Key Takeaways From the Colonial Pipeline

*CORRECTED
[music]
Brian Lehrer: It's the Brian Lehrer Show on WNYC. Good morning again, everyone. Last month President Biden signed an executive order to improve our nation's cybersecurity, but you may have seen the more recent headlines circulating about ransomware attacks targeting key players in the US economy. From hospitals, to whole police departments, to meat, to gasoline. These are major targets that affect us all, and it's a global problem. Unlike before, it seems the companies are actually paying the ransom to free their data, rather than putting up a fight, and the demands are only getting bigger as a result.
Yet, in the case of one recent attack, maybe you saw that in the news just in the last day. The United States Justice Department says it was able to recover the Bitcoin that was paid as ransom to the attackers, but wait, doesn't that defeat the purpose of Bitcoin? Wasn't it supposed to be more secure? My guest has been following this all closely. Joining us to explain what is going on is Nicole Perlroth, cybersecurity and digital espionage reporter for The New York Times, and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
Hi, Nicole. Thanks for coming on. Welcome back to WNYC.
Nicole Perlroth: Thanks for having me, Brian.
Brian Lehrer: Is that actually the name of your beat now, digital espionage reporter?
Nicole Perlroth: Yes, I added it since we last spoke because basically, I've spent the last five years moving from the business of cybersecurity to tracking down nation state threats on every piece of our digital economy.
Brian Lehrer: Well, good. It must be a fascinating beat, and you can also help explain right at the outset here to a lot of people who still don't get it, because it's a new concept to a lot of folks. What is a ransomware attack?
Nicole Perlroth: A ransomware attack is an attack where a hacker or even sometimes a nation state will infect your computer with malware, and that malware is designed to do one thing. It's designed to encrypt all of your data, and to flash a ransom note on your screen. Those ransom notes will just say, "Hi, we're so and so, and we have locked up your data, and we demand this amount of Bitcoin to get it back." Usually it'll say, "If you don't pay up by this date, we'll increase the amount of ransom you need to pay to get your data back." More recently, there's been a twist where cyber criminals will say, "Not only are we holding your data hostage, but we'll actually dump it all online, if you don't pay our ransom."
Ten years ago, when I first covered ransomware at the New York Times, usually it was $100 or $200 in fines. They would say, "Go buy a prepaid debit card at this drugstore, and give us the pin and that's how we'll recoup your ransom." Fast Forward 10 years later, because cryptocurrency has taken off, things like Bitcoin and other digital currencies, they can just say, "Pay us this much in Bitcoin," and it makes things a lot easier for them.
The other thing that's happened is these ransom demands have gone up from something like $200 for taking over one person's computer, to $50 million to unlock data across your entire enterprise. Whether it's a meat processing plant, or Colonial Pipeline, the company that services half the jet fuel and diesel and gas to the East Coast.
Brian Lehrer: Because technology now allows them to disrupt operations, so much more sweepingly not just steal data?
Nicole Perlroth: It's a little more complicated than that. Basically, the idea is that we've automated our lives and our critical infrastructure so much that the gap between what is an operation that could be disrupted, and what is on your email and your billing systems, is really murky these days. At Colonial Pipeline, for example, the ransomware held up their email systems and their billing systems. It didn't actually hold up the pipeline, but because the company couldn't get any billing data off of the pipeline, it couldn't charge customers downstream. It took the preemptive step of shutting down the pipeline, and that's why you saw so much panic buying at the pump, and gas prices surge, and nonstop flights grounded for jet fuel stops and that kind of thing.
Brian Lehrer: I didn't realize that aspect of it. You're telling me that Colonial Pipeline basically shut down gasoline to America, rather than have to give any away for free for a little while.
Nicole Perlroth: That's exactly right. This is a very old story of a business that didn't want to operate for free.
Brian Lehrer: Listeners, if you have questions about ransomware attacks, or the role of Bitcoin or anything else, Nicole Perlroth from The New York Times is the person to ask as the cybersecurity and digital espionage reporter and author of the book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. 646-435-7280, 646-435-7280, or tweet a question @BrianLehrer.
How did the Justice Department bust the bad guys and actually recover the money in this latest case?
Nicole Perlroth: This is really interesting, and this is really a big mystery to a lot of people. The Justice Department and the FBI came out on Monday, and they said that they had seized some of the ransom that Colonial Pipeline paid to a ransomware group we know to be in Russia called DarkSide. Since Monday, the price of Bitcoin has actually tanked quite a bit. It's gone down about 10%, although I haven't checked it this morning.
The reason it's gone down is because all of these people are thinking, "Does this mean that cryptocurrency is not as secure as we thought? If a government can go into your Bitcoin wallet and take out your funds, doesn't this go against everything we believed about cryptocurrency?" Namely that, it was free from government authorities and regulations, and it's pretty nuanced.
Here's what happened. Bitcoin was initially developed as a way to make transactions outside the traditional financial system, with each payment recorded in a permanent, fixed ledger called the blockchain. The blockchain ensures it's completed securely, and criminals have gravitated to it because they believe they could conduct business without revealing their names or locations. It's become just as popular with ransomware groups and cybercriminals as it has with these contrarian libertarians and FinTech pioneers, and that kind of thing.
The thing that people don't realize is that the same properties that make Bitcoin attractive to cyber criminals, which is basically the ability to transfer money instantaneously without a bank's permission, can also be leveraged by law enforcement to follow the money. Only, they can follow the money at the speed of the internet. When you think about how law enforcement has tracked money laundering in the past, they have to track it across various bank accounts, perhaps different shell companies, and that can take a lot of grunt work, a lot of police work, and it can take years. On the blockchain, they can actually follow it using computer algorithms, and they can do it much quicker than they would with fiat currency.
In this case, the FBI used some software that traced the flow of Colonial Pipeline's ransom payout. Actually, we learned that Colonial told the FBI it was planning to pay this ransom, so they knew from the beginning which Bitcoin wallet it was going into. It was immediately moved into DarkSide's Bitcoin wallet, and then from there, it was moved into a subsequent wallet. Then the FBI was able to trace it through a series of 23 different wallets.
The mystery is, how did they get the Bitcoin out of the wallet in the end, and we don't know the answer to that question. I think it has nothing to do with any vulnerability in the blockchain or Bitcoin, I think it has to do with some old fashioned police work.
The various scenarios are this. They could have hacked into the computer belonging to a cyber criminal that contained the private keys to this wallet. They could have hacked the cybercriminal's password to their computer, used that password to get their private keys, and gotten in that way. They could have gone to a cryptocurrency exchange that holds people's private keys to their wallets for them as a service and showed up with a search warrant, or they could have had some kind of human asset, some undercover agent, basically pretending to be DarkSide but handing the government all the information it would need to access these private keys. That's where the mystery lies.
We believe that this has nothing to actually do with any vulