Mikko Hypponen, F-Secure's Chief Research Officer, was at the Web Summit last month, and he met up with us to discuss ransomware, cybercriminals and how to surf safely online.
Well there’s at least 20 different ransomware families, so it’s not one single problem. We’ve seen different kinds of gangs make money this way, and it works so there’s going to be more and more new criminals using the same method of making money. One of the largest, if not the largest, groups in ransomware business is from Russia, they run this small group operation called CryptoWall, and since all the ransom money is being moved with Bitcoins we can actually track to some level on how much money there’s being moved to these Bitcoin virtual wallets. So we estimate that throughout the last three years, this group has received around 300 million dollars or 260 million euros or something like that in their operations. And that’s a remarkable amount of money for a criminal organization.
For me, I’m worried, if you give them your bank details to pay their money, I’m worried they might use that again for themselves.
Well, no because they don’t want your bank details, they want you to do the transaction with Bitcoin, and Bitcoin is the mega trend behind ransomware. Before Bitcoin was around, there was no easy way for the criminals to move money without running the risk of getting caught. With Bitcoin, they will not be caught. The work of tracking down a Bitcoin transaction back to the real world version is very, very hard. That’s why they like it.
Because I’m like, I had it myself a couple of years ago, and they told me, You have to pay some euros, and I figured if you use PayPal accounts, they can actually be re-used again and again by them. And also at times they actually also have installed key loggers. So when you go to use that, when you get back on the computer, and so say, you got in your accounts. The key logger is storing future transactions and your passwords, so you pay them a fee. For a long term, you have got no come back because they have access to all you have.
Once again, it depends on the family. For example, CryptoWall, once you pay their ransom, they will recover your file, and they will remove the malware, and so they actually do what they claim to do. And like I mentioned in my talk earlier today, we believe the reason for that is that they have to have a good reputation, or sort of like good reputation in order for people to pay the money. If people think that paying the ransom wouldn’t work, they wouldn’t pay. That they see that it works for other people, they would have paid the ransom because the money isn’t too big or that huge, it could be a couple of hundred of euros, could be a thousand euros, you mentioned how much data they’ve encrypted. So, for a corporate victim, it could be a lot of money from corporates and people.
You were also saying that some of these guys are from poor social backgrounds and you can’t cure that. But that you can cure security but not the person themselves.
Well, it’s true that many of these online criminals come from backgrounds where they have the skills, but they don’t have the opportunity, so you’ve got to eat. So, if you’re a programmer but you can’t get a job and you’re, I don’t know, somewhere in Siberia or the slums of Sao Paulo, it’s quite obvious what you’re going to do with your skills. You’re going to go into live online crime, and that’s a hard problem to solve. That’s not something I can solve, it’s not something you can fix with technical solutions. It’s a social problem.
I think that if you’re a company and you wanted to be as secure as hell, you hire these guys to be your security. Like if for example, you run a bank and you want to make sure that you don’t get robbed, you actually hire ex bank thieves to go make sure it’s secure now. Surely, these guys, who make a living in Sao Paulo or Russia, they can work anywhere in the world, they don’t have to be in an office, they can work anywhere you put them with Wi-Fi. And you can call these guys, and say we want you to protect us and tell us what’s happening. At times you find that some of these hackers will have signatures that will let hackers know who they are and if they know who they are, they will be able to protect you from these guys.
Most banks and other large companies like the idea, but they prefer not to work with criminals, so they work with penetration testing companies and auditing companies, which have the same skills. For example, we do penetration testing, which basically means we come and hack your system but we do it with your permission, and we use exactly the same kind of attacks that real criminals would be doing. And of course that’s a much better solution from the point of view of the client because you know that you can rely on who you’re working with, because you’re not working with criminals.
Yeah, that’s true. Now I’m thinking, if you’re a criminal, and we hired you, we can’t fix the social problem that you’re in. But if we can make you use what you did for good rather than evil and maybe change you slowly, you’ll realize there’s work here for me, I can be freelancing this and it’s a way of making money without me actually doing any real damage.
I actually had discussions with people who have come to a life of crime who really regret it, who tell the story of how they would give everything if they could switch sides and come and do over, an honest living and actually work in computer security, which is of course their passion because they understand it very well. But for many of them, it’s a hard switch to do after you have a criminal record or after you’ve been on the other side. It’s hard to gain the trust of security people, and it’s sometimes very sad to see these people who are really regretting their life decisions, have a hard time making it good again.
