110 comments

[ 3.4 ms ] story [ 171 ms ] thread
> Welcome to the new ransomware economy, where hackers have a reputation to consider.

It's not new for organized crime to consider its reputation.

In fact you could argue that organized crime exists solely based on its reputation, and I would certainly argue that for CryptoWall. If nobody trusted that paying them would work, they would lose virtually all reason to do what they do.

I'm not going to defend digital extortion, but it exists because people pay it, and articles like this are part of the problem by making it known to Googlers that paying works.

It's complicated and I think we should think hard about where where we point fingers if we want to fix this.

I don't see any complications or deep thinking required before pointing fingers. It's the criminals who are to blame.

No amount of educating end users will magically fix these kind of attacks, whether or not people write articles about their ransom payments.

I beg to disagree. If you effectively made everyone realize that not paying utterly destroys the extortionist's business model, that does "magically fix these kinds of attacks" overnight. Not that I'm saying educating people about this is practical or even possible.

One thing that I think is destructive though is "blaming the criminals", since a) we don't even know who they are, b) their business model depends entirely on them being promoted as a legitimate threat you can pay to fix, and c) blaming them distracts from finding a real solution.

Since, as you say, educating everyone is not possible, you can't destroy the business model. So let's keep the 'magical fixes' out of the discussion.

How does blaming the criminals distract from finding a real solution? (You haven't yet even suggested a viable solution that we could be distracted from)

While I agree with the essence of your message, it is flawed only because of free will. When given the opportunity an individual will usually think selfishly even in regard to a larger system. Isn't this the basis for "game theory"? Everyone individually thinks they can squeak by, get a little bit of an advantage, pay off the extortionists, no harm done right?

Or in another example, if nobody took a job for a shitty company there would be no shitty companies right? So why are people taking shitty company jobs?

I'll have to find the article later, but I read somewhere that about 1.7% of victims actually ended up paying money to the original cryptolocker guys, yet this seems to be enough to keep them in business. For your plan to work, you would need pretty much 100% compliance, which simply isn't going to happen.
This may sound cliche, but ransomeware truly is plaguing the nation. 3 "phone room" busts here where I live in the last month or so, all of which were the "tech support" hot lines that you called into after you've paid the ransom to "fix your PC."

sure, there are many different levels of extortion. Some outfits are very upfront i.e. "your PC has been locked..." others are much more subtle and appear to come across as a legit operation and it isn't until you speak to your techie son-in-law that you find out you've been hit.

IMHO the best way to nab these guys is the phone rooms. More and more cities / states are requiring these rooms to have licenses and in my city the FBI has set up a temporary shop to go after these guys.

What exactly is a phone room and how will it help stop ransomware?
A phone room or boiler room operation will not stop ransomware - in fact quite often it's another sort of scam in itself.

Here's a short article explaining the process and the Verge covered the subject in length: http://ipensatori.com/2014/05/27/tech-support-scams-what-lie...

http://www.theverge.com/2012/5/10/2984893/scamworld-get-rich...

thank you, exactly. lots of that going on here. 3 years ago it was timeshare sales then timeshare recovery i.e. "helping victims get their money back from the scam, which in and of itself was a scam."
The problem is not the ransomware neither the criminals ... it's the way internet/computer users became completely unaware of what they are using and blindly trusting everything.

Think of this as a natural balance to the ridiculously insecure internet and people's tech culture. If we are all going to live in a world where we use internet and technologies everyday, we should have a minimum of knowledge on how it works and not blindly trust everything.

One other point, it's useless to try stopping these guys, they are selling the software on the blackmarket with source code, the more you catch the more room you give to new criminals and the better breed the virus becomes ...

I think you're right: People are not afraid of computers anymore, and when they are, it's in all the wrong ways.

When I was younger the internet terrified people. I learned all kinds of simple "don'ts" in the 90s that it seems all got completely forgotten within a decade and now no-one learns anything anymore.

I didn't even use my real name online until a couple of years ago. It was like the first rule of the internet: never put your real-life details on the internet.

Now we have Facebook.

News stories and Outlook viruses made it abundantly clear that you should never ever ever click an attachment if you didn't specifically request it and know exactly what it is (And even then, best to double check).

Now there's a whole bloody black-market industry built on attachment malware.

