See all LastWeekTonight transcripts on Youtube

Speaker 1

00:00

-♪ ♪ -♪ ♪ Moving on. Our main story tonight concerns the Internet. It's a horrible place that everyone hates, which is a little weird, as it's given us almost everything that we were promised in this nearly prescient ad from 1993.

Speaker 2

00:16

Have you ever borrowed a book from thousands of miles away across the country without stopping for directions or sent someone a fax from the beach, you will. And the company that'll bring it to you, AT&T.

Speaker 1

00:43

Wow. That was two-thirds of the way to shockingly accurate. E-books? Check.

Speaker 1

00:49

GPS? Check. Beach fax? Not in this or any other lifetime.

Speaker 1

00:54

Although I will say, if there was 1 company that would go all in on a doomed technology like sand faxing, it would be AT&T. Specifically, though, I want to talk about 1 of the more damaging things the internet has enabled, and that is ransomware attacks. Basically, instances where hackers get into a computer, lock up the data, and then force the owners to pay a ransom in order to unlock it. You may have heard a lot about them recently.

Speaker 1

01:16

Back in May, a ransomware attack shut down a top U.S. Gas pipeline, the Colonial Pipeline, a major artery for fuel along the East Coast. While the company stressed at the time that there was still plenty of gas available, just the very idea that there might be a shortage led to chaos.

Speaker 3

01:33

The lines for gas getting longer from the Carolinas down to Florida. Panic drivers overwhelming gas stations. Across the Southeast, demand is up 40 percent.

Speaker 3

01:45

Prices at the pump inching up, too.

Speaker 4

01:47

I'll spend that extra few bucks. That's the way it is.

Speaker 5

01:51

I just could've heard there was gonna be a run on gas, and we figured I better get it now.

Speaker 1

01:55

Yeah, that makes sense. There won't be a run on gas unless everyone is an idiot, which means there's definitely gonna be a run on gas, so I might as well be a faster idiot." He's not wrong, but it is people like that guy that make everything completely impossible all of the time. So thanks, that guy.

Speaker 1

02:10

Life just wouldn't be the same without you, and I really wish life weren't always the same. The scale of the colonial hack was truly remarkable. And then in July, the IT software company, Casaya, got hit with an even bigger hack. And since its job was to push software to other companies, that meant that hundreds of Casaya's clients and its client's clients, like a grocery store chain, a public broadcaster, schools, and a national railway system were also compromised.

Speaker 1

02:36

And if you're thinking, hold on, is it just me, or did there not used to be a massive ransomware attack every 2 months? You're actually right. Over the past few years, it's gone from a trickle to an absolute flood. The estimated total ransoms paid quadrupled to $350 million last year, and that is definitely an undercount.

Speaker 1

02:56

Because companies often don't publicly disclose ransomware attacks for fear of negative press or lawsuits. And it's not just companies involved here. Everyone is vulnerable to ransomware. Even this woman.

Speaker 6

03:08

Ina Simone is retired. She's a mother and grandmother from Russia who now lives outside of Boston. In the fall of 2014, her home computer started acting strangely.

Speaker 6

03:17

Ina saw dozens of these messages. They were all the same. They read, your files are encrypted. To get the key to decrypt them, you have to pay $500.

Speaker 6

03:27

All of her files were locked, tax returns, financial papers, letters, even the precious photos of her granddaughter Zoe. Tuesday afternoon, the full ransom was sent to the hacker's account. Ina inserted 1 short message to the criminals with her payment.

Speaker 4

03:40

I wrote, I wish you all will drop dead.

Speaker 1

03:46

Yeah. You almost forgot that woman was gonna be Russian for a moment, didn't you? And then, she's really Russian. She is enjoying herself.

Speaker 1

03:54

You can tell that this isn't the first time she's wished death on someone, and also, this wouldn't be the first time her wish came true. So, if it is so pervasive that it's affecting pipelines and grandmothers, we thought tonight we'd take a look at ransomware, why it's on the rise, and what, if anything, can be done about it. And let's start with some history. The first ransomware attack actually occurred back in 1989, when a man named Joseph Popp mailed 20,000 floppy disks to public health researchers that he claimed contained AIDS research.