A good example is the Wolf of Wall Street, Jordan Belfort, he showed what he did and he was doing something criminal but he just saw it as a way of making money, and he didn’t think he was doing anything wrong. He got caught and then turned his life around and said, I want to talk about what I did and how people can avoid with what I’ve done. I think these hackers should be given a chance to do that as well, a sort of rehabilitation.
Well, some people successfully had done that, I think that the worldwide best known example is Kevin Mitnick, who was sentenced for several hacking crimes, who spent years in jail, got out and started a successful consulting business, and he’s now doing security consulting worldwide. So, some people are able to do it.
And like years ago, like people like Steve Wozniak, thirty years ago, he was actually involved in a kind of hacking environment, but these guys managed to turn around and they are the founders of Silicon Valley, they had an opportunity to do that. And then if they can do it, that says anyone can do it if given the opportunity, given the tools and the patience of time.
And I’m all for that, I’m all for like someone who has paid their debt to society and who should be rehabilitated and welcomed back to society, to do whatever they can best do for us. Many of these guys have the technical skills to do security. But the problem is how do you regenerate the trust after you’ve lost it. And that’s the big challenge.
For me, I find that when you’re in security, if you’re a user of security products, you would gladly be able to trust the user, trust the connection you are using, trust your software and trust your hardware. If you can do all that, you’re going to be fine. But along the way, one of those trusts is going to be broken, unless you can guarantee that all those trusts are met, then that’s great, but that will never happen.
Yeah, and it’s hard. Regaining trust is hard. We’ve received it over and over again in our line of business.
When it comes to the home user, what do you recommend that they should actually do when they’re surfing online, maybe when doing shopping and bank transactions?
Well, the very first thing that I always say is always the same, which is back up your stuff. This is it, it’s a no-brainer, everybody knows they should be backing up your stuff just because somebody could break in and steal your computers, or your house could burn down, or it could be a malware problem. Yet, very few people actually do it right. So, back up your stuff, not just your computer, also your phone, your tablet, back them up so that you can recover them even if your house burns down. So, if something bad happens, you can bring it back and recover your files. That’s the first thing, that’s where you start. The second thing, patch your systems, make sure everything is up to date, not just the computer, also your tablet, also your phone; not just the operating system, but also your browser, all the applications. Automate it, make it automatic if possible, that everything gets updated, so everything is secure from the patching point of view, as possible. Then choose your devices carefully. For example, now that Windows XP is no longer supported by Microsoft, many people have asked me about their old computers like, you know, should I try to install Windows 10 in this old computer? Or what should I do with my machine? But I always ask them the same question, is that, you know, What are you doing with your computer? I don’t know. I surf the web, I pay the bills, I don’t know. Then I tell that you know, ditch the old XP and buy an iPad. It’s going to be ten times faster, ten times better as a surfing platform, and it’s going to be ten times more secure, because it’s a much more restricted thing, and since, you know, your computers are much easier to infect than your tablets. And they’re not foolproof either, but much, much better than computers.
Now with tablets, the software is behind a pay wall in Apple so that guarantees that lot less damage could happen.
All the applications come from the App Store and Apple is very careful about what gets into the App Store, so that’s why it’s more secure.
And also, I’ve seen, at times people are using enterprise app, but at times they install them and Apple says you can do that, but at times you’re not sure where the app is developed. And there’s a loophole there, I think it makes me more aware of, if you use enterprise apps and you put them in your machine, make sure you know where they are from.
Very true, and it’s easier to do in mobile platforms than computing platforms. Because these are much more restrictive platforms but they’re also more secure. And then when we go through these steps, we end up with the last step, which is tech securing, using security software, or privacy software like encryption software in your devices. That’s not the first thing to do; the first thing really is back up.
If you back up, I back up myself with portable hard disk and also I use the cloud as well. And on my phone here, it’s backed up every morning, at four in the morning in the cloud, it backs up my phone automatically every day. In that way, I guarantee, if anything goes wrong, it’s safe. And also my phone, uses fingerprints, as well, via a scanner I use so no matter what happens, you can’t get into the phone.
Now the fingerprint readers on those devices are actually very good. It’s a good practical example of biometric security, which actually works.