I was told to never re-use passwords, never write them down, and never give my password to anyone.

Now we have apps that conveniently collect every single one of your passwords to provide a single-point weakness where one password unlocks your entire bloody online identity, and the point of even having separate passwords is completely lost. And it's somehow supposed to be 'more secure'.

I don't understand the internet anymore.

The point of services like last pass is that a website with shitty security won't compromise all your accounts on websites with decent security.

The point is you only trust one security specialist company rather than many non security specialist companies.

It's getting to the point where if you don't use something like lastpass, then reusing passwords to some extent is needed - or do you remember 20 different passwords for each site you visit, even when you visit them only once a year?

You're right that the password-vault part is the weakest part of the post, I think, though I'd argue many people probably don't even use (relatively) secure options like LastPass, and probably default to "password managers" built in to browsers or OSes.

I just have this weird cognitive dissonance when I see the 'big threats' that get posted sometimes online. The other day I read a Reddit post about some Dangerous New Threat to Bitcoiners, that amounted to nothing a slightly-more-clever-than-average attachment virus. I don't understand how anyone managed to get as far as even operating a Bitcoin wallet and somehow never learned basics like "don't click blindly on email attachments".

> I don't understand how anyone managed to get as far as even operating a Bitcoin wallet and somehow never learned basics like "don't click blindly on email attachments".

Perhaps you're not the best person to be giving security advice if you don't understand why people - even those who should know better - click on email attachments?

(comment deleted)
I bet you don't know how the power circuit in your fridge works and still you expect it not to burn down your kitchen while you sleep.
Not quite. A better analogy here is this: there is a supplier of fridges that is notorious for unreliable power circuits. People know this, and buy those fridges anyway, hoping that it won't happen to them, because the fridges are popular and have a particular copyrighted layout of the door and shelves so that they don't have to learn anything new when visiting friends or moving to different house. Initially, the fires weren't the people's fault; but when the people kept buying and installing those fridges in spite of the problem, they expressed their disregard for the issue with their dollars. At that point, they began to deserve the consequences. (Of course, the analogy is quite flawed because not everyone knows; there are always some new users who think they are getting a safe fridge, and are cheerfully sold the death trap.)
Just don't be surprised when everything turns into a walled garden.
Could the "one file free decrypt preview" feature be used to sniff out the crypto key required to decrypt all the other files? Or does the virus need to check in with the backend for every single file for unique keys?
> does the virus need to check in with the backend for every single file for unique keys?

As it's based on CryptoLocker, all the files would be encrypted with the same key. After CryptoLocker was busted by law enforcement, "Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool" (https://en.wikipedia.org/wiki/Cryptolocker#Takedown_and_reco...)

edit: technically the files are encrypted with different keys but those keys are stored on the victim's machine and encrypted with a single key -- http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-ne...

I wouldn't be so sure this would help: CryptoLocker was using symmetric encryption (AES) for the files while CryptoWall apparently solely use RSA (which creates problems for the pirate, like slow encryption, thus encrypting only small files (.jpeg, .doc...)?). Only the public key seems to be downloaded when the malware installs. (http://stopmalvertising.com/malware-reports/cryptowall-behin...)

If this is the case, I would surprised if they would download the private key for the one free decrypt feature. If they encrypt only small files they might do the decryption on the remote C&C Server?

It's worth investigating anyway.

Great article but I'm sad that it didn't cover what I thought the headline was referring to; how she was hacked to begin with.
And that is why I have the "if you don't have backup, I won't bother to help you with your lost files" policy when friend or family come crying. I make only one exception from this rule.

Cryptolocker is not the problem. The lack of reliable backup is.

15 years into the internet age, and 5 into the cloud you have no excuse.

I would genuinely rather lose all my critical data to cryptolocker than put it in the cloud. Given a choice between my data being accessible by no-one or everyone, I will pick no-one every time.

Data in the cloud /is/ available to everyone that matters.

I'd also like to remind you that it can be impractical to back up some forms of data, especially in the cloud. High definition video (weddings, funerals, holidays) is impractically large.

The problem /is/ Cryptolocker. Anyone with an ounce of practicality will take mitigating steps against it, I have no sympathy for anyone who ignores the risk, but the solution is not massive scale global data duplication, that is treating the symptoms. The solution is to dissuade criminals from this path.

