When Paul Le Roux released a piece of software called “Encryption for the Masses” (E4M) in 1997, he probably didn’t anticipate it would one day be used against the people it was designed to protect.
Le Roux’s software—which relied on technology that, at the time, was mostly used by academics, businesses, and the military—wrapped photos, documents and other sensitive information in a protective layer of encryption that no one but its owner could access. It was like a bank vault or safe for your digital life. Concerned about the growing threat of digital surveillance by everything from governments and intelligence agencies to private corporations, Le Roux wrote that “Strong Encryption is the mechanism with which to combat these intrusions, preserve your rights, and guarantee your freedoms into the information age and beyond.”
Years passed, and the source code for E4M, which was freely available on the internet for anyone to modify and use, was incorporated into another piece of software called TrueCrypt—famously used by whistleblower Edward Snowden, and which even the NSA is reportedly unable to crack. So strong was the technology underlying TrueCrypt, in fact, that it eventually caught the attention of criminals. But it wasn’t their own data they were interested in hiding.
This past May, a cyber attack knocked the University of Calgary’s email servers offline. For ten days, staff and faculty were mostly incommunicado. “All of a sudden, in our meeting rooms, people were making up paper schedules to do the scheduling or tacking sticky notes on people’s doors to pass along messages,” said University of Calgary computer science professor John Aycock.
It soon became clear that this wasn’t any old malware infection—the sort that might steal passwords or take control of your machine—but a nasty variant known as “ransomware.” As the name implies, computers infected with ransomware are effectively held hostage, data locked and rendered inaccessible—encrypted—until the criminals responsible are paid off in exchange for the key. Linda Dalgetty, the university’s vice-president of finance and services, said the school had paid the equivalent of $20,000 in the digital currency Bitcoin to regain control.
In essence, the same technology Le Roux once imagined would protect people’s digital lives has instead been weaponized—and the University of Calgary is just one of many targets in a recent spate of such cyber attacks.
“There are some technologies that are what you would call dual use technologies,” says Aycock. “There are both good and bad applications.” Nuclear fuel, for example, can be used to power homes—but in the wrong hands, it can level a city. That also holds true for encryption, which secures the photos on your phone and the purchases you make online but also makes possible crimes like the one carried out at the University of Calgary.
“You would be absolutely amazed and shocked at the level of business efficiency that criminals are conducting these attacks with,” says Mark Nunnikhoven, who works at the software security company Trend Micro. He describes ransomware as a numbers game, where payments may only average $300 to $500, but quickly add up as users are spammed indiscriminately and en masse. In other words, anyone can be a target—individuals, NASA, your vet—but larger organizations with deeper pockets, such as hospitals and schools, are increasingly the subject of more strategic attacks.
A typical case of ransomware looks something like this: First, a person opens a malicious email or visits an infected website. Sometimes the user is tricked into downloading and then opening a seemingly innocuous file—say, a notification from customs regarding a recent Amazon order. Other times, merely viewing an email or visiting an infected website is enough. It can happen in less than a minute. Once the infection takes hold, the ransomware sets to work, hidden from sight, indexing files, until a notification appears, to the effect of: “Your family photos, your financial records, that essay you have due tomorrow, have all been encrypted, and only we have the key. Pay up. Or else.”
“Any technical writer in the industry would be envious of how clear these steps are to get you to pay,” says Nunnikhoven, adding that some ransomware authors even translate their instructions into different languages. Criminals have learned they have to make the process as easy as possible if they hope to get paid—a far cry from ransomware’s earliest days, when software spread physically through floppy disks and payment was demanded via mail.
In a strange turn of events, Le Roux went on to become a criminal himself, a cartel kingpin in the shadowy world of online drug trafficking. But the ransomware business would have been just as lucrative—the industry netted criminals over $200 million in the first three months of 2016, according to the FBI. What makes ransomware so profitable—and insidious—is that once a victim’s files are encrypted, the process is nearly impossible to reverse without the key.
For some, that’s not a feature, it’s a bug. Recent terrorist attacks in Paris and San Bernardino have bolstered calls from police and politicians for encryption legislation, a means of defeating the technology’s protections when the law requires it—a so-called “backdoor.” Famously, the FBI took Apple to court over access to an encrypted phone. But to undermine encryption, which is what makes ransomware possible, would undermine all the other things we hold secure, and means victims like the University of Calgary have little choice but to pay up. It’s just how encryption works. Arguably, the good outweighs the bad.
“You can have computers and smart people working away until the heat death of the universe, and you just won’t be able to crack the encryption,” Aycock says. And that’s generally a good thing—except when those algorithms are turned against us.