Negotiating with Ransomware Gangs

Really interesting conversation with someone who negotiates with ransomware gangs:

For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others) ­ and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination ­ almost like a cost-benefit analysis.

The arguments for rendering a ransomware payment include:

  • Payment is the least costly option;
  • Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
  • Payment can avoid being fined for losing important data;
  • Payment means not losing highly confidential information; and
  • Payment may mean not going public with the data breach.

The arguments against rendering a ransomware payment include:

  • Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
  • Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
  • Payment can do damage to a corporate brand;
  • Payment may not stop the ransomware attacker from returning;
  • If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
  • Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.

When confronted with a ransomware attack, the options all seem bleak. Pay the hackers ­ and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers ­ and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.

Posted on September 30, 2020 at 6:19 AM52 Comments


me September 30, 2020 6:55 AM

Or… get a decent backup and forget about the problem.
disk can break and people can accidentaly delete a root directory.

This doesn’t solve the theft but at least you can be sure that you can access your data.
Stealing & publishing is probably more risky for the attacker and people will probably not pay to that kind of requests

Anonymous September 30, 2020 7:16 AM

About the regulation of Bitcoin exchanges – all the major cryptocurrency exchanges today have a KYC and security measures comparable or stricter than traditional banks. Basically all cryptocurrency transactions are irreversible so the security has to be top notch. Some of the exchanges even offer bank services like issuing VISA cards or providing loans. The times when exchanges were ran by a single enthusiast on a single server are gone.
But yes, exchanges can be hacked. So can be banks.
Of course, one could buy bitcoin or other cryptocurrencies in a dark alley in case one needs it anonymously – but I don’t suppose that big companies would go that way.

jbmartin6 September 30, 2020 7:48 AM

Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime

This argument isn’t valid. Would you tell someone being mugged to hold onto their wallet because giving it up would “fund additional criminal pursuits”? The victim should just run away, they probably won’t get shot.

Michael Martin September 30, 2020 7:49 AM

We need to regulate ransomware providers, so we can check their reputations to see whether we can trust them to provide decryption.

rj September 30, 2020 7:52 AM

I guess the only VALID reason to pay ransom would be if the decryption process would be considerably faster that the restoration process — assuming you do have good backups. If you don’t have good backups then you are negligent anyway. But what if lives were at stake, and the restore time was too long to get you enterprise back up, but running decryption on each computer in parallel would be faster than a restore — fast enough to save those lives? I would still say that if your restore time is too long, so that lives could be lost, then your backup/restore process is inadequate, and you are still negligent.

parabarbarian September 30, 2020 8:22 AM

My employer was recently hit by ransomware. They even got the backups so paying was about the only option besides going out of business. Once the ransom was paid (rumor is it was about $1 million) The criminals not only provided the decryption keys but also a list of the machines they had infected and documentation on how to decrypt the files. It was quite an organized effort. They even had an email helpdesk that was, reportedly, very helpful at handling the minor difficulties.

I am a UNIX admin so was not directly involved but the reports I heard was that the decryption software worked very well. These criminals are not just a bunch of Basement Dwelling Wankers after a few bucks. They are well organized and also seem to be ahead of the so-called security experts.

Vesselin Bontchev September 30, 2020 8:35 AM

“Just restore from backups” is not always the best option. I had one case when the customer who was hit by ransomware did have backups – but still wanted to pay the ransom, because restoring would cost more (in terms of lost time and pay to people who would be doing it) than the ransom itself. Admittedly, that was years ago, before the ransomware gangs switched to hunting big companies and demanding millions in ransom.

Another thing – at least in my county (Bulgaria), there is no legit way of paying the ransom. It’s not that it is forbidden, but when the company is audited, they have to have a legitimate bill (receipt? dunno what exactly those are called in English) – well, a document justifying the expense. And the criminals aren’t going to provide that. I’ve had another case when the boss told his employees to request such bills when buying groceries at the supermarket, until the sum on those documents covered the ransom amount. I suppose one could get around this restriction by hiring a ransom negotiator and being billed by them – but those aren’t popular here; at least I don’t know of such a business here.

JB September 30, 2020 8:51 AM

Paying the ransom not only hurts everyone in the long run, it doesn’t help a bit in the short run. Because be definition, those systems and all the data on them have been compromised. So even if you pay, you get the decryption keys, they decrypt the files, you still can’t trust any of it.

The only good that can come from a ransomware attack is learning a valuable lesson in having good backups and good security.

Chelloveck September 30, 2020 9:12 AM

@JB Generally the value of the data far exceeds the value of the hardware. Salvaging the data is the important part. After than you can (figuratively) burn your data center to the ground and start over on new hardware, hopefully with better security and a better backup regimen. Or do you mean you can’t trust that the data you decrypted hasn’t been tampered with? Maybe, but the ransomers aren’t really interested in destroying your business. Quite the opposite, really. They want you to survive because you’ve already proven yourself a good “customer” of theirs! They want you to pay up the next time you’re infected. You won’t be willing to do that if they screw you out of your data this time. Repeat business is important for any entrepreneur, even the illegal ones.

M@ September 30, 2020 9:15 AM

Backups aren’t that useful against a commercial ransomware attack. The cases I’ve worked on were breached for 2+ weeks before they triggered, backups were at best compromised if not subverted, and restoring from month-old offline copies basically means liquidating the business. There have been a couple instances where it was clear the attackers weren’t commercial, and pulled the trigger moments after they breached, and we felt comfortable rolling back 6..24 hours: But those were amateurs.

Clive Robinson September 30, 2020 9:38 AM

@ me, ALL,

Or… get a decent backup and forget about the problem.

That unfortunately does not solve the problem.

Ransomware or Ex-Insider Ransom has been sort of discussed on this blog befor over the years and each time people miss the point.

1, Someone has been in your systems.
2, You have no idea howlong they have been in your systems.
3, You have no idea what they did in your systems.

Read through that twice and give it some thought, then draw up a list of things they could have done.

The first thing to consider is that they may have overwritten the BIOS or IO Flash ROM’s so they now have a backdoor into your system you can not remove.

If you think this unlikely go back and have a look at what Lenovo did a few years ago with regards puting persistant malware in the BIOS in their consumer models so that no matter how often you erased the Hard Drive their little money grubbing nasties were re-installed on your system. The method they used has been a hole in consumer and business grade computer systems for over four decades and is still there (it kind of started with the Apple I and by the Apple ][ it was fully developed and the IBM skunkworks team effectively stole the idea and put it in the PC where the hole still is). But If you want to see what happens to your sanity when such persistance happens go back and look at BadBIOS and what it brought down on Dragos Ruiu’s head was somewhat unfair, and I note few have offered any apology[1] (the lesson of which is evrn technical journalists can not be trusted so avoid talking to them).

But whilst they are trapsing around your systems what else could they do?

How about modifing your backup software so that the backup tapes are encrypted?

There are ways to do this which I won’t go into in depth but[2] what they can do is transparently to you at the “driver level” or “Firmware level” put in the software equivalent of an Inline Media Encryptor(IME have a look at the NSA for the specs on the ones they make).

To your computer every thing looks absolutely fine as the IME transparently encrypts when you write to, or transparently decrypts when you read from the tape drive (or lower if they have got into the backup device firmware). As long as the IME has the correct key it would take a very suspicious or lucky person to spot what has happened.

It’s only when the key for the backup device is zeroed along with the key for the harddrive does the ugly truth come to the light of day by which time it’s well and truely “game over insert another quater to continue”… Only it’s not a quater unless you are talking ofca quater of a million dollars for a large organisation or 2500 for a SOHO or home user…

[1] Dragos Ruiu had a problem that was driving him nuts, it was persistent malware he could not explain. He had seen a whole bunch of things that were not explainable by what he knew. The mistake he made was to talk to a journalist about what he was observing and some hypotheses he had yet to test.

As it turns out I like one or two other engineers could explain nearly all he thought he had seen from work we had done a quater of a century before to network computers up by sound, as back then the hardware even to do the likes of SLIP was eye wateringly expensive compared to the price of the nascent PDA’s like the PSION Organiser (of which I’ve subsequently found I still have the prototype hardware from developing a working acoustic network).

The knowledge I had, was why I was able to knock up fairly quickly a prototype one weekend using the ROM socket on an old 16bit AT card which I discussed on this blog. However the neigh sayers still made claims it was not possible… Then a little while later two university students did a similar thing with two laptops in a corridor and published it… Now we have apps using the same technique via malware in apps to surveil people as they go shopping[2]…

[2] Hence my increasing reluctance to talk about the research I do creating new security vulnerabilities and consequently the defences to combat them.

Etienne September 30, 2020 11:20 AM

I remember the military ordering all firewalls removed inside the LAN’s. Many were maintaining their own firewalls to maintain some span of control, but the whole network was laid open like a fresh cadaver.

“The VLAN’s will protect us”

…as some low-ranking Okie started downloading everything to CD and giving it away for free to Wikileaks.

“Ya gotta be smarter than an Okie” – Bumper Sticker at West Point

Warranty Void September 30, 2020 11:57 AM

Even among security professionals there is a staggering display of arrogance and ignorance surrounding ransomware.

“Have good backups” <- The bad guy will delete any hot backups after they have domain admin. The backup processes you have probably won’t look as good in retrospect
“Paying for decryption is quicker…recovery” <- The ransomware decryption utilities are not always reliable enterprise products designed for ease of use. You still need to decrypt hundreds or thousands of machines, that are at best still vulnerable and at worse still actively compromised upon decryption
“people who pay are … bad … evil … dirty … something something external costs… something something tragedy of the commons” -> Spotted the arm chair infosec pontificator who isn’t in the hot seat for real-world decisions. Imagine what you would do if yourself and 5000 co-wokers are facing permanent unemployment.
“can’t happen to me because … magic unicorn fairy dust” <- Somebody hasn’t seen the results of a recent full scope penetration test. Interested in buying a NYC area bridge by chance?

(I’m an IR Consultant who has worked on the recovery of multiple post intrusion ransomware incidents)

Rodney B September 30, 2020 2:46 PM

These are very compelling arguments, but the first one on the list to me is enough if it’s true. The last argument against, “Using Bitcoin to pay a ransomware attacker can put organizations at risk” can actually be prevented. Although, if a company is smart enough to protect Bitcoin transactions, they likely had guarded against ransomware attacks.

Jason September 30, 2020 3:24 PM

I suppose in defense of paying, the ransomware attackers have an enormous incentive to be as helpful as possible once paid.

The simplest way to stop ransomware may be the same as the way airline hijacking was rendered significantly less effective 19 years ago.

Launch a large series of high profile ransomware attacks and do not provide valid decryption keys after getting the money.

If you arent likely to get your data back after an attack there is no incentive to pay. Just like these days air line hijackers will likely be viciously attacked by passengers and crew rayhrr than complied with because we saw spectacularly what happens when you dont on 9/11 after they broke the implicit r I les of hijacking.