Widescale international cooperation in finding these people would be a start.

You don't need to backup to the cloud, have people forgotten about physical hard drives?
Yep, a good mitigation plan is a 2tb time capsule. All my precious cat photos are backed up on the regular, encrypted and within reach.
As long as you remember to keep that drive unplugged - otherwise it'll get cryptolocked with everything else.
I do have a physical hard disk for my backups but I also backup some critical data "on the cloud" (actually, some servers of mine). There is always a chance that the pc and the disk are stolen by a burglar or my house catches fire. Then there is the matter of making the encryption and access keys survive any of those events.
Here is a good interview question:

Design a simple system that uses amazon as backend to store encrypted data and the keys never leave your control.

There were 4TB drives at 100-sh bucks for big things.

The problem is not Cryptolocker because there will ALWAYS be malware that targets the data itself. And some people will do it just for fun.

I think Duplicity (http://duplicity.nongnu.org) is what you're looking for. For Ubuntu I know there's a nice GUI that anyone who can use a computer can set up. For other platforms I think cli is the only way, but someone could just write a QT/Cocoa wrapper around it.
Or, don't be dumb and use tarsnap. encypting backups is not an impossible (or even hard) problem.
Indeed, having a recent valid backup turns the cryptolocker variety of virus quite ineffective, you only lose some time to restore vs files you can't replace.

But how is this related to the internet or the cloud in any way? Putting backups into the cloud is a terrible idea and transferring large data collection over a residential Internet connection makes little sense. Backups for home users became a possibility with the advent of cheap storage, first burners and cheap blank discs and now with large hard drives and flash media.

But the issue at hands here is that with the democratization of the personal computer most users lacks the skills to make their own backups and even among technical people it's not until we got bitten by data loss that we start to take backups seriously.

I did not say put it in the cloud. Although it is totally possible to create backup solution that is undecryptable by the cloud hosting provider.
"15 years into the internet age, and 5 into the cloud you have no excuse." Yes, you did.
I'm sorry, but I do exactly what you say is impossible.

  > Putting backups into the cloud is a terrible idea
  > and transferring large data collection over a
  > residential Internet connection makes little sense.
I work with video, music and large images. So my home backup is 3.6 TB. I now use CrashPlan: a cloud backup, who have no problem with the capacity. It took ~ 6 months to store everything, but now it just sends the deltas quietly behind the scenes.

I lost a 1TB drive the other day, and the restore worked well after a bit of jiggerypokery.

Previously I used an LTO2 tape system involving Bacula, a VMWare linux instance and a lot of changing tapes. Cloud backup is so much better

> Backups for home users became a possibility with the advent of cheap storage, first burners and cheap blank discs and now with large hard drives and flash media.

Now your home users need to start regular media rotation with scheduled integrity checks with a full copy stored off-site in a geographically diverse location. Are you starting to reconsider your assertion that “putting backups into the cloud is a terrible idea”?

What you should have mentioned is how many years since the start of the personal computer.

People simply cannot be computer-illiterate in the modern world without eventually being screwed. Nearly every computer ignorant person I know has a virus/spyware/adware ridden PC sitting at home while they're just waiting to find a "computer guy" who can fix it.

And after the backup don't forget to detach the external storage and logout from the cloud storage otherwise they could just encrypt those too.
I'm surprised that no one has fingerprinted the patterns that these apps take to encrypt the files, then created an antivirus definition for them. Surely they can't be that polymorphic that no one can catch them?
Polymorphism typically referred to worms and viruses that changed their own code base as they spread. Most infections, however, happen from phishing emails either with attachments or linking to the payload. Changing the files produced so as to no longer be caught by antivirus signatures is trivial, and you can even create a unique variant for each phish.

Many legitimate programs will seem to act similarly - opening files and overwriting contents with something else. ID3 tag writers for MP3s, file type converters, batch image processing, etc. This means you can't match easily against the types of actions being taken.

