I haven't mentioned Arkady Katkov in a while, his story after the jump.
From the New Yorker, May 31:
A few days after Thanksgiving last year, Kurtis Minder got a message from a man whose small construction-engineering firm in upstate New York had been hacked. Minder and his security company, GroupSense, got calls and e-mails like this all the time now, many of them tinged with panic. An employee at a brewery, or a printshop, or a Web-design company would show up for work one morning and find all the computer files locked and a ransom note demanding a cryptocurrency payment to release them.
Some of the notes were aggressive (“Don’t take us for fools, we know more about you than you know about yourself”), others insouciant (“Oops, your important files are encrypted”) or faux apologetic (“WE ARE REGRET BUT ALL YOUR FILES WAS ENCRYPTED”). Some messages couched their extortion as a legitimate business transaction, as if the hackers had performed a helpful security audit: “Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company.”
The notes typically included a link to a site on the dark Web, the part of the Internet that requires special software for access, where people go to do clandestine things. When victims went to the site, a clock popped up, marking the handful of days they had to fulfill the ransom demand. The clock began to tick down ominously, like a timer connected to a bomb in an action movie. A chat box enabled a conversation with the hackers.
In the past year, a surge of ransomware attacks has made a disruptive period even more difficult. In December, the acting head of the federal Cybersecurity and Infrastructure Security Agency said that ransomware was “quickly becoming a national emergency.” Hackers hit vaccine manufacturers and research labs. Hospitals lost access to chemotherapy protocols; school districts cancelled classes. Companies scrambling to accommodate a fully remote workforce found themselves newly vulnerable to hackers. In May, an attack by the ransomware group DarkSide forced the shutdown of Colonial Pipeline’s network, which supplies fuel to much of the East Coast. The shutdown, which pushed up gas prices and led to a spate of panic-buying, put a spotlight on ransomware’s potential to disable critical infrastructure. A week after the attack, once Colonial paid a ransom of $4.4 million to get its systems back online, eighty per cent of gas stations in Washington, D.C., still had no fuel.
The F.B.I. advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior. This puts victims in a tricky position. “To just tell a hospital that they can’t pay—I’m just incredulous at the notion,” Philip Reiner, the C.E.O. of the nonprofit Institute for Security and Technology, told me. “What do you expect them to do, just shut down and let people die?” Organizations that don’t pay ransoms can spend months rebuilding their systems; if customer data are stolen and leaked as part of an attack, they may be fined by regulators. In 2018, the city of Atlanta declined to pay a ransom of approximately fifty thousand dollars. Instead, in an effort to recover from the attack, it spent more than two million dollars on crisis P.R., digital forensics, and consulting. For every ransomware case that makes the news, there are many more small and medium-sized companies that prefer to keep breaches under wraps, and more than half of them pay their hackers, according to data from the cybersecurity firm Kaspersky.
For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert. “While I’ve been talking to you, I’ve already gotten two calls,” he told me when we video-chatted in March.
The man who reached out to him in November explained that the attack, the work of a hacking syndicate known as REvil, had rendered the company’s contracts and architectural plans inaccessible; every day the files remained locked was another day the staff couldn’t work. “They didn’t even have an I.T. person on staff,” Minder said. The company had no cyber-insurance policy. The man explained that he had been in touch with a company in Florida that had promised to decrypt the files, but it had stopped replying to his e-mails. He wanted Minder to negotiate with the hackers to get the decryption key. “The people who reach out to me are upset,” Minder told me. “They’re very, very upset.”
As a child, Minder visited his father at the mill where he worked, in central Illinois, and watched him hoist fifty-pound sacks of flour. His mother, who worked for the state, sat in an air-conditioned office with a cup of coffee. He didn’t quite understand what her job was, other than that it seemed to involve a lot of typing. “I was, like, whatever that typing job is, that’s what I want,” Minder told me.