Im not advocating for doing it, but while the ransomware guys honour their word when paid and release the hostage people will pay as the least painful option.

SpaceLifeForm September 30, 2020 5:06 PM

If an org was to pay the ransom, I would recommend:

Open bank account specifically for the purpose.

Put the money into that account.

Buy the bitcoin via that account.

Pay the ransom only via bitcoin.

At least, this way there is a paper trail and a Blockchain trail.

It’s probably the only way to catch the crooks.

Pay X when X+Y is laundered.

another me September 30, 2020 10:18 PM

I’ve seen other businesses use custom built malware, delete the customer database of a competitor, after copying it (though not well in some instances, and the data is sometimes recoverable).

If you are backing up and using removable drives (tape drives for example), I’d check you actually have tapes or disks in the backup caddies. Backing up will be really fast without anything to backup to, but there is only so many times you get a laugh at realizing a business has been backing up to the void for the last decade.

How about isolating the database and entering the customer details manually to it, keeping it offline? Keep the email system separate. You will still have humans in the loop though, most of them are idiots, and herein lays the conundrum. Disable all the USB ports. They will still probably get spearphished.

Teaching security would be a good idea at work, at school, but people have been saying that for decades. Maybe ransomware may be the kick up behind for an ever increasingly complicated world. You could not pay, break the ransomware business model. Governments are only just looking at securing their systems, businesses now have some incentive to consider doing the same.

Saying that, I know people that have been stalked by serial killers their entire life and still don’t take security seriously. Which is funny, because the police don’t take it seriously either.

Ross October 1, 2020 3:47 AM

Like any successful parasite, Ransomware hackers have learned to balance their gains against destroying their “hosts”. It doesn’t make sense for them to disable their victims, or anger them to the point of trying to pursue the attackers.
The other reason in favor of paying the ransom is that even if you can restore your data on your own, the hackers may have a copy of it to use against you. Even if the business is completely consistent in it’s operations, there still may be intellectual property that would be damaging if release publicly.

Cyber Hodza October 1, 2020 4:44 AM

It is a nature way of making sure your immune system stays healthy by fighting constant outside threats

Ergo Sum October 1, 2020 4:57 AM

@another me…

Teaching security would be a good idea at work, at school, but people have been saying that for decades.

Second that…

If education of the endusers would be a viable option, it would have worked after decades of trying. Is that cause of the failure the teachers, or the students? It’s either both, or neither, depending on your point of view on the subject.

Neither education, nor the suggested methods of preventing ransomware addressing the underlying cause of spreading the ransomware. The lack of security in the current operating systems and software in general are the culprit.

As someone has quoted in previous blog’s comment:

“Failure is not an option, it comes bundled with Windows 10.”

Replace Windows with any other OS/software, no need to be prejudiced.

Until the underlying OS/software is secure by design, there’s little reason to believe that malware spreads will be under control anytime soon. Especially, when state actors have vested interest to keep it this way…

Anders October 1, 2020 6:41 AM


I know personally that some banks have special bitcoin
account in case of ransomware attack. They want to resolve
the incident as quick as possible and without any
publicity, including hiding it from banking supervision.
So they just pay.

Anders October 1, 2020 8:14 AM

@Vesselin Bontchev

I’m suprised with your customer.
I call this just a bad risk management.

Ransomware is not the only thing that can bring data loss.
There’s also file deleting malware, hardware (HDD) failure,
(updated) drivers that slowly corrupts data, accidental deletion
of data, accidental overwrite of data etc etc etc.
Yes, some of them have smaller impact, affecting only
some servers or workstations, but then again, sometimes
ransomware has also limited impact. And i guess you know
how KillDisk was used in Ukraine and how it spread like
wildfire, yes?

Sorry, but each organization must think of worst case scenario –
all of its computers are infected and needed to restore, from
scratch. It’s doable, with modern tools, fast. Maersk incident
is an excellent example of that. All must learn from them.

Jesse Thompson October 1, 2020 12:31 PM

I am actually kind of mystified why Dead Drop style backups aren’t more common.

  1. Backup system is connected through one Ethernet port with absolutely all ports locked down but one: the file upload backup port. For me “locked down” means firewalled at that VLAN via L3 switch, plus tcpd on the backup server blocking access to all ports but the one, PLUS no services listening on any other ports to begin with.
  2. The file upload service I do allow is FTP/S, but all that matters about the protocol is that the server allows caller to upload a file but does not honor any read requests. ANY. No file listings, no change of directory allowed, nada.
  3. Uploaded files get timestamped and moved out of the upload directory so that uploading the same file again won’t cause any trouble.
  4. No form of SSH or remote access is reachable on this port. Server has internal cron processes to sweep and purge (and possibly time-thin) timestamped backup files.
  5. Iff you need to acquire backups or test backups (we do this quarterly) or need to perform heavily vetted software upgrades on the backup system, you first disconnect its backup ethernet port so that it is completely offline. Next you re-image an airgapped laptop (has had wireless M.2 card removed since it was unboxed) from an airgapped image repo and plug that laptop into the backup server’s second Ethernet port which actually allows remote administration (just SSH, for me) and ability to read out files (SFTP/SCP over that same SSH channel).
  6. To perform backup restore, I get the needed files onto laptop’s hard drive, pull laptop’s harddrive, and then plug that into the live network and plug a blank drive into the laptop for later offline re-imaging. So data gets physically ferried from backup server to network, with no option of any data flowing in the opposite direction.