Let's imagine, however, that the antivirus was still able to detect that something odd was happening. If it prompts the user, they will inevitably click 'yes run this file', because that's what they have always done. If it quarantines the file... well, you just add another few lines to the phishing email saying that the attachment is perfectly safe ("scanned by symantec" apparently...) and to go ahead and bring it back out from quarantine

The problem is that the signature-based antivirus model assumes 1980s-speed networking where an attacker releases a single program which has months or years to spread around the world. In the Internet era, the attacker receives the same AV updates when you do and can tweak an executable until it's no longer detected locally before immediately deploying it. This approach can even be automated both to permute the executable until it passes and to stop spreading it after it starts being flagged.
HitmanPro.Alert (http://www.surfright.nl/en/alert) includes a variation of this - it's not looking for fingerprints, it's monitoring for process behavior characteristic of individually encrypting bunches of files.
My wife's father died about a month ago - two days after he died his widow got a call from some bunch of scoundrels saying "we need to fix your late husband's PC so you can get at his tax records"....

Fortunately, he never had a PC (he was in his mid 80s) so it was obviously a scam but we were all appalled at the cheek of such an approach and the for the fact that a lot of people, particularly the elderly in a moment of stress, would fall for such as scam.

This is an update of another scam, wherein scam artists prowl the obituaries and send "brown package material" with embarrassing contents to the surviving family member, claiming the deceased had ordered it.

Their hope is that the surviving member will pay up to avoid embarrassment. Yeah, you have to be a sicko to think this stuff up.

And this is why they tell you to have somebody stay to mind the home during a funeral.
So the title is "How My Mom Got Hacked" and the only thing it actually says about that actual title is:

    The virus is thought to infiltrate your computer
    when you click on a legitimate-looking attachment
    or through existing malware lurking on your hard
    drive, ...
So, there's really nothing about how his mom got hacked.

Don't get me wrong, it's an interesting article, interesting to read about the process that ensues once you've been hacked, and I've up-voted it, but I'm disappointed not to see anything about how it happened.

How her mom. Well read.
Thank you. I read the article in some detail, I didn't read the author's name. The author's gender is not evident from the text of the item.

For what it's worth, I found your comment somewhat snarky.

"... and about dispatching her daughter to the Coin Cafe A.T.M. at the 11th hour."

I agree about the snarkiness though.

True enough - by that stage I'd given up reading word by word and was skimming, so I missed it - well spotted.
How my mom caught a virus that encrypted her personal files - would be a more appropriate title imho.

But anyway after reading the article it's clear what happened. Evil mail attachement --> infection.

> How my mom caught a virus that encrypted her personal files

Just as bad if you ask me. There's still nothing about how she caught it.

This may sound cliche, but click-bate articles truly are plaguing the nation
How is this click-bate?
It might be considered clickbait since the story barely touches (and never actually answers) the how of the headline (i.e. using a somewhat sensationalist headline to increase clicks).
I'm not sure it's really relevant. There's countless ways for normal users to be infected.
It's a common title structure; I don't see anything clickbaity about it. It should be interpreted as "the story of my mom getting hacked".

Think "How I Met Your Mother", which has little to do with the mechanics of Ted meeting his future wife, but rather the story surrounding it.

Jesus. The publisher is the New York Times, writing a story about a real threat to ordinary people. It's not a great headline, but neither is it really misleading either. It effectively communicates what the article is about to SNYT readers.

Apparently anything that is not 100% dull now is clickbait.

It's not about being dull, or exciting, and it's not about click-bait or otherwise. It's about accuracy, reporting, and expectations. The heading was "How My Mom Got Hacked" so I expected to see something about how her mom got hacked.

But I didn't. It was a great story about what happened after her mom got hacked, and it was interesting, and mildly engaging, but it simply wasn't what it said.

Calling it something like "Paying the hackers" or something like that would have been accurate and just as intriguing.

Is it too much to ask reporters to title the article with something that actually refers to what is in it?

Yes! Reporters usually don't get to write their own headlines.

(you can swap in "publications" without really changing what you meant, but I guess it's fair to not blame reporters)

Is it too much to ask that you use some imagination rather than blandly parse a headline?
Sorry, but I really don't understand that comment. I read the article, and commented that the title doesn't match the content. In what sense do you then claim that I've just blandly parsed a headline?
What do you call the opposite of clickbait? I thought the article was more interesting than I originally expected.
> “Whoever these yahoos are, they have some little shred of humanity.”

Not really. Their "business model" is extremely restricted. 99.99 of their victims cannot handle the Bitcoin thingy.

How Ordinary Everyday Moms and Dads Are Being Introduced To The Exciting World Of Bitcoin!

(though today they can certainly get ... cheap coins)

>Their "business model" is extremely restricted. 99.99 of their victims cannot handle the Bitcoin thingy.

Its actually pretty interesting how this developed. Some of guys running variants of cryptolocker realized how much money they were missing out on and established customer support channels to help their victims figure out how to pay.

Apparently CryptoWall does a dumb copy of the files before encrypting them and do not zero-out after deleting. If it still proceeds this way, that makes it fairly easy to do some recovery.

Source: http://www.wyattroersma.com/?p=108

You'd think Putin might be persuaded to take action against some of the guilty parties. I know that has not been the Russian tradition but things could change.
The guilty parties (where known) are local heroes. The US has a bad reputation in much of the world.
Has anyone ever done a serious technological evaluation of one of these programs? I'd be very interesting in learning more specifically about its encryption mechanism. For example, To be able to decrypt (edit: used to say encrypt) the files, it has to store the private key (and obviously the public key) somewhere on the computer, whether in memory or elsewhere to decrypt the files. In addition to this, if this is a variant like mentioned in the article, where you can "decrypt one file for free", then the software obviously has to access both keys to decrypt that, meaning with the right tools you should be able to capture those keys if you can capture the program in the action of decrypting a file.

While an obviously viable solution to this is good backups and educating people about computer security, that won't put these people out of business, which is what would really stop this.

Either way though, if anyone here knows of any material delving into hacking ransomware like this let me know, I'd love to read about it.

It doesn't have to know the private key, just the public one, woth the private being on the virus-owner's side.

Furthermore, it's possible to encrypt each file with a different key so one public key would only deceypt one file.

Oh, and a fun fact - with the newest cryptography algorithms it's even possible to modify the files without knowing what they contain. If I'm not mistaken it would even be possoble to create a software that can conpute checksums of files without knowing the file contents.

> Oh, and a fun fact - with the newest cryptography algorithms it's even possible to modify the files without knowing what they contain. If I'm not mistaken it would even be possoble to create a software that can conpute checksums of files without knowing the file contents.

To my knowledge, this is only true in a purely academic (not practical) sense at present. There do exist homomorphic encryption schemes but current implementations are ridiculously slow.

> To be able to encrypt the files, it has to store the private key (and obviously the public key) somewhere on the computer

Why do you say that? The very purpose of public-key crypto is so that you can send only the public key, have the other end encrypt with that, while you hold onto the private key which is the only thing that can decrypt it.

No guarantee this uses public key for the crypto though. From what I know, a symmetric key is more suitable to encrypting huge amounts of data. Could be wrong about that though.

My mistake. I said encrypt when I should have said decrypt. You are correct though, symmetric key encryption would be better for this, and utilizing the answer giving by kolinko below, I wouldn't be surprised if they did use a different key for each file.
You only need to decrypt once the payment has been received, so the private key doesn't need to be sent to the infected machine before that. Encrypt/Decrypt, it seems to be a moot point.

The "decrypt one file for free" feature seems to be specific to CryptoWall which, some have reported, do not use symmetric encryption like CryptoLocker. CryptoLocker stores symmetric keys for each file on the infected machine, encrypt those with a public key and when the payment is received, send the private key from the C&C Server. I would say it's very unlikely CryptoWall would store remotely a private key per file. That could mean a lot of information to be transferred over the wire. Probably because of using only asymmetric (slow) encryption, CryptoWall apparently only encrypt small files completely, and only a piece of the larger ones. One way the "decrypt one file for free" feature might work is by actually uploading the file (or the the encrypted piece of file) to the C&C Server, decrypting it remotely and sending it back. But the feature is definitely worth investigating.

https://blog.fortinet.com/post/cryptowall-another-ransomware...

http://stopmalvertising.com/malware-reports/cryptowall-behin...

> From what I know, a symmetric key is more suitable to encrypting huge amounts of data.

Symmetric key encryption is more efficient, but the typical approach when using public key encryption with large files is to use symmetric key encryption, then encrypt the symmetric key with the public key, and then transmit that over the wire.