After college, in the early nineties, he got a tech-support job at a local Internet-service provider. Within a year, he was promoted to assistant systems administrator, a job that entailed keeping tabs on the server logs. He began to notice a strange pattern, which he eventually realized was evidence of hackers. “They would use our routers as what we would now call a pivot point—bouncing off them to attack someone else, so the attack looked like it was coming from us,” he said. The attackers were typically hobbyists who were more interested in showing off their skills than in wreaking real havoc; Minder found the cat-and-mouse energy of outsmarting them deeply satisfying.
By that time, hackers had proved that they could inflict serious damage. In 1989, twenty thousand public-health researchers around the world received a floppy disk purporting to contain an informational program about AIDS. But the disk also included a malicious program that is now considered the first instance of ransomware. After users rebooted their computers ninety times, a text box appeared on the screen, informing them that their files were locked. Then their printers spat out a ransom note instructing them to mail a hundred and eighty-nine dollars to a post-office box in Panama. The malware, which came to be known as the AIDS Trojan, was created by Joseph Popp, a Harvard-trained evolutionary biologist. Popp, whose behavior grew increasingly erratic after his arrest, was declared unfit to stand trial; he later founded a butterfly sanctuary in upstate New York.
Popp’s strategy—encrypting files with a private key and demanding a fee to unlock them—is frequently used by ransomware groups today. But hackers initially preferred an approach known as scareware, in which they infected a computer with a virus that manifested as multiplying pop-ups with ominous messages: “SECURITY WARNING! Your Privacy and Security are in DANGER.” The pop-ups told users to buy a certain antivirus software to protect their systems. Hackers posing as software companies could then receive credit-card payments, which were unavailable to those deploying ransomware. In the early two-thousands, ransomware hackers typically demanded a few hundred dollars, in the form of gift cards or prepaid debit cards, and getting hold of the money required middlemen, who siphoned off much of the profits.
The calculus changed with the launch of Bitcoin, in 2009. Now that people could receive digital payments without revealing their identity, ransomware became more lucrative. When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware. By 2015, the F.B.I. estimated that the U.S. was subjected to a thousand ransomware attacks per day; the next year, that number quadrupled. Mike Phillips, the head of claims for the cyber-insurance company Resilience, told me, “Now it’s ransomware first and only, and everything else is a distant second.”....
....MUCH MORE
And Arkady?
Back in 2010, during the height of the Somali ship hijackings, we posted "Dealing with Pirates (and terrorists) Russian Style":
Starting in 1982, and continuing for the remainder of the decade, approximately 100 people were kidnapped in Beirut by various factions of Hezbollah ('the Party of God').
William Buckley, for example. He was the CIA station chief, kidnapped on March 16, 1984.
He was tortured to death. They did it slow, he died in June 1985.
The U.S. did the same thing after his kidnapping that they did after the Marine Corps barracks at Beirut International Airport were bombed in October 1983, killing 241 Marines and Sailors.
Nothing.
On September 30, 1985 four Soviet diplomats were kidnapped and Arkady Katkov was shot in the head by Hezbollah's head of security, Imad Mughniyeh.
The Soviets gave the kidnappers 48 hours to return the hostages and dispatched some guys they call Spetsgruppa A (Alfa Group).
The kidnappers and their relatives were identified by supporting KGB operatives working with the Druze militia, and some of the relatives were taken hostage.
Following the standard policy of 'no negotiation', Alfa proceeded to sever some of their hostages' body parts and sent them to the perpetrators with a warning that more would follow if the Russian hostages were not released immediately. The tactic worked and no other Russian national was taken hostage in the Middle East for the next 20 years, until the 2006 abduction of Russian diplomats in Iraq.
Among the body parts was a decapitated head and some testicles.
You can do your own digging if you wish more detail.
The Russians did not kill Mughniyeh, some say he ended up working for
them, but in February 2008 a joint US/Israeli operation blew him to hell
on the streets of Damascus.
Mughniyeh was the man responsible for the drawn out torture and finally, murder, of Buckley.
He got better than he deserved.
"Money-go-round: The booming cottage industry behind ransomware"