Thus, at no point in this process does the backup server have more than a knife’s edge attack surface for intruders to try to assail it with ransomware. Uploading backups via FTP/S and allowing no readback also makes it orders of magnitude harder to eavesdrop on backup contents for further nefarious analysis.

Yes, in principal they could start compromising offered backups weeks in advance, but then the likelihood this would get detected during a quarterly test is pretty decent.

But it also helps for the clean backup server to be able to run automated, offline validity checks on the submitted files. “Is this tjz? can I unbzip and untar it? Do the resulting files have sane file headers? For document types I understand, can I parse them? Whether I understand the filetypes or not, do file contents fail a χ2 test?”

Then Backup server can protest about errors by refusing to accept new backups which trigger alarms both at calling servers trying to push backups and at network usage logs that stop showing large file transfers when those should be happening. Problems can be investigated at leisure via afore-mentioned airgapped laptop.

Yes, they could try to infect the vetted offline upgrade process but that’s a slalom race opening that’s only rarely available for attack and faces far greater scrutiny than four-times-daily automated backups do.

Yes, they could try to attack the file upload channel, but that leads me back to why I’m so confused that this isn’t a more popular practice.

I think what mystifies me most is that I’ve never seen a file transfer protocol dedicated to the dead drop pattern. I always have to hoop something together myself (so far that’s lobotomizing an instance of vsftpd), which is never going to be technically as secure as if the likes of DJB were involved in vetting a well known protocol bespoke to this purpose.

Anywho, this is what I came up with after A> reading about the fall of the Hacker Team, and B> assisting one of our consulting clients who did get hit with a cryptolocker, who did have decent backups but those were handled over simple NFS.

So what are your thoughts? Am I missing some trick that makes this pattern less popular than it is? While I know it involves a non-zero amount of elbow grease to set up and a dollop more to maintain over time, it doesn’t feel like much more work than the tape backups I remember having to do at multiple firms throughout the 90s.

Arclight October 1, 2020 1:21 PM

As a storage engineer, I can say confidently that a lot of these ransomware schemes are easily recoverable if the customer has a combination of backups (ideally some off-line) and storage snapshots. Modern disk array file systems like ZFS and Netapp WAFL (now clustered) are capable or keeping literally hundreds of hourly/daily/weekly/monthly file system snapshots online, and they can be instantly mounted read-only or restored over the current version. Servers and workstations can be bare-metal re-provisioned if the infrastructure is in place, especially if we’re talking about a thin-client environment with a small number of “terminal services” systems that feed them.

Backup and storage systems should always be administered with credentials and security schemes that are kept separate from the standard active directory or other user-space authentication. A concept that is getting popular with backup storage vendors now is a “2-man” rule, where you cannot delete backups from a system without first calling support, getting 2 parties from your org involved and then waiting 48 hours or so.

As others have stated, you really DON’T want the data back, as you have no idea about its integrity or what has been left behind for future use.


Sofakinbd October 1, 2020 2:49 PM


You have:
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others) ­ and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination ­ almost like a cost-benefit analysis.

Brian Krebs seems to disagree with your assessment:
Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

Treasury Office of Foreign Assets Control:
In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

  • Sofa

SpaceLifeForm October 1, 2020 4:38 PM

@ Anders, Vesselin Bontchev

Maersk got lucky. One of their AD Servers was down due to a power failure.

That was how they were able to recover as quickly as they did.


Anders October 1, 2020 6:01 PM


I guess the total recovery time would still be the
same regardless whether they had the AD backup and
no single working AD or had that one survived real
server and no backup.
10 days, 4,000 servers and 45,000 PCs rebuilt. Every
company must try to repeat this achievement and even
improve it. Next similar incident is around the corner.

SpaceLifeForm October 1, 2020 6:33 PM

@ Sofakinbd, Clive

Of course, an org should contact FBI before they pay the ransom.

But, consider that the hackers may not be foreign in the first place.

The advisory seems to be spinning a tale, that the only ransomware hackers you have to be concerned about are foreign.

Clive Robinson October 1, 2020 11:48 PM

@ Jesse Thompson,

But it also helps for the clean backup server to be able to run automated, offline validity checks on the submitted files

I use a file format integrity check system as part of an “energy gap” crossing system as I’ve mentioned before.

For low complexity protocols such as ASCII not binary files things can be fast enough to do them in real time.

The problem is certain major corporations have used file protocols as “weapons of war” in the “user lock in” game for more than three decades now.

Such protocols are not designed to be robust infact the opposite is usually true.

Thus there are limits on this.

That said the basic ASCII file formats such as CSV are good for transfering “data” but not “pretty printing” formatting which can require an entire programing language (Postscript and PDF files are technically “stack based”programing language source files). So as I always want the data not the pretty printing ASCII file formays from my point of view is advantageous.

But data is becoming more complex and some documents have data encoded into the positioning of blocks of text etc. For a simple argument list with pros in the left half of the page and cons in the right is very easy for a human to process, but as for protocol recognition is concerned it passes by as it’s at a higher level. Thus something like “markdown” conveys meaning whilst staying effectively hidden in the text and potential can go missing in lower level format translation.

So the process can sometimes be difficult.

Clive Robinson October 2, 2020 3:58 AM

@ Another me, Ergo Sum,

Teaching security would be a good idea at work, at school, but people have been saying that for decades.

Our host @Bruce Schneier, identified that there is a conflict between security and getting work done. It’s a variation on “Security-v-Efficiency” and the problem originates with managment and the rot very quickly spreads downwards.