Speaker 1

04:24

But when they inserted the disk, their computers were infected with malware, their files were locked up, and the program demanded they mail $189 to a PO box in Panama. That's right, this is a cybercrime so old, it used to require a bunch of floppy disks and 2 physical mailmen. Oh, and fun fact, after being arrested, Popp claimed in court that He had planned to donate that ransom money to AIDS research, which is a little weird because he had stolen that money from AIDS researchers in the first place. He's like Robin Hood.

Speaker 1

04:54

If Robin Hood had gone around taking money from the poor and promising the poor, then he'd definitely give it back later. But obviously, ransomware doesn't come in via floppy disk anymore. Instead, it gets into your system through the internet with a message like this.

Speaker 7

05:09

This is what it looks like when you get attacked. It says, your network has been infected, right there in big red type. Your documents have been encrypted, and now to get them back, you have to pay, is what this ransom note is telling you.

Speaker 7

05:22

There's a countdown clock there, letting you know you have just limited time here to take action and pay these hackers, or else the price is going to go up and you might not get your data back.

Speaker 1

05:32

Yeah, and that is not a message you want to see on your screen. And while they are scary enough in that form, some attacks can be cartoonishly terrifying. Here is 1 featuring the Annabelle doll.

Speaker 1

05:43

Here is 1 with the puppet from Saw. Nobody wants to see that. And here is 1 with Thomas the Tank Engine screaming, fuck you, and saying, the only way to unlock your computer is to send him at least 10 nudes. Which I'm pretty sure is a reference to the unaired final episode of Thomas and Friends, where they introduced Thomas to the concept of pornography, and he became so crazed by it, he had to be forcibly disassembled.

Speaker 1

06:05

They say if you wander the Sodor scrapyards at night, you can hear the wailing of a thousand scattered pistons still alive and howling for dick pics. So That is what ransomware looks like. But how much harm can it do? Well, depending on the target, a lot.

Speaker 1

06:21

Ransomware has caused chaos in city governments like Baltimore and New Orleans. And hackers have also hit school districts, police departments, and even hospital systems.

Speaker 8

06:30

Last month, a cyber attack targeting the hospital chain, Universal Health Services, caused a major computer failure, with some of its hospitals forced to use pen and paper to file patient information.

Speaker 9

06:41

So this is a perfect storm hitting the hospitals, and there's actually never been a better time. If you're a ransomware syndicate and you want a fast payout, this would be the time to strike.

Speaker 1

06:53

Hey, Teresa, can I talk to you for a second? Look, I'm no stranger to inadvertently giving unscrupulous people new ways to prey on the vulnerable. This season alone, We've done stories on predatory nursing homes, PACE loan scams, and basically told you how to set up a fake religious health insurance company.

Speaker 1

07:08

This show could easily be called Getting Rich for Sociopaths with John Oliver. But I will say, at least I've never looked dead into a camera and told hackers, it's a great time to take down a hospital. Until, I guess, just now. What have you gotten me into here, Teresa?

Speaker 1

07:24

And to be fair to her, hackers don't need much encouragement. Last year, over 500 healthcare facilities were hit by ransomware attacks in the U.S. Alone. 1 of which was in Vermont, where clinicians were forced to turn away hundreds of cancer patients who needed treatment after they lost access to medical records.

Speaker 1

07:41

And the thing is, hackers don't necessarily have to work too hard to do this. About 85 percent of hospitals don't have a single qualified cybersecurity person on staff, which does feel like it's just asking for trouble. In fact, lax security is a problem across all industries. The Colonial Pipeline was compromised because an employee had used the same password across multiple services, and the company did not use multi-factor authentication.

Speaker 1

08:08

So, when that password was breached in an attack elsewhere, there was a direct way in. And when pressed on exactly what happened, Colonial's CEO wasn't particularly reassuring.

Speaker 10

08:19

In the case of this particular legacy VPN, it did only have single-factor authentication. It was a complicated password, so I want to be clear on that. It was not a Colonial123-type password.

Speaker 1

08:32

Well, hold on. Nobody said that it was. I don't know whose expectations you think you're meeting with that answer.

Speaker 1

08:39

The only people I'd even suspect of using Colonial123 as a password are the staff at Colonial Williamsburg. And that is only because aggressively sucking out cybersecurity would at least be historically accurate. And here's the thing, even organizations that are scrupulous about backing up data so that it can be easily recovered can still be vulnerable Because hackers are now not just encrypting data, they're also threatening to release files or personal information publicly. This happened to the D.C.

Speaker 1

09:08

Police recently, when hackers released the personal information of 22 officers. And a few years ago, HBO was hit too, with hackers demanding around 6000000 dollars or they'd leak unaired episodes of Game of Thrones, which to be honest, is a pretty weak threat. If HBO's gonna be publicly humiliated, it'll be by releasing the last season of Game of Thrones on its own terms. Thank you very much.

Speaker 1

09:30

And if having your data locked or leaked were not already scary enough, it actually gets worse. Because we're increasingly hooking physical objects in our lives up to the Internet. Things like TVs, refrigerators, and ovens. And they can be vulnerable to ransomware, too.

Speaker 1

09:45

Back in 2016, hackers made the first ever ransomware for smart thermostats, cranking the temperature to 99 degrees until the owner paid up. And last year, researchers found a vulnerability in an internet-enabled chastity cage. Basically, a high-tech penis prison that could be cock-locked until the person in junk jail paid up. And interestingly, the researchers who discovered that felt compelled to go public with it because of the next product that the company was about to release.

Speaker 4

10:12

Hi there. We're introducing you to Pear Flower Anal Plug. Compatible to various teals and leash, you need to select to be Key Master or Wearer.

Speaker 4

10:22

Wearer can add friends in the app and invite friends to be Key Master. This invited Key Master has right to give permission to Wearer for unlocking. Wearer cannot unlock without permission from Keymaster.

Speaker 1

10:34

Yeah. That product could essentially give the internet control over your anus, which doesn't seem great. Assholes are like opinions. Letting the internet be in charge of yours is a really bad idea.

Speaker 1

10:47

Now, incredibly, at this point, I legally have to tell you that that butt plug does come with a physical key for emergencies, which I'm not sure is completely reassuring. Keys do get lost, don't they? Just picture the last time you searched for your keys around your house and now, raise the stakes significantly. The point here is, the costs of ransomware keep getting higher, even as, crucially, the barrier to entry has gotten much lower, because the explosion in ransomware has basically been the result of 3 major developments.

Speaker 1

11:19

The first 1 is the emergence of something called Ransomware as a Service. Basically, hackers will develop ransomware programs and then sell them to anyone who might want to launch an attack and split the profits. What this means is basically anyone can launch an attack, even if they are not particularly tech-savvy. In fact, just watch as a cybersecurity expert walks through the features offered by 1 ransomware vendor.

Speaker 11

11:43

They actually provide you with basically a chat room where you can ask questions to the people who maintain this architecture for you.

Speaker 2

11:52

Frequently asked questions for criminals.

Speaker 11

11:54

Exactly.

Speaker 2

11:55

Tom Pace logged on to the site and used it to encrypt a network of his own.

Speaker 11

12:00

So all of the files that are on this system have now been successfully encrypted.

Speaker 2

12:05

So this took you just slightly over 5 minutes and you didn't write a single line

Speaker 11

12:12

of code. Correct.

Speaker 2

12:14

Off the shelf.

Speaker 11

12:15

Off the shelf. Ready to go.

Speaker 1

12:17

That is alarmingly easy. Ideally, no 1 would launch ransomware attacks, but my next preference would be that launching 1 should require significantly more work than simply clicking add ransomware to cart. If it's beginning to seem like ransomware is just a typical business but staffed by criminals, you're not entirely wrong.

Speaker 1

12:36

This can be a very professional enterprise with customer care for both the criminal who bought the ransomware product and the victim on the receiving end of it. 1 expert even said, honestly, I wish my Internet service provider had customer service the way these guys do, which does seem a little unfair, since ransomware hackers are criminals, and Internet service providers are fucking monsters. You can't hold them to the same standards. And for just a sense of the customer service that they offer for victims.

Speaker 1

13:03

Remember that grandmother from earlier? The people that hacked her were more than happy to help guide her through the process of payment.

Speaker 6

13:10

In their ransom note, the hackers wanted to be paid in Bitcoin, the largely untraceable digital currency, and have it put into their anonymous account. Ena had never heard of Bitcoin, but the hackers, in 1 of their many touches of what you might call customer service, provided all sorts of helpful facts and links and how-to guides about Bitcoin.

Speaker 1

13:30

It's true. They had to teach Ina how to use Bitcoin. And that is genuinely way more impressive than carrying out a ransomware attack.

Speaker 1

13:38

Think about it. If you had to teach your grandma to use cryptocurrency in order to make $500, Are you confident you'd walk out of there with $500? Let's say you had infinite time and infinite grandmas. You have to understand Bitcoin, and then you have to teach a grandma, any grandma, to use it.

Speaker 1

13:55

Are you seriously getting $500 out of that situation? Deep down, I think you know the answer to that. But the Bitcoin part of that story actually brings us to the second major driver of ransomware attacks, and that is the rise of cryptocurrencies. They have made it much easier to make money from ransomware, and much more difficult for law enforcement to recover payments, Because if ransoms were paid in wire transfers, companies could find a way to claw that money back.

Speaker 1

14:22

But with cryptocurrencies, it's nearly impossible to undo. And while the federal government actually did manage to recover some of the Bitcoin used in the colonial pipeline ransom, there are other cryptocurrencies designed to be even more anonymous. Take Monero, which in its ads, seems to be aware of just how attractive it is to criminals.

Speaker 12

14:41

There's no safe place to conduct private transactions. Well, there wasn't 1, until now. Meet Monero.

Speaker 12

14:49

Monero is a secure, private, untraceable currency. With Monero, you are your own bank. Only you control and are responsible for your funds. Monero is private.

Speaker 12

15:01

This means businesses can keep their suppliers in secret, as well as citizens escape government repressions and nosy neighbors are crooks.

Speaker 1

15:10

Oh, come on. There is a pretty clear subtext to what they're selling there. It's like seeing a cheerful ad for...

Speaker 1

15:19

This isn't for anything in particular. There's all sorts of human body-sized things that you can put into 1 of these sturdy tubs. Also, they're scream-proof. No matter how much sound something makes inside, You'll never hear it.

Speaker 1

15:30

Now, we're not telling you what to do with our product, though. We're simply leading you to a very specific conclusion. Although, interestingly, despite the fact hackers now have the ability to make their financial transactions in secret, it is not always that hard to figure out where exactly the money is going.

Speaker 7

15:47

This shows an alleged member of a Russian cyber gang known as Evil Corp. Showing off an expensive Lamborghini in a parking garage.

Speaker 1

15:55

-♪♪

Speaker 7

15:57

This is video of Evil Corp. Members allegedly doing donuts and obstructing traffic in downtown Moscow.

Speaker 5

16:03

Videos and photographs released by investigators show the alleged hackers living large, posing with arms full of cash...

Speaker 13

16:11

Oh, stop.

Speaker 5

16:11

...And showing off a pet lion cub.

Speaker 13

16:13

This is 32-year-old Maxim Yakubets with his Lamborghini Huracan and his personalized number plate, which in Russian, reads, thief. Wow!

Speaker 1

16:23

These guys are douches! It is bad enough to be sitting in a traffic jam watching some arsehole do donuts in the middle of the street without having to wonder if there is a lion cub throwing up in the car. Come on, guys.

Speaker 1

16:34

Leave lions out of this. If you absolutely have to have a weird animal, get a big snake. I could give 2 shits about a big snake's quality of life, and you could tell any big snake I said that. But there's actually a reason that those hackers felt so comfortable driving around with license plates that are basically an admission of guilt.

Speaker 1

16:51

And that brings us to the final factor increasing ransomware attacks. And that is countries providing safe havens. Because multiple governments, and Russia in particular, will look the other way for hackers so long as they do their work outside of their borders. Cyber security experts say the don't work in dot RU stricture has become an unwritten rule in the Russian-speaking hacking community to avoid entanglements with Russian law enforcement.

