Ransomware is exploding across the globe, costing computer users billions of euros every year. Authorities, businesses and millions of private individuals worldwide have had their computers destroyed by cybercriminals that no one seems to be able to stop.
But thanks to a unique data leak, SVT can today reveal the innermost secrets of the network that has been attacking Sweden with fake mails designed to look like they come from telecom giant Telia and the national postal service PostNord.
“It’s incredibly unusual to get this kind of insight into how the new cybercrime works. This lets us follow their systems from within,” says Kim Zetter, an American author and lecturer who has been monitoring ransomware for some time.
The secret database that SVT News in partnership with Uppdrag Granskning has gained access to contains millions of pieces of data from the attackers’ command centre, which allows us to observe the attacks from an insider perspective. We can see source code, secret messages between the blackmailers and which victims paid up.
Altogether, the network has attacked computers in 31 countries. Apart from Sweden, Australia, Poland, Spain, Italy, Turkey and India are the countries that have been hardest hit, and the database reveals the victims’ desperate cries for help as they beg the blackmailers to unlock their computers.
“Ransomware can be catastrophic for the victims because we have our entire lives in our computers these days,” says Anders Ahlqvist, cybercrime expert with the Swedish Police.
Europol describes ransomware as the biggest threat on the Internet today.
“As long as criminal networks can make big money on this and not get caught, it’s only going to increase,” says Fernando Ruiz, head of the European Cybercrime Centre.
In Sweden alone, the virus has been sent to 1.6 million email addresses. The emails all look as if they came from PostNord or Telia. The message encourages the recipients to click on a link to download an invoice or a dispatch note for a parcel. A few seconds later, the computer is locked. Important documents, diaries and family photos are impossible to open unless the user pays a ransom of SEK 4,000–SEK 6,000 in the digital currency Bitcoin.
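The lure described above (a mail whose display name claims PostNord or Telia, which then asks the reader to download an "invoice" or dispatch note) is something a mail filter can check for before a user ever clicks. The following Python is an added example written for this page, not code from SVT, from Uppdrag Granskning or from the leaked database; the brand-to-domain allowlist, the lure word list and the three sample messages are constructed assumptions, and a real deployment would maintain its own allowlist and feed it from the mail gateway.

```python
"""
Flag brand-impersonation mails of the PostNord/Telia kind: a display name
or lookalike domain that claims a trusted brand, a sender domain that does
not belong to it, and a link inviting the reader to download an invoice.
Everything below is constructed for illustration (example code, not the
page's own material).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: sender/link domains that legitimately belong to each brand.
BRAND_DOMAINS = {
    "postnord": {"postnord.se", "postnord.com"},
    "telia": {"telia.se", "telia.com"},
}

# Invoice/parcel wording typical of this lure (Swedish and English, assumed list).
LURE_WORDS = re.compile(r"\b(faktura|invoice|försändelse|paket|parcel|dispatch)\b", re.I)
# File types that should never arrive as an "invoice" download.
RISKY_EXT = re.compile(r"\.(zip|js|jse|exe|scr|vbs|hta)(\b|$)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _brand_claimed(text):
    """Return the first brand name that appears in the display name or domain."""
    t = text.lower()
    return next((b for b in BRAND_DOMAINS if b in t), None)


def _in_brand(host, brand):
    """True if host is the brand's domain or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def analyze(raw):
    """Return {'brand', 'suspicious', 'reasons'} for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(addr)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    reasons = []

    # 1. Brand claimed in the display name or a lookalike domain, but sent from elsewhere.
    brand = _brand_claimed(display) or _brand_claimed(sender_domain)
    spoofed_sender = bool(brand) and not _in_brand(sender_domain, brand)
    if spoofed_sender:
        reasons.append(f"display name/domain claims {brand} but sender is {sender_domain}")

    # 2. Links that leave the brand's domains, and links to risky download types.
    off_brand_hosts = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if brand and not _in_brand(host, brand):
            off_brand_hosts.append(host)
        if RISKY_EXT.search(parsed.path):
            reasons.append(f"link downloads a risky file type: {url}")
    if off_brand_hosts:
        reasons.append(f"links lead outside {brand}: {sorted(set(off_brand_hosts))}")

    # 3. The invoice/parcel pretext only counts when combined with an off-brand signal.
    if LURE_WORDS.search(subject + " " + body) and (off_brand_hosts or spoofed_sender):
        reasons.append("invoice/parcel lure combined with off-brand sender or link")

    return {"brand": brand, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mails from the campaign).
SPOOFED = """From: PostNord <noreply@postnord-leverans.com>
To: victim@example.se
Subject: Din försändelse - faktura

Ladda ner din faktura här: http://postnord-leverans.com/dl/faktura.zip
"""

LEGIT = """From: PostNord <kundservice@postnord.se>
To: victim@example.se
Subject: Ditt paket är på väg

Spåra din försändelse: https://www.postnord.se/track
"""

LOOKALIKE_DOMAIN = """From: Faktura <billing@telia-faktura.net>
To: victim@example.se
Subject: Invoice 2017-03

Your invoice is ready: https://telia-faktura.net/invoice/view
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE_DOMAIN)):
        print(name, analyze(sample))
```

The three checks are deliberately combined rather than used alone: a brand name in a display name is normal for the brand's own mail, and invoice wording is normal for a telecom bill, so only the combination of a claimed brand with a sender or link outside that brand's domains, or a download link to an archive or script, is treated as suspicious. Replace the allowlist with the domains your gateway actually sees from those senders before relying on it.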
“That’s probably why so many people pay so quickly, because it’s not that much money. You’re panicking and it’s cheaper than buying a new computer,” says one victim from Stockholm that we find in the database.
Altogether we discover over 20,000 encrypted Swedish computers. But the leak also contains clues left behind by the anonymous blackmailers. In one list of infected computers, they’ve written comments to each other about bank accounts, wiped computers and how much money they can make. The comments are written in Russian.
And there are more clues pointing towards the east.
When a user opens the downloaded file, their hard drive is encrypted, and log files show us that the encryption program sends the specific key, by a circuitous route, to a server in Russia.
According to the IP address of the command centre, the attacks were orchestrated from a connection in central Saint Petersburg.
The company that owns the connection doesn’t want to tell us who is hiding behind the computers, but several experts SVT has talked to say that the evidence points to Russian organised crime.
“Russia has become a hub of cybercrime in the world,” Kim Zetter tells SVT. “That was where ransomware was invented, and the traditional Russian mafia is now connected to hackers who are making big money on ransomware.”
The leak in brief
Thanks to a unique data leak, SVT can now reveal the innermost secrets of the giant network that’s been attacking the world with ransomware for several years.
Alongside Sweden, Australia, Poland, Spain, Italy, Turkey and the UK have been hardest hit. Altogether, the network has targeted victims in 31 countries.
1.6 million Swedes have received emails from the Telia and PostNord campaigns.
At least 20,000 Swedes have downloaded the virus.
The network receives ransom payments in the digital currency Bitcoin, which simplifies money laundering and anonymity. The victims are asked to pay the equivalent of SEK 4,000–SEK 6,000 in Bitcoin.
The trail leads to Russia and an internet service provider in Saint Petersburg. That’s where the attacks were orchestrated. When a user opens the downloaded file, their hard drive is encrypted, and the encryption program sends the specific key, first bouncing off servers around the world, to a server in Russia.
The network’s latest campaign ended in spring 2017. The server that SVT gained access to is no longer active, but operated between autumn 2015 and spring 2017.