Put simply Security has an upfront cost in resources that will like all defence spending never show a return on investment[1]. However those same resources spent on improving process throughput etc show an almost immediate and measurable return on investment (assuming customers exist for the process output).

Peoples remuneration is mostly measured by “productivity” which is a form of over optomised efficiency. Thus security appears to them as anti-productivity, or anti-remuneration…

Untill peoples efforts are measured in some other manner than “productivity/efficiency” then security will at best get payed lip-service.

[1] Justifing defence spending is always difficult. Put simply you never know if you have spent to much, but often you will find out when you’ve spent to little, because down the road you get attacked[2].

[2] When people get attacked often does not appear related to anything, which is one of the reasons “best practice” is frequently a compleate joke. The reason for the apparent lack of relation can be put down to a couple of things,

1, It’s a very target rich environment, so when you get attacked appears almost random.

2, The attacker could spend days or months once inside your defences mapping out the “lay of the land” and evaluating what is and is not worth stealing prior to deciding you are only worth a ransom[3].

[3] Intruders into systems have been slow on the uptake on how to monetize their skills, and to be frank they have been fairly lousy at it over the past quater century. As we can see things have only moved on a little bit since “bot-nets and CC-numbers” were the way. When you think about it “Ransomware” is not realy that much better. However it is “easy if risky work that pays”. Those more advanced in the arts of the likes of APT, know that the information you can obtain is far far more valuable. The French Government have for more than half a century regarded industrial espionage as way way cheaper than R&D, and have stated so publicly.

So it’s not unreasonable to think many other countries with the capability would likewise “gain an edge” with some others going for a litle income as a side line…

Clive Robinson October 2, 2020 4:22 AM

@ SpaceLifeForm, ALL,

The advisory seems to be spinning a tale, that the only ransomware hackers you have to be concerned about are foreign.

Whilst the “noisy ones” have been mainly originated from a place abroad, that may be for legal or other reasons.

If you have a think about it there are places in the world to launch mal / ransomware from and receive payments to that in effect get you considerable protection.

Thus it’s best to look like you are operating from there one way or another.

It is after all not to dificult to set up a small computer to act as a gatway to the Internet and connect to it via a POTS line “dial up” or over a radio link. Very cheap in resources to the point of being “change from 100 bucks”.

The point is you do not require anything more than a 300baud (30cps) serial TTY line to not just control it but pick up and receive / send email to and view with an old Command Line mail client.

Such hardware could be put anywhere and be effectively out of site. Your real issues are,

1, power to the unit.
2, Control link to the unit.

Neither of which are terribly difficult to do.

After all it’s known that in North Korea people have used cell phones to get Internet service from China. Likewise people on holiday in Europe have in the past discovered that whilst being in one country they had low cost roming charges to, their phone actually connected to an adjacent countries cell service and they got hit with big charges on their return.

Quite a few “day boat sailers” no they can have Email and limited Internet connectivity by HF radio for a fee. However there are Amature Radio operators who do it for free and get connectivity from the US to the middle of Europe etc.

And now many amatures (and others) have if they wish to use it connectivity via a geo-stationary satellite (QO-100 Es’hai) across a quater of the globe covering africa most of Europe and into Asia…

We know from “drug lords” behaviour in South America “pirating satellites” especially US Navy ones is something they more than have the capability for. So it’s reasonable to assume that the more technically sophisticated can do the same.

Which of course brings up “The question of deniability”, as I mentioned in my previous post various nations are known to steal IP as a matter of buisness, and one might also assume that the might consider “Ransomware” as a “strategic tool” for embarasing other nations via their leading companies. We’ve seen a number of ex-Russian states suffer from “mysterious” infrastructure attacks, likewise Saudi Arabia, and I assume one or two others.

But at the end of the day the most vulnerable nations to these sorts of attack are Western Nations that significantly use the Internet as an “economic enabler” one of the most prominent being the USA which has spent more time on “offense” thsn it has “defence” over the past decade or so…

Something that politicians should think about is the old saying “Those who live in glass houses should not throw stones”.

At the end of the day a goat herder in the hills of Afghanistan is going to be uneffected by the loss of the Internet, likewise his customers and their customers and most others in Afghanistan. Even a minor blip in logistics in Western Countries can bring chaos to food and other short term supplies. Most logistics these days are carried out across the Internet. Where as back a quater of a century ago and before it was mainly done by faxes and in the 50’s through 80’s the Telex network.

Few realise that infact many telecommunications suppliers now carry much of their voice traffic on exactly the same physical IP based networks they carry data on that gives us the Internet to our homes, shops, offices and factories…

Clive Robinson October 2, 2020 4:40 AM

@ Sofakinbd,

Brian Krebs seems to disagree with your assessment

It all hinges on what you do and do not know, or more precisely “intent” that can be demonstrated by a prosecutor.

Many data owners have chosen not to pay the ransom and have instead gone to small “data recovery experts” who will recover it if they can, but then often subcontract the work out often in other countries to other recovery experts…

Which means in some cases the subcontractor pays the ransom as the fastest way to recover the data and get payed.

The original data owner has no idea that this has been done, what they are aware of however is the fees at a substantial amount more than the original ransom demand.

It falls under what many governments chose to call “Plausable Deniability” and at the end of the day there is little or no point chasing the data owner as in effect they have no proof that they or even the data recovery service they used were complicit in “paying”.

Oh and in some cases it’s not even the data owners that contract to the data recovery service but their insurance providers, who want to minimize their payout.

