printed using nice, legible characters. Under different circumstances you would admire the typography. You read it aloud so that the others who are around you can hear:
Hello,
You are lucky it is us, and not burglars who would have stolen everything and set the place on fire. We are considerate and reasonable; nothing is taken or destroyed in any way.
We changed all your locks, the alarm code, the WiFi password. We padlocked your fridge, storage cabinets, boxes and wardrobe. All the locks are military grade, it is useless to try to pick them. Oh, and it's a bad idea to leave the safe open; we changed the combination after we stuffed it with all the small precious things we could find.
You can have all the keys and the new codes delivered to you in less than four hours. All you need to do is to transfer us the equivalent of eight weeks of your family income. Do not lie about how much you make; we saw your tax returns on the kitchen table.
There is no hurry, yet every three days the amount for getting back the keys will increase by ten percent.
Please scan the QR code to visit a page with payment details or to contact us for help on how to send cryptocurrency.
P.S. If you need an extra reason to act the right way, we pinky-promise to delete all the scans of that box of pictures you keep on the top shelf in your master bedroom. That is instead of sending them to your friends.
Kind regards,
The LockLock Team
As you finish reading, you try to unlock the door, with the hope this is a bad joke. No surprise, though: the lock would not open, the key doesn’t work.
You turn around, to see your family staring at you. Their joy’s gone and they look instead like three stages of grief: Denial, Anger and Depression. It is up to you to take the lead and break the heavy silence:
"We have been hit by a ransomware attack. Most of our earthly belongings are safe, yet inaccessible and we are paralysed. There is not much we can do. There are two options: to do what they say and pay the…"
"But wouldn't this be like paying and supporting the criminals?", Anger interrupts.
"It would, but paying might be the better option. Because the other one, option *B*, is to deal with this on our own, without supporting organised crime."
"No, there must be another way! I left my journal in the room", says Denial. "We have to break a window, we need to get in. My homework is there, I cannot go to school without it."
"Don't worry about the homework, we’ll deal with that. As for breaking a window, it's not that easy and it would not solve that much, as all the other doors and everything else are locked, including your journal, homework, our passports, laptops, all probably in the safe... Who wants to take a picture of the QR code?"
"Me. But shouldn't I scan it instead?", offered Depression.
"No", you reply. "I don't want them to see we got home yet. Let's go to the closest place we can sit and think. There’s a Starbucks two minutes from here."
You arrive in the cafe, and ask the barista for two coffees and two hot chocolates. This will be a long day… As the drinks are prepared, you ask for some sheets of paper and a pen.
Your family found a table and are chatting, waiting for you and the drinks. The wonderful smell of coffee and chocolate caressing your nose proves that bliss, despair, impatience, anger and joy can visit your mind and soul at the same time. You need to be there for everyone, and fortunately it looks like they calmed down, even resigned a bit.
"Here are the drinks! While we have them, we need to think about what we can do. We can start with seeing what we have on us. Everyone, please empty your pockets and backpacks on the table."
Two mobile phones, one charger, two debit cards, one credit card, one library card, three coins, one banknote, one supermarket receipt, hand sanitiser, and two useless sets of keys. Not much.
"Should we call the police?"
"Yes. But they cannot help too much now. They cannot let us back in our house. We will inform them, maybe they can track the payment or collect evidence to catch the criminals in the future. So, any proposals?"
"Pay them", said Depression who now became Acceptance.
You write that down. `Option A - Pay`
"Fight them!", said Anger.
You write that, too. `Option X - Fight them`
"Why option X and not B?"
"Because I don't know how to fight somebody whom neither we nor the police can find. There are no weapons and I don’t know how I could attack or defend. So no fight."
"Oh... right. Well... Try to get our things back without paying."
You write `Option B - Resist`
"I wrote 'resist' because we will have to pay, nevertheless. Not the criminals, but all those who help us resist and recover. Let's see now what we have to do, what steps we need to take, in each case. Option A."