I imagine that the process used in this software is the following:

1. Generate symmetric key

2. Encrypt symmetric key using (known) public key (the private key remains on the malware owner's servers)

3. Delete the unencrypted symmetric key.

If these three steps are done before the user is told that their files have been held hostage, then by the time that they know they are infected, it's too late to do any analysis of the program, sniff memory, etc. (at best they'll be able to recover the public key and the encrypted symmetric key, which is useless without the corresponding private key). As soon as the ransom is paid, the malware owners will decrypt the symmetric key (using their private key), and send that back to the victim[0].

This could, of course, also use a different symmetric key for each file as well, in addition to the above.

[0] In theory, the malware owners don't even need to store anything per-victim, since the encrypted symmetric key can remain "safely" with the users the entire time. All they need to store is the single master private key.

@logn cites a couple links explaining how CryptoLocker worked[1].

Each file gets its own key, and those keys are stored on the victim's computer, encrypted with a single key.

DeCryptoLocker can defeat the encryption and restore your files[2].

Symantec says CryptoWall similarly uses public-key encryption with a 2048-byte key[3], but no indication if it can be defeated like CryptoLocker was.

[1] https://news.ycombinator.com/item?id=8834012

[2] https://www.decryptcryptolocker.com/

[3] http://www.symantec.com/security_response/writeup.jsp?docid=...

Also, wouldn't it be possible to recover the files on most filesystems, assuming the disk is too not full?

The program has to encrypt them, unlink the files, and save the encrypted files / archive. If the filesystem needs more space later, it writes over those (discarded) files, right? Everything else would increase disk wear and decrease performance.

Edit: of course excluding SSDs with TRIM/discard enabled.

The problem is that "needs more space later" can occur as soon as the malware moves on to the next file to encrypt.

Also, overwriting discarded files can happen even before the filesystem runs out of space; it depends on the allocation strategy. To maximally preserve the possibility of undeleting files, there would have to be a policy of using the least recently freed blocks for new allocation. That could be pessimistic in other regards, like minimizing fragmentation and seek time.

It would be fun if one of these extortionists was a victim and had his files locked by a rival.
I work for a school district in the US and we see this occasionally. We just wipe the computer and restore files to the Users network drive from backup.

I personally think getting into a good backup regimen is a better use for the money than paying some scumbags.

Isn't this a pretty strong argument against Bitcoin and other cryptocurrencies? (I am being serious.)
Not really. Most useful technologies can be used in crime and we'd get nowhere if we allowed that fact to be used as an argument against the technology.

Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate phone number or mail cash to a foreign address.

How about when in a few years time there's a scalable, functioning market for hits/murders with bitcoin as payment?

I love the elegance of the bitcoin protocol, but I am worred that the civilized world will have to clamp down on it. You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed. This will effectively turn us into a bandit country like Russia. I also think it will become harder to effecticely clamp down on cryptocurrencies as time passes, so time is of an essence.

> You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed.

Your 'reasonable risk of being exposed' is when you plan and execute the hit. It's pretty difficult to do. Also, when your target winds up dead, the first investigation is into whether anyone might want that person dead (motive), not the money trail.

Any hitman worth his salt will already today know to get paid in cash or similar liquid assets. As opposed to the ransom situation, the payment of a hit can be arranged long before investigators start looking, so you can easily ship a boxful of cash to a dead drop and avoid ever meeting the hitman in person.

And even if there was a money trail, you couldn't hope to get to a hitman by following it unless you have the other end to start down - ie. you know the "customer", who's the bigger criminal anyway.

> This will effectively turn us into a bandit country like Russia.

No, the availability of anonymous payments is not the defining difference between Russia and 'us'. The rule of law is.

> You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed.

I strongly suspect that we will see a whitelist-endorsed-by-some-reputation-broker approach sometime in the future. The suggestion of this kind of thing usually creates a big backlash among many Bitcoin supporters (for good reasons IMO). But eventually there will be many folks using Bitcoin without any ideological attachment to it, and they'll be lured by the appeal of interacting with agents endorsed by some other party.

> Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate phone number or mail cash to a foreign address.