José-Antonio SANCHEZ-VEGA October 2, 2020 8:23 AM

For those reading french, read the ransomware guide written by ANSSI (French National Information Security Agency):

Very briefly, the suggested prevention measures are:
– Backup your data
– Keep your systems and apps updated
– Use an updated anti-malware
– Segment your network
– Limit privileges to your users and applications (strict need-to-know approach)
– Know your Internet accesses
– Monitor your logs
– Evaluate if you need to get cyberattack insurance
– Shape a cyber-crisis communication policy

And also some suggestions on how to manage very first hours:
– Set a log of all your remediation activities
– Unplug backup drives as soon as you verify they’re not infected
– Isolate infected systems (unplug them from wired and WiFi networks)
– Isolate your systems from Internet, so attackers cannot reach infected ones anymore. Potential data exfiltration will also be avoided so. Manage exceptions in a case-by-case basis
– Look for IoC in the logs and set-up filters at network layer (firewalls, IPS, WAF, mail gateway, …)
– Do not power-off infected systems, do better put systems on-hold / frozen so memory is kept (could be useful later)
– Do not power-on any system that was powered-off at the time of the attack
– Forbid using removable storage devices, USB, external hard-drives, …
– Keep copy of the encrypted files as there’ll may be a method to decrypt in the future
– Have a look to “No More Ransom” web site

… and much more in this great document.

Anders October 2, 2020 9:12 AM


You forget one thing – operating on HAM bands you can’t
use any encryption. Everything must be plain text and readable.
Otherwise you get into trouble with authorities fast and
they revoke your license, if you are lucky. In more repressive
countries you can get into a LOT more trouble.
So you must consider – when you send or read email – everyone
sees it.

Even SSTV was problematic here in the beginning. Authorities
couldn’t read/interpret it and thought it for some special
kind of encryption – so you are SPY!

Anders, HAM.

Clive Robinson October 2, 2020 11:07 AM

@ Anders,

You forget one thing – operating on HAM bands you can’t use any encryption.

Has always been a bit of a joke outside of war time. And theoretically and in practice with the use of “One time phrases” is impossible to recognize let alone stop.

But the same is true even for what is recognizable as “message obscurity”. Put simply it’s not as easy as people think to monitor Ham Operation and it’s very expensive to do so.

With so much experimentation in digital modes it becomes effectively impossible, anyway.

As was seen recently in the US a provider of “email services” uses a propriety system that has the same effect on transmitted and recieved signals as encryption. The FCC has chosen to look the other way despite a valid complaint.

In the UK the regulator OfCom admits it nolonger monitors the bands, which is why when the “power to the plate” is limited to 400W quite a few amateurs are runing linear amplifiers for the US and Russian markets that can easily exceed 2kW. I’ve also built HF equipment in the 5kW range for “commercial broadcast” uses that has turned up second hand and been purchased by amateurs.

As far as I’m aware OfCom is aware of this and has chosen not to do anything about it. That is, if it does not cause significant interference then it does not get investigated…

But think a little more on amateur satelites QO-100 uses 2.5GHz up and 10GHz down both of those frrquencies are “highly directional” and pointing at a patch of sky over the equator over Africa.

Many such satellites are actually “transponders” not “repeaters” which means what ever appears in the input bandwidth appears in the output bandwidth. Thus almost any transmission mode will go through them.

Thus a “Direct Sequence Spread Spectrum”(DSSS) or “Frequency Hopping Spread Spectrum”(FHSS) or similar “Low Probability of Intercept”(LPI) signal will get transposed through them. Get the spreading signal and power right, and you will have very secure communications that few others will ever see let alone find the source or destination for.

I know for a fact that a number of amateurs are experimenting with very narrow band modes similar to JS8 that work well as LPI communications methods.

Thus the question of “legal or not”, realy does not matter when it can not be detected in use and the intended use is for illegal activities any way.

With technical crime, the difference between “in theory” and “in practice” is probably at it’s widest when talking about what is legal or not.

Anders October 3, 2020 4:46 AM


“In the UK the regulator OfCom admits it nolonger monitors the bands,”

Do you have any link where they openly admit that?

Here in ES region things are little bit different…lot of
HAM’s are older and still remember how KGB monitored them.

“As contacts with the “capitalist world” were definitely a constant “ideological threat” to the Soviet ideology and propaganda machine, then hams in the USSR were quite closely followed and checked. So it happened that some innocent remarks or a certain on-air acquaintance could serve for more serious consequences and not so very pleasant meetings with KGB or similar institutions. Single cases are known when an Estonian ham had to spend certain time in jail because of too close relationships with the world outside.”

FA October 3, 2020 6:41 AM


Get the spreading signal and power right, and you will have very secure communications that few others will ever see let alone find the source or destination for.

Indeed. Linear transponders are a real ‘invitation to abuse’. But for a platform that should support experimentation with arbitary new waveforms they are more or less the only option.

But you don’t need a transcontinental link to hide your ‘remote computer with internet access’.

For someone ‘knowing the art’ it has probably never been so easy as today to set up a covert, low bit rate (just enough to use a text terminal) radio data link over a distance that’s long enough to be an effective cut-out, and that’s all you need.

There is now so much QRM on the HF bands that anything that looks like coming from a switched-mode power supply or flat-panel TV will probably be blissfully ignored by whoever is monitoring the bands.

