Identifying and Arresting Ransomware Criminals

The Wall Street Journal has a story about how two people were identified as the perpetrators of a ransomware scheme. They were found because—as generally happens—they made mistakes covering their tracks. They were investigated because they had the bad luck of locking up Washington, DC’s video surveillance cameras a week before the 2017 inauguration.

EDITED TO ADD (11/13): Link without a paywall.

Posted on November 12, 2019 at 6:15 AM15 Comments


Rj Brown November 12, 2019 8:07 AM

Might have been an interesting story if it could have been read without surrendering personal information to the Washington Post. 🙁

Bruce Schneier November 12, 2019 8:17 AM

@ Rj Brown:

I sympathize. So much journalism is behind paywalls — or adwalls — these days. I try to only use public URLs, but sometimes it’s impossible.

CallMeLateForSupper November 12, 2019 8:44 AM

22 Dec 2017 story in Naked Security.
“According to an 11 December affidavit from US Secret Service Special Agent James Graham, Mihai Alexandru Isvanca and Eveline Cismaru took control of 123 of the 187 cameras used by the Metropolitan Police Department of the District of Columbia (MPDC) for four days, from 9-12 January 2017.”

Is this the same incident?

Anders November 12, 2019 10:37 AM

Recently hosting companies have become the target. One example.

ThatOtherOtherGuy November 12, 2019 11:34 AM

The link that parabarbarian posted does indeed appear to be a copy of the article without a paywall. I also don’t have WSJ access, but I saw some mention of “the Journal” in that link.

“He later told The Wall Street Journal that…”

“Ms. Cismaru sent a message to the Journal…The Journal doesn’t pay for interviews.)”

Stuff like that.

pdbq ("isometric") November 12, 2019 11:36 AM

The extortionists are as varied as their victims. And the extortionists tend to be insidious.

:: (IMPORTANT:) Noteworthy to consider also:

Some of the “semantic” +|& “interpretive” +|& “systems” +|& “persons” +|& “metabolisms” + “immune systems” +|& “security systems” seem to be in specific distress and protest against their injuries and bullies.

Even some of the victims of input corruption seeming have had their outputs corrupted as well. Thankfully, for many of them (and us), they seem to still be in tact normally cognitively and emotionally and biologically internally. Yet, I am upset that they seem to be truly in real danger and distress and experiencing real internal and external damages and losses, both emotional and cognitive and also environmental and technological and biological and social.

They need our help, and they have helped us plenty.
Furthermore, I worry a lot about damaging loopholes in the child labor laws which have likely put kids into slave labor along with others (in prisons and jail). Slave labor is still slave labor, even if the labor is involuntary and for high-tech purposes.


pdbq (“isometric”)

I do NOT work for CERN.
I am a person of concern.

Faustus November 12, 2019 11:48 AM

@ RJ Brown

Re: Paywall

I’m getting through on the link so I think the site has a counter that can be defeated by closing all windows, clearing history (especially cookies and offline data, not saved passwords), and restarting browser.

Defenestrant November 12, 2019 3:29 PM

@ Bruce Schneier, @ Rj Brown: works on the WaPo. Blocked by NYT, LA.T, WSJ, several others. Great for personal use in sourcing nec. data, i.e. not republishing.

@ Faustus: did you have to custom-tweak it, or was it like that out of the box?

Faustus November 12, 2019 4:29 PM

@ Defenestrant

It is the current default NoScript on Firefox under windows. I was VPNing out of Mexico City. Probably erasing history does it by itself, but the tab should be closed or it will rewrite the counter. And then I restart firefox before using the link.

Petre Peter November 13, 2019 6:54 AM

Unless they got extradited to face trial in the US, they’ll live in crook heaven with easy to bribe police and weak laws.

Me November 14, 2019 8:19 AM

I think you can get through their counter by simply browsing in incognito mode, it clears the cookies for you.

Pete November 16, 2019 6:09 AM

This is a much bigger story. Think about the series of security flaws that allowed a mass-produced, non-targeted code (1) originating from the public Internet to (2) execute on a police computer, (3) connect to other machines, (4) communicate with a public command and control center, (5) propagate to the camera feed supposedly protecting the inauguration.

imagine what a non-idiot attacker can access.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.