A foreign address is still an address, which if used to perpetrate crime on a large scale, would represent a point of vulnerability for the criminals even in a somewhat lawless country. Bitcoin's role in these crimes is analogous to an alternate universe, lawless by design, where criminals can retrieve ransoms anonymously and with impunity.

Isn't this a pretty strong argument against encryption?

Isn't this a pretty strong argument against cash?

Isn't this a pretty strong argument against email attachments?

> Isn't this a pretty strong argument against encryption?

No; totally different arena.

> Isn't this a pretty strong argument against cash?

Cash is a lot more traceable than bitcoin transactions.

> Isn't this a pretty strong argument against email attachments?

? :)

> Cash is a lot more traceable than bitcoin transactions.

This is extremely false. How did you get this idea?

The article doesn't seem answer the question raised in the title. How did Mom get hacked? Actually it's buried in there:

> "So what can we all do to protect ourselves? Keep our computers backed up [...] and most of all, Beware the Attachment."

Ah, so the Attachment is what got Mom!

You know, the above should really be "Beware the Attachment processed on a Microsoft Windows box using the default and/or most popular handlers for its file type."

Also: "beware of letting naive users use the same Windows PC's for Internet-based consumption activities net surfing and e-mail, and for production/retention of important content."

That's effectively saying that non-experts should only use something like iOS or maybe ChromeOS. The same class of attacks works against any user using any operating system which allows them to install arbitrary code - Mac, Android, Linux, etc. all have past examples of successful attacks which started with an email attachment, browser drive-by, etc.
That actually may be a very good idea. It's not that non-experts should be forbidden from using these thing it is that we should stop handing people guns that they end up using to shoot themselves in the foot with.
Agreed – I'm not cheerful about the implications of making things less user-serviceable but … it's not like we don't know how well that's worked out.

If you haven't already read it, SwiftOnSecurity's “A story about Jessica” is rather good for illustrating how badly we've failed as an industry to produce devices which are safe for non-experts to use:

http://swiftonsecurity.tumblr.com/post/98675308034/a-story-a...

Thats a cool article.

On the other hand, WTF is up with that blog?!?

It started as a parody Twitter account (https://twitter.com/SwiftOnSecurity and e.g. https://imgur.com/a/1PDRJ) but got more serious over time. The author really came into their own around the time of last summer's celebrity iCloud attack when so many people were jumping to blame the victims for assuming that big tech companies were good at security.
(comment deleted)
my neighbor also had this. was not really able to fix it. felt pretty bad.
I don't see any mention here, but as someone who deals with front-line response to users regularly, take a look at CryptoPrevent from FoolishIT (yes, really, https://www.foolishit.com/vb6-projects/cryptoprevent/) and HitmanPro.Alert (http://www.surfright.nl/en/alert) with CryptoGuard. The first does a bunch of local policy setup to restrict where executables can run along with some optional subscription signature watching;the second does more watching for encrypting behavior including on a host sharing files via SMB.

I also recommend making sure that shadow copies are turned on and allocated plenty of space - including on a separate partition or drive if the user in question regularly comes close to filling the drive. It's not a backup, but it is much faster to restore from a shadow copy than from an offsite backup.

edit: added links

CryptoWall apparently delete shadow copies with a simple vssadmin command.

http://stopmalvertising.com/malware-reports/cryptowall-behin...

Good to know; I've only dealt with a couple and they were on workstations that encrypted files on mapped network shares - vssadmin wouldn't have any access to remove shadow copies on the file server, and in all but one of those cases we had both shadow copies locally on the file server and offsite file backups in place (backups only for the last).
Yes, I meant try to delete... My first impression about CryptoWall is that it was hacked together quicker than CryptoLocker. It doesn't bother with generating a symmetric key per file but rather seems to use a single asymmetric key. It also apparently make a copy of the file before encrypting and doesn't zero-out after deleting the plain text file (see another of my comment in this thread)
" The main difficulty in stopping cybercriminals isn’t finding them, but getting foreign governments to cooperate and extradite them."

Sorry, but no, fuck off please. US extraditing people from other countries is an abhorrent practice which should not be happening, ever. Imagine if you got an extradition request from Saudi Arabia, because you broke some of their laws on the Internet. Every single country in the world would tell them to sod off. Yet when US does this it's somehow ok? Absolutely not.