On UHF, one option is to hide a DSSS signal below a digital radio or TV broadcast signal. You could even use the broadcast signal itself as a carrier.
Digital broadcast systems typically use some form of OFDM which provides resistance against multipath. So receive the original signal, modulate it in some way, and retransmit it at low power. With the right form of modulation it will just look like one more random echo. A normal receiver won’t be affected, but one knowing how to look can isolate your signal and recover the data. Combine with directional antennas and you could set up a point-to-point link that with high probability would remain unnoticed even by dedicated monitoring, as it doesn’t cause any interference to start with.

Clive Robinson October 3, 2020 8:19 AM

@ Anders,

Do you have any link where they openly admit that?

I actually posted a link to it a week or so back.

A senior at OfCom sent a letter to the Radio Society of Great Britain (RSGB) over the issues of the use of broadband equipment being put into use in the UK that should “never have gone on the market” (it’s certification was presumably fraudulant by BT and others).

For political reasons OfCom and the individual in question were sitting on a report that showed that the equipment BT Openreach was installing was failing and causing not just significan Radio Frequency Interferance(RFI) but was also very susceptable to interference from other devices.

It’s the same equipment Openreach installed in that Welsh Village that lost internet connectivity at 7AM when a man turned on his television.

Clive Robinson October 3, 2020 9:04 AM

@ FA,

But you don’t need a transcontinental link to hide your ‘remote computer with internet access’.

From a technical point of view no… But the equipment is relatively inexpensive and available from many sources. And if found in your possession is not in the slightest suspicious. Because many amateurs have exactly the same equipment, appart from the “spreading” mechanism which for FHSS can be entirely software in origin using any one of many “Software Defined Radio”SDR devices and a Raspberry Pi etc.

And that’s the point if you do not get “caught in the act” one press of the reset button and decent “memory test” on boot up and the evidence is gone…

But from the legal side being a half continent away alows much in the way of deniability and if you set things up right will send an alarm the moment somebody approaches or disturbs the equipment. Thus being across a national boundry gives you quite a bit of insulation from investigation. Being in one of very many would need specialised investigatory equipment and techniques, most of which would not be available to Law Enforcment Agencies and only maybe one or two National SigInt agencies. Such SigInt agencies have upto now shown little interest in getting involved with such investigations except where they have “Political Advantage” such as the US current political favourit of their four Orwellian “distant propaganda enemies” ie China, Iran, North Korea, Russia.

For someone ‘knowing the art’ it has probably never been so easy as today to set up a covert, low bit rate (just enough to use a text terminal) radio data link over a distance that’s long enough to be an effective cut-out, and that’s all you need.

Well it depends on how cautious you are in the past I had involvment with “Pirate Radio” and it was not unknown to use a “Band I” low VHF FM transmitter in the old 405line TV frequencies to link to the actuall “Band II” FM band.

The downside of Band I was it was possible to DF it at ground level and back in the days the UK DTI did do so. What they could not DF was 11GHz wide band FM links that could be made with the Doppler radar units used in burgler alarms and for traffic lights and satellite TV receivers.

Thus Two RF links were used. However in Northern Ireland as home Broadband became readily available the “studio” was linked over the Internet from the North to the South and back again and then “up the mountain” via VHF and Microwave links.

The funny thing about it was that those doing this actually worked as “engineers” for Sky Television. Oh and atleast one went to work at OfCom…

With regards,

On UHF, one option is to hide a DSSS signal below a digital radio or TV broadcast signal.

At one point this was known as “White Space” signalling and way back in the last century I was involved with looking into it. One result was with the old analogue vestigial AM system you could hide a fairly powerfull Spread Spectrum transmitter actually in the TV channel and not effect the TV. On advantage of doing so was that it had little or no effect on “Long Distance” and “Poor Coverage Area” reception which was a real issue back in the 1970’s and 80’s.

As they say “happy and exiting times” sadly though some of those involved even though younger than I am are nolonger with us.

Anders October 3, 2020 9:19 AM


“I actually posted a link to it a week or so back.”

Considering that posts here are deleted intermittently
please post it again. I want to share this among ES hams.

Also, do you know any more active and working
internet-over-HAM bands projects besides the ?

FA October 3, 2020 11:41 AM


The funny thing about it was that those doing this actually worked as “engineers” for Sky Television. Oh and atleast one went to work at OfCom…

Which reminds me of something related…

Many years ago, a full-page advertisement apparently from the BBC looking for HF engineers, appeared in the April issue of Wireless World. It even included a picture of a Range Rover driving up to an antenna tower visible in the distance.

It turned out to be a hoax. What I don’t remember is who or what was behind it. Do you have any memories of this ?


c1ue October 3, 2020 2:53 PM

It is clear which commenters have actually dealt with real world ransomware vs. armchair quarterbacks.
Government prosecution for paying ransom – idiotic also. Attribution is incredibly unreliable for online crime – prosecuting a company for paying a ransom just adds a new TTP to the attacker’s arsenal: pay us or we’ll say you paid North Korea or Iran.
What deters attackers isn’t the lack of ransoms – because there will never be a lack.
What deters attackers is successful prosecution. So hop to it!

Clive Robinson October 3, 2020 4:17 PM

@ FA,

Many years ago, a full-page advertisement apparently from the BBC looking for HF engineers, appeared in the April issue of Wireless World

I’m assuming it was an “April Fool” joke, but no I don’t remember it.

That said not all “BBC HF Engineers” were employed by the BBC. Some were “emoloyed through the BBC” they were in effect employed through the Diplomatic Wireless Service(DWS) out of various places including Poundon Bucks for training etc. The DWS were the follow on from MI8 and also did stuff for SiS/MI6. When the DWS got “reorganized” they ended up at Hanslope Park which was reputed to be the MI6 “technical” center, though it did become their main computer site for sometime.