Option A is simple:
0. Inform the Police
1. Pay
2. Wait for the keys
3. Get in the house, unlock everything
4. Change locks.
Total cost: ~2 months of income + changing of locks & cleanup costs
We get back to our lives: 1-2 days + time to recover the lost money
Quite bad, and expensive. You tell everyone: "Before we carry on with other options, I wanted to remind you that the safe we have is the best model. Not only were we told that the locking system is unbreakable, but also any attempt to move or force the door will trigger a release of acid which will destroy the contents. Ironically, for safety reasons."
"How could we be so reckless?"
"And how did they get in? Who was the last to go out?"
You calm them down: "It doesn't matter. Suppose the door was unlocked, nobody should have come in and locked us out. We made mistakes, but we are the victims here, and not at fault."
Thinking of the actions required for *Option B* proves seriously more challenging. The list is much longer and for sure not final:
0. Inform the Police
1. Call the locksmith for unlocking or breaking the main door
2. Call the construction company to get another door in place
3. Make a reservation at a nearby hotel for at least a couple of days
4. Call work -- ask them for one week off
5. Call school -- tell them no homework or uniform are possible
6. Cancel family trip -- as passports are in the safe and the safe cannot be opened without destroying the contents.
7. Ask for replacement passports, driving licenses, house deed, school diplomas, birth certificates, because they were in the safe
8. Buy laptops, two mobile phones (if they are in the safe, too)
9. Get somebody to break into the car and replace the keys (if the keys are in the safe, too)
10. Buy school supplies, toothpaste, toothbrushes
Total cost: Unknown, but estimated at three times the ransom. It will take several months until everything is like before and some of your belongings may never be recovered.
"What about the photos?", you get asked.
"Oh, it's OK with the photos. They are with me in underwear, trying to get a before and after for weight loss. The slimming didn't happen, but the photos are still there. I wish they were not published, but if they are, it is just inconvenient, not Armageddon."
"But if we pay, will they send the keys? They can just take the money and leave. And never send us the keys."
You've thought about this, too, about losing the money twice, so you can answer straight away:
"They could take the money and walk away, indeed. But I think they really want not to do that. Their business is based on the idea that victims trust they get the keys when they pay, and fast. If this trust is lost, all their efforts and risks to lock you out are for nothing, and they lose a lot. So, yes, I think that there is a high chance to get the keys once we pay."
There were no other ideas, besides a proposal to negotiate, if option A is chosen. You are trapped, there is no way to win this, the lack of actual options frustrates you. You need to decide, and time is essential.
Paying the criminals is obviously more convenient, and they know that, too. But it is against your principles, values, everything. Supporting organised crime is not something you will do.
What to do? Pay them, or do the right thing? And is the right thing really the Right thing? What is the *right thing*, what is the price? For you, for your family, for people around you.
* * *
I am sorry, dear reader; there is no climax for this tale, and no happy ending, either. No character or story arc. This is how these criminal attacks work in real life. There is no Bruce Willis to save everyone at the last moment. There is no oxygen cylinder that blows up the head of the sharks that hunt you. No matter what you do, you can only lose.
That day, your family went for the rational option without too much debate: pay the ransom. Because of your excellent negotiation skills you got a discount, so at least changing the locks didn’t cost extra.
With the keys sent in four hours, as promised, you got back in the house the next day, as the Police wanted to check if they found any clues. They found none, and how the criminals got in the house is still a mystery. Somebody said they heard an odd drone-like sound, but could not give any other details.
Seven months later, you were hit by a similar ransomware attack. Same amount, same criminals. They probably appreciated doing business with you, so they did it again, on a Thursday, while everyone was busy with their work and school. On this occasion, you read the statistic that 80% of ransomware-paying victims are revisited. This time your safe was closed, so you decided not to pay again.
I hope you enjoyed reading this (still) fictional story.
Have you considered how much of our life is digital? And that being locked out of your digital life can happen for real? And how our physical lives (houses, cars) have more and more remotely hackable technology?
Next time we’ll look closer at what ransomware is, who the usual victims are, what its consequences are and what you can do to minimise the risk of being hit.
See you soon! :)
P.S. Have you been the victim, or affected in any way by ransomware? If yes, could we chat about your experience?