Speaker 1

17:17

Basically, Russian hackers know, as long as they don't make trouble at home, they won't be punished for what they do abroad. And when you put all of this together, with cybercriminals able to buy ransomware off the shelf, get paid in a currency that's hard to trace, and work free from state interference, is it any wonder we have such a massive problem on our hands? Which brings us to the key question here, what can we do about all this? Well, here's a terrible idea.

Speaker 14

17:44

We ought to pass a law immediately that makes this kind of hacking subject to a death penalty. And the law should include a provision that the president, through a judicial process, should be able to order the killing of anybody overseas who's doing this.

Speaker 1

18:01

Wow. That is both incredibly harsh and also endearingly naive, because I hate to break it to Newt, but America doesn't exactly concern itself with a judicial process to kill people overseas. We very much take the Santa Claus approach. See them when they're sleeping, know when they're awake, make a list of who's been bad or good, and then kill some bad ones and whichever good ones happen to be around them.

Speaker 1

18:23

You know, for goodness sake. So that is 1 extreme way to handle this. The current administration, however, has so far taken a different tack. In the wake of the colonial hack, this was the message that they were publicly sending.

Speaker 15

18:35

We recognize that victims of cyber attacks often face a very difficult situation, and they have to just balance, often, the cost-benefit when they have no choice with regard to paying a ransom. Colonial is a private company and will defer information regarding their decision on paying a ransom to them.

Speaker 1

18:52

Okay, so you'd like them to pay the ransom then. You'd like the gas back, and the easiest way to get the gas back is to pay the ransom, so you'd like them to pay the ransom. It's a pretty strong hint there.

Speaker 1

19:01

And you also get the feeling if that hint doesn't work, Joe Biden's just gonna take their computer and pay for them. If that Russian grandma can figure out how to use Bitcoin, there is a 30 percent chance that Joe can too. But there has to be a middle ground between just kill them and just pay them. Because most punishments, and this is true, fall somewhere between death sentence and a cash reward.

Speaker 1

19:23

And the problem is, the more we pay, the more these kind of attacks will be encouraged and the more well-funded they'll end up being. So, so much more needs to be done here. And I will say, on the government level, there are some encouraging signs. The Justice Department recently formed a task force to curtail the proliferation of ransomware attacks.

Speaker 1

19:42

It does feel a little late to be forming a task force like that, but it's definitely better than never. Also, the infrastructure bill includes a billion dollars for improving the cybersecurity of local governments. But the thing is, it's not just up to the government to take cybersecurity a lot more seriously. Companies and private individuals have to step up too.

Speaker 1

20:02

And there are some basic things that we should all absolutely be doing here. First, set up multi-factor authentication. Seriously, do it right now. Second, keep your computers up to date, and also, don't click on suspicious emails.

Speaker 1

20:16

Now, I know that those measures sound small when we're facing something so terrifying, but in a world where most people's doors are unlocked and wide open, just locking your door might be something of a deterrent here. The fact is, It is in everyone's interest to get this under control, because right now, it really, really isn't. To the point that it may well be time for a new ad campaign to drill home just how vulnerable we all are. -♪ ♪ -♪ ♪

Speaker 16

20:44

Have you ever lost access to your medical records?

Speaker 4

20:47

What the fuck?

Speaker 16

20:48

Or had to work out how to make a Bitcoin transfer just so you can see photos of your grandchildren again? Or send a fax from the beach? Like, what, to do some kind of beach business?

Speaker 16

21:00

Have you ever opened your laptop to see a clown's face demanding $300,000?

Speaker 4

21:06

You know what? All right. What the fuck is going on?

Speaker 4

21:08

What's happening?

Speaker 16

21:09

Or had your butt plug unexpectedly taken over by Ukrainian hackers?

Speaker 2

21:13

Oh, no. You will. No.

Speaker 2

21:16

Not that.

Speaker 16

21:18

Unless, that is, we all start taking the issue of ransomware a lot more seriously. So please, use two-factor authentication to secure all your medical records, e-mails, and buttplugs.

Speaker 5

21:32

Hi, tech support?

Speaker 16

21:33

Especially those buttplugs.

Speaker 5

21:35

It is happening again.

Speaker 16

21:38

Because if you think you can ignore this problem and won't ever be the victim of ransomware, trust us.

Speaker 1

21:45

You will. Oh, yeah. You