Basically many of those “World Service” HF transmitters saw double duty, carrying programs for the World Service then more interesting “numbers” and other style services on different frequencies for the FCO and SiS (look up “Lincolnshire Poacher” and “Cherry Ripe” histories).

Satellites and Government cut backs saw the DWS shrink and the need for the BBC World Service transmitters fall. The net effect was that in many respects those transmitters and those engineers became “superfluous to requirments…

If you want to know a bit more,

SpaceLifeForm October 4, 2020 1:27 AM

@ c1ue, Clive

“What deters attackers is successful prosecution. So hop to it!”

Let’s say I am in US, and my business gets attacked.
But they leave some fingerprints, and I trace them back to

Optikov street, 4, building 3, Lakhta-2 business center, Lakhta, Saint Petersburg

No way to prosecute.

Even if I have names, faces, logs.

No extradition.

Anders October 4, 2020 6:43 AM


You can always buy Novichok from the black
market and hire someone to put it on their
doorknob at that address 🙂

c1ue October 4, 2020 4:16 PM

Sadly, you clearly don’t understand that Russia can and has cooperated with the US to prosecute hackers.
Not all hackers, but then, the same can be said for the US and its recruitment into cyber warfare corps.
The notion that Russia is a haven for the cyber criminal is nonsense; the majority of the so-called Russian gangs are actually Eastern European: Ukraine, Moldova, Romania, etc.

Clive Robinson October 4, 2020 8:42 PM

@ c1ue, SpaceLifeForm,

The notion that Russia is a haven for the cyber criminal is nonsense

Both yes and no.

The Russian legal and due process systems are not what many would hope for (but just recently the same could be said of the US and UK).

In the specific case @SpaceLifeForm gives the address of a well know organidation (the so called “Internet Research Agency”).

What went on there by who and for whom and why was sufficiently common knowledge that it had been published by journalists long before it became “infamous” with regards US Politics.

In essence, a minor Russian oligarch was trying to curry favour with President Putin, in an extrodinarily ham fisted way, and effectively “on the cheap” and had been doing so for some time.

Simple basic journalistic leg work had found out most of what was to be known long before the US MSM started to take interest.

But that said just a few hundred yards from where I live, a Russian was “suicided” in his home by whom is not in the public domain but who benifited from it is in little doubt as he was due to appear in a UK court on the morning he was found murdered.

He was one of a quite significant number of Russian’s who have died unexprctedly in the UK and the UK authorities under then Prime Minister Mrs May did less than nothing in stopping them.

One issue with Russian originated actions is you never know what involvment others have. Put simply power is by patronage, and this not only has a high degree of deniability it also attracts significant numbers of “chancers” looking to rise within such a system.

There are three basic outcomes for chancers after they carry out an action,

1, They get an advancment.
2, Their action is tolerated.
3, They get sanctioned in some way.

The thing is whilst there is many actions there appear to be very few sanctions. In fact the few sanctions appear only to happen to those who were simply enriching themselves not in any way seeking favour. Also where they did not “pay their dues” to others.

Back in the early 1990’s I had reason to take a significant interest in the more unplesant side of “Russian Business Practices” and my advice to those that were paying me at the time was “stay well clear” advice that they followed.

The price others paid for getting involved in one case was being savaged to death by dogs… Which is light compared to the fate of some others.

Russia is still not a place I would do business with directly, however through the right intermediaries business is possible but still carries significant risks.

MarkH October 5, 2020 4:45 AM


“Eastern European” is a pretty fuzzy term, but commonly refers to territories including European Russia … so the vast majority of Russia’s population and organizations are Eastern European.

It’s plain that Russian-speaking cybercriminals are operating in other states which belonged to the communist bloc. If you have data on breakdowns by country, I’d be interested to take a look.

Russia can and has cooperated with the US to prosecute hackers.

When? How many? Any references to cite? I don’t recall such a case, but I might easily have missed it.

If such cooperation is Russian policy, then somebody didn’t get the memo:

(Note: after some seconds, the article was blocked by a sort of overlay message. I found it helpful to click the browser cancel button as soon as the article loaded.)

The Wall Street Journal article, from 11 months ago, describes extraordinary actions the Russian government has been taking to shield Russian cybercrime suspects from extradition to the U.S.

The Russian tactics include arresting nationals of the “third country” which arrested the suspect, in order to pressure that state into a prisoner exchange; and fraudulent extradition requests to send the suspect back to Russia.

Cooperation? Perhaps Russian cooperation is to ordinary cooperation, as Russian roulette is to ordinary roulette.


PS to SpaceLifeForm: I passed through Lakhta a couple of times, but didn’t get as far as Optikov street. I had little interest in this drab neighborhood consisting (as far as I could see) of purely post-war development.

It’s now home to the tallest skyscraper on the European continent; that project was just breaking ground when I was last there.

SpaceLifeForm October 5, 2020 5:17 PM

@ c1ue, Clive, MarkH

“Sadly, you clearly don’t understand that Russia can and has cooperated with the US to prosecute hackers.”

Actually, I do understand.

Thanks for playing.

They will entertain spy swap.

From 2019-11-06.


“Russia has never extradited one of its citizens to face computer crime charges abroad.”

MarkH October 6, 2020 3:00 AM


Well done, to provide a citation.


What say you, c1ue? Have you a source to the contrary?

Or perhaps you have in mind other kinds of cooperation, short of surrendering Russian nationals for prosecution?

I’m not dogmatic, I’ll take a look at any sourced information.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.