Honor Among Thieves

Ransomware is a pain. People open an attachment in an email, allowing a virus to infect their computers. The virus scrambles all their data and they get a notice from the criminals who created the virus that they can either pay a ransom or have all their data erased. The only thing that prevents people from paying is the well-founded fear that their data is lost anyway. The leading ransomware firms are Cerber and Locky, but a new player is rising with a unique strategy: Spora stresses great customer service and public relations. This is not a joke.

Spora is the Apple Store of Ransomware

The metrics of success in ransomware are pretty simple: multiply the number of computers infected by the fraction of successful conversions of infection to revenue. That’s pretty much the same model as most of the Internet, from advertising to services. Infection is difficult because of malware blockers and user awareness that opening attachments you didn’t ask for is dangerous. Black hat hackers are always looking for vulnerabilities. They make the most of them by sharing with each other with open source tools not unlike the ones that free software advocates use.

Conversion is troublesome for a number of reasons. To maintain anonymity, ransomware providers like to use Bitcoin for payment, and very few people use Bitcoin. Pricing is troublesome because providers aren’t very good at assessing ability and willingness to pay. But the biggest problem is trust.

Spora has determined that the best way to convince victims to pay is to have them post reviews for new victims to read, just like they would when choosing toasters on Amazon. We’ve probably all heard of people who paid ransoms and didn’t get their data back, so Spora wants its “customers” to know they’re not like the bad bad guys, they’re the good bad guys, thieves with honor.

This Had to Happen

The Internet is fundamentally insecure because it was designed for a trustworthy community. The early Internet was a research network only accessible to Defense Department employees and contractors in the private and academic sectors. The user population was small, and every user account could be traced, quite easily, to an actual person.

Even this closed community, there were occasional problems. A salesman for Digital Equipment Corporation, Gary Thuerk, sent the first spam to 400 unsuspecting users of ARPANET back in 1978. (Thuerk followed in the footsteps of telegraph spammers who were active 150 years ago, but that tends to be forgotten.) He was disciplined and it didn’t happen again.

Ten years after Thuerk, Cornell grad student Robert Morris created his eponymous worm. It infected a good part of the Internet – still a research network – at a cost of $200 – $50,000 for each computer it breached. Morris was convicted of violating the Computer Fraud and Abuse Act, for which he was fined and made to perform community service.

Spora’s Great User Experience

While Morris protested his innocence – claiming a bug made the worm spread as fast as it did – this is often regarded as crocodile tears. In any event, the Internet is no more secure today than it ever has been, although we do have better tools for dealing with viruses. Because the Internet is fundamentally open, it’s just as welcoming to criminal activity as to legitimate business.

Like a professional bill collector, Spora is very courteous with its victims while interacting with them via chat. It offers services in English and Russian, and keeps track of multiple simultaneous collection efforts.

Victims who lack ability to pay are offered discounts, and the firm apparently will unlock important files while victims are arranging to make payment. Many who read the story may well conclude that the criminals are easier to deal with than some legitimate businesses. Perhaps there’s a future for Spora in customer service.

The Banality of Internet Crime

What are we to learn about the Internet from the fact that a criminal enterprise can develop such a refined system of extortion without breaking any technical barriers?  It’s certainly an innovation-friendly platform. It pays to be courteous and respectful when dealing with clients. And treating people well is a good way to make a name for your business. These are givens.

The story tells me that connecting networks in nations with rule of law and basic standards of accountability to rogue nations may not be such a great idea. Spora appears to be based in Russia, but it could be anywhere. All we know about its location is that the organization feels safe in blatantly violating norms of civilized conduct.

It also tells us that we have, for the most part, given up on the desire to make the Internet truly secure. This means that the task of protecting our data from corruption, our identities from theft, and our networks from violation depends solely on our own efforts as users of the Internet.

The technical architecture of today’s Internet is such that our ISPs can’t protect us from wickedness no matter how hard they true. It’s on each of us to make the Internet relatively safe and secure. And that begins by not opening foreign email attachments no matter how juicy they look.