The arrival of June brings a bittersweet time for the parents of high school seniors. Their “babies” (wasn’t that just yesterday?) are somehow grown up now, and they are walking across the stage: clutching a Diploma and looking ahead to their futures.
This past Sunday, our church held a Graduation-themed service for our high school and college graduates. The service allowed our teens to lead worship (what talent these young people have!), provided a well-deserved Sunday off for our Senior Pastor and gave the stage to our Pastor of Teen Ministry (No wonder the teens love him! Talk about a heart for Jesus!). The overall message was very clear, not only to the graduates, but also to the entire congregation- Be a positive influence on others and make a difference in this world for Christ. While this is sound advice for all aspects of life, it is also very similar to the message that we try to teach when given the opportunity to speak on cyber security awareness in front of children and adults, whether at a local county career center, an educational service center or even teaching Sunday school. The message: Use your God-given talents (in our case Computer Skills) for good and not for evil. While I try to incorporate this message into all my security talks and interviews, late last week I was reminded of the reality that the choice between good and bad decisions is a daily battle.
As a recognized expert in the field of cyber security, I am routinely contacted by radio talk shows, newspapers and other media outlets regarding hot new security stories and asked my professional opinion and comments on them. I received one such email last week from a business writer asking me to validate a lead she had gained from a press release. The press release originated from an organization I was unfamiliar with. The subject of the email she received was “New “Sleeper” Ransomware Hits Hard”, and the actual press release title claimed a new dormant strain of ransomware that “awakens” and causes a surge of trouble. The ransomware was labeled “Locker”. FYI-Ransomware is a malicious application that encrypts specific files on connected drives on the system. The user is asked to pay a ransom (in the form of Bitcoins) in order to recover the encrypted files. This category of malware generated tens of millions of dollars for cybercriminals in 2014, and it is running rampant in the first six months of 2015.
At the time of receiving this editor’s request, I was unfamiliar with said malware, so I proceeded to follow my usual protocol for investigating new malware threats. Initially I checked our suspicious detection reports to quickly see if there was any significant spike in activity. There was not. I then met and discussed the “sleeper” malware with our Viruslab Manager. Within an hour, we confirmed that we did not have a sample on file. This was both odd and very unusual (but don’t call Ripley’s yet…) given Thirtyseven4’s proactive behavior detection systems module that is able to quickly stop, trap and submit new threats such as this for immediate analysis. Following this, I contacted a couple fellow anti-virus researchers- their labs had yet to receive a sample or even heard of the threat. This was even stranger, given the terminology used in the press release “surge of trouble”, “swarmed”, “infecting”, “100s of emails from consultants all over the world”.
The next step in the investigation process was to reach out to the organization that issued the security “alert”. A representative from the organization was kind enough to respond, however, informed me that they didn’t have a sample either and that the alert was generated from communication seen on a public forum. I was told my best bet was to review the particular forum thread and request a sample there. We did this and were able to retrieve the noted files. However, the files weren’t the actual malware but instead component files (just stand-alone pieces) of Locker, so there was no way proper analysis could be done. After a day or so of looking into the threat, my professional advice was to pass on the story.
Fast forward a couple days- a new story is published regarding Locker. The new headlines read that the author of Locker repents, offers an apology and expresses remorse that the malware was ever released. In an attempt to right a wrong, the author (who according to reports goes by the name ‘Poka Brightminds’) decides to offer an automated decryption routine for any system that was infected with Locker. When a further investigation was done into the total dollar value scammed from “infected” customers, the dollar value totaled a mere $169.00. All but a few of the transactions were $.02 or under. I suspect that these amounts were from the author himself while testing his creation and payment system. From the database provided, it appears no more than seven total systems were compromised over a course of eight days.
The question becomes- why would someone go through all the hard work and spend endless hours setting up a command and control network, and develop a new piece of ransomware just to shut it down less than two weeks into it? Could this be a modern day version of Judas betrayal? While they didn’t have Bitcoins back in the Jesus’ day, in Matthew 26 we read how the chief priests and Judas agree to handing Jesus over for thirty silver coins. Fast forward to Matthew 27, we read in verse 3, “When Judas, who had betrayed him, saw that Jesus was condemned, he was seized with remorse and returned the thirty pieces of silver to the chief priests and the elders. 4 “I have sinned,” he said, “for I have betrayed innocent blood.” The allure of money and world gain can make people do hard-to-understand things.
While it is anybody’s guess what the true motive for the author’s change of heart was, my idea is that this was a proof-of-concept creation that for one reason or another was publicly leaked by mistake (maybe accidentally/maybe his infrastructure was hacked). And while repentance may have been the cry of the author, I feel it may also have been the fear of his identity being revealed and the very-real threat of getting arrested which may have changed his course. Because after all, (whether unintentionally or intentionally) the author officially broke the law.
This person obviously had serious talent, and our choices (in my opinion) often all come back to the simple words preached last Sunday to our graduating youth: “Be a positive influence on others and make a difference in this world for Christ”. Use your God-given talents (for many of us reading this article, Computer Skills are one of our talents) for good and not for evil. I feel this message/moral also speaks convictingly to the organization that issued the scare tactic press release. Stirring up false accusations isn’t exactly an example of being a positive influence on others.
Fighting cybercrime is an uphill battle, but we can advance in the fight by joining forces. One angle of protection is teaching/encouraging/praying for young minds in this area to make the right choices with their gifts. We must work together on educating our family, friends and inner circle on the actual dangers in the Security arena and how to stay protected…while at the same time not hitting the panic button without having all the facts. Good lessons for security awareness, graduates and all of us. Congratulations to the class of 2015 and may the Lord guide your steps!