Demanding a ransom for stolen merchandise is, of course, illegal. And most of us assume that people who demand ransoms will be caught and prosecuted. But that's not always true.
I learned this the hard way recently while searching for Internet photos for a Design News online slideshow. On a story deadline and under pressure, I broke all my own unwritten rules about visiting unknown sites, responding to security questions, and closing out in the event of an apparent malicious attack. The truth is that no one broke into my computer. I opened the door and offered them a cocktail on the way in.
All this would be pretty routine stuff, if not for what happened next. The following morning, my laptop display was loaded with popup warnings from my security supplier. And some of the machine's data folders contained chatty letters from my new visitor. The letters, inserted by a program called CryptoWall, explained the situation in friendly terms that a corporation or an agency might use in helping navigate a website.
"What happened to your files?" the attackers asked rhetorically. "All of your files were protected by a strong encryption with RSA-2048 using CryptoWall." It went on to explain that, if I wanted to open my files, I would need a private encryption key. Delving deeper, I learned that the private encryption key would cost $400.
"Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed," the letters said. "If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist."
I liked the use of the word "alas." Nice touch. Very literate.
The malware authors make a good point when they say no solutions exist. "The password is 256-bit encryption -- very long and very complex," Chadi Adas, owner and president of Tech City, a computer sales and repair store in Park Ridge, Ill., told us. "You could spend years randomly generating strings of characters and not make a dent in the armor of this thing." Computer experts can remove CryptoWall itself from an infected machine without much trouble, but removal does nothing for the files it has already encrypted: without a backup or the attackers' private key, that data stays locked.
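The reason cleaning the machine recovers nothing is the envelope (hybrid) encryption pattern this kind of ransomware relies on: each file is encrypted with a fresh random 256-bit symmetric key, and only that key is wrapped with the attackers' RSA public key, whose private half never exists on the victim's computer. The script below is an added illustration of that pattern, not code from the article and not CryptoWall's own code (the article does not describe CryptoWall's internals). It assumes shrunk key sizes (512-bit textbook RSA with no padding, so it runs in seconds rather than RSA-2048), uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES-256 because Python's standard library has no AES, and works on a constructed byte string instead of real files. The last function puts a number on Adas's "years" remark.

```python
"""Envelope encryption demo: why removing the malware does not unlock the files.

Added example; not the article's or CryptoWall's code. Sizes are shrunk
(512-bit unpadded textbook RSA) and an HMAC-SHA256 counter-mode keystream
replaces AES-256 so the script runs with the standard library alone.
"""
import hashlib
import hmac
import math
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, adequate for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). Toy size; the ransom note claimed RSA-2048."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, key_int: int) -> int:
    """Textbook RSA encryption of the file key (no OAEP padding in this demo)."""
    n, e = pub
    assert key_int < n, "key must be smaller than the modulus"
    return pow(key_int, e, n)


def rsa_unwrap(priv, wrapped: int) -> int:
    n, d = priv
    return pow(wrapped, d, n)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || block offset): a CTR-style stream
    cipher standing in for AES-256. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(pub, plaintext: bytes) -> dict:
    """The part that runs on the victim's machine: it needs only the public key."""
    file_key = secrets.token_bytes(32)      # fresh 256-bit per-file key
    nonce = secrets.token_bytes(16)
    return {
        "wrapped_key": rsa_wrap(pub, int.from_bytes(file_key, "big")),
        "nonce": nonce,
        "ciphertext": keystream_xor(file_key, nonce, plaintext),
    }   # the plaintext file key is dropped; only the RSA-wrapped copy is kept


def decrypt_file(priv, blob: dict) -> bytes:
    """Only the private key, which stays with the attackers, unwraps the file key."""
    file_key = rsa_unwrap(priv, blob["wrapped_key"]).to_bytes(32, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected time to guess a random key (half the keyspace on average)."""
    return (2 ** (key_bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pub, priv = rsa_keygen(512)
    sample = b"Q3 invoices and the only copy of the customer list"  # constructed data
    blob = encrypt_file(pub, sample)
    print("stored ciphertext:", blob["ciphertext"].hex()[:32], "...")
    print("attacker decrypts:", decrypt_file(priv, blob))
    print("years to guess a 256-bit key at 1e12/s: %.2e" % brute_force_years(256, 1e12))
```

Everything the victim's disk holds after infection is the ciphertext, the nonce and the RSA-wrapped key; the public key cannot reverse the wrap, and at a trillion guesses per second the 256-bit file key would take on the order of 10^57 years to find, which is the arithmetic behind "don't waste time searching for other solutions." Backups taken before the infection are the only recovery path that does not run through the attackers.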
At this point, most normal people would ask how anyone could hope to get away with a crime like this. They would argue that the malware author's websites could be traced, as could any electronic payment.
But the hackers are getting away with it -- sometimes brazenly. A case in point: NBC News reports that CryptoWall recently attacked a police department in Durham, N.H. The town vowed to pay no ransom, but police officials were apparently helpless in dealing with faceless cybercriminals who could be anywhere in the world.
As for the idea of tracing the payment, forget it. In my case, the hackers demanded payment via MoneyPak, an easily obtained prepaid card that's essentially untraceable.
Some CryptoWall victims -- typically small-business owners who desperately need their files -- ultimately pay for their data retrieval. Four Tech City customers have paid the ransom, Adas said. Three got their data back; the fourth had a technical glitch, causing the data to be lost.
"I hate to say it, but these guys have been pretty honest about what they promised to deliver," he said. Nevertheless, he discourages customers from paying, because there are no guarantees.
In the end, victims of this scam likely won't ever be able to prosecute or get their money back. The scammers typically do business over Tor, an anonymity network that bounces each connection through several volunteer-run relays so that neither the payment site nor its visitors can be tied to a real network address; the Tor Browser is simply the client used to reach it. Well-funded government agencies have the resources to attempt to unmask Tor traffic, but it's unlikely that a small business or an individual would be willing to spend the time and money to try.
"For most people, $300 or $400 is a lot to pay," Adas said. "But it's typically not worth local law enforcement's time to try to track it down."