A few evenings ago, a close friend in the crypto community messaged me with a strange request: a provincial college’s enrollment portal had just been hacked and they were asking for help. Their entire database of students had been emptied out and replaced with a single data cell that said: “I have backed up all your database. To recover them you must pay 0.0135 Bitcoin to this address 1Q…m. After your payment email me at r..@onionmail.org with your server IP and transaction ID. Emails without transaction ID will be ignored.”
Fifteen minutes later I was in a conference call with the school administrator and her team. They had seen the first errors appear on their intranet just four hours earlier, and when they poked around the file system they found a lone “readme” table where a complex database full of student records used to be. Their most recent backup snapshot was from way back in June, BEFORE they had completed enrollment for the current school year. They didn’t show me any of their application code, but I’m guessing that it was a SQL injection that got them. (Their application was developed in-house and did not use any standard web frameworks.) Either way, they really needed the current version of their data back.
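To make the suspected failure mode concrete, here is an added illustration (not the college’s code, which I never saw, and not part of the original post) of the class of bug I mean: a hand-rolled lookup that splices user input into the SQL text, next to the same lookup with a bound parameter. The table and student rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for an enrollment table.
STUDENTS = [
    ("2022-0001", "Ana", "CS"),
    ("2022-0002", "Ben", "Nursing"),
    ("2022-0003", "Carla", "Education"),
]


def make_db():
    """Build an in-memory SQLite database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id TEXT PRIMARY KEY, name TEXT, program TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, student_id):
    """String-built query: whatever the user types becomes part of the SQL itself.

    A value like  x' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row, which is the kind of path that leads to a whole
    database being read out (and later wiped) through a public form.
    """
    sql = "SELECT id, name, program FROM students WHERE id = '" + student_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, student_id):
    """Bound parameter: the driver sends the value separately from the query
    text, so quotes in the input can never change the query's shape."""
    sql = "SELECT id, name, program FROM students WHERE id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # all three rows
    print("parameterized: ", lookup_parameterized(db, probe))  # no rows
```

The same rule applies to every query in an in-house application, not just logins: if the SQL string is assembled with `+` or `%`, the framework is not protecting you. Reviewing for string-built queries, and keeping a backup schedule tied to the enrollment calendar rather than “whenever someone remembers,” would have changed this story considerably.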
So I started with the good news. 0.0135 BTC is barely $500, suggesting that these hackers were small-time crooks looking for bite-sized paydays. They were not specifically targeting this college, and there was no evidence that there was any anger towards a person or a group within the college. (When Anonymous Philippines executes a hack, they tend to deface the public-facing website to humiliate the administrators. Here, there was no visible damage.) The software the hackers used was likely bought off-the-shelf from the dark web, not something custom-built. In other words, it was your plain old garden-variety ransomware attack, which meant that there was a good chance that this was a purely transactional crime.
I advised the school against involving the NBI Cybercrime division, because it was extremely unlikely that these hackers were anywhere in the Philippines, and modern anonymization technology makes it so that they would be untraceable anyway. If this were a $50,000 ransom, we’d consider more options, but at the $500 price point, the most straightforward solution was to swallow their pride and just pay up.
However, the school administrator did ask me how they could be sure that their database files would be returned once they paid the ransom. It was a valid question, and in the grand scheme of things, probably the only one that mattered. I explained that you could never be 100% sure, of course. But let’s consider the implications if victims never got their data back after coughing up their money. At $500 a pop, these hackers aren’t becoming wealthy from one victim; they need hundreds. So they actually need the general public to believe that they could get their data back, otherwise, no one would ever pay up and the whole scheme would be pointless. Much like normal entrepreneurs, the hackers are leveraging “positive” word-of-mouth and repeat business. Thus, I believed that there was a greater than 50% chance that the school would get their database back if they paid up.
Unfortunately, all that turned out to be irrelevant when I did a validity lookup on the email address the hacker provided. I’ve concealed it in the pasted message above, but it was a long, software-generated username (r…@onionmail.org). Although onionmail.org is a privacy-oriented mail service, you can still look up the existence of one of its email addresses without sending a message to it first. I tried a couple of different email checking services, and then eventually I gave up and messaged the onionmail.org customer support directly. They all told me the same thing: the email address that the hacker provided did not exist. It appears that this moron had accidentally entered an invalid email address, thus making it impossible for his victims to communicate with him. I tried different permutations to see if any of them would result in an active email, but couldn’t find any that worked.
With no way to message the hacker, the entire discussion about paying the ransom was essentially pointless. I considered embedding a message in a small Bitcoin transaction, because we knew that the Bitcoin wallet address he had provided was at least working. The problem with that approach was that it assumed a level of technical sophistication that I don’t think these hackers possessed. Getting their own email wrong wasn’t exactly an encouraging sign, and I doubted that these guys knew anything about OP_RETURN or BIP70. If I used either of those tactics to send something like “We are willing to pay your ransom for [x], email us at [y]” then I would most likely just receive replies from an entirely different bunch of crypto scammers. That said, it was probably our only card left to play and I was willing to give it a shot if the school management gave the green light.
After about 24 hours of deliberation, the school decided that they would just start rebuilding their database from scratch. None of their other options were particularly promising. By the third day, the school had begun receiving reports from their students of strange phone calls. It’s these second-order effects that really tend to amplify the impact of these ransomware incidents: although the original hacker was offering to return their data for a fee, we can assume that the actual contents of the database have already been copied and handed off to other hacker groups for further processing. The school did publish an announcement explaining the situation to their student body and advising caution when responding to any messages or calls from unfamiliar numbers.
During the first half of 2022, an estimated 230 million ransomware attacks were carried out around the world, and sadly, the Philippines is amongst the top 10 countries with the highest number of incidents. About 79% of all victims opt to pay the ransom, and due to its decentralized and easily-anonymized nature, Bitcoin is the default currency for these attacks. I can only imagine how heated their boardroom discussions must have been during the last few days, but it’s painful lessons like these that really shape an organization’s security policies.
Stay safe out there, cryptofam!
It’s really a strange world out there. We can no longer depend on inexpensive website builders and maintainers. Security may be expensive but not having a dependable one can ruin your business.
Cheap scammers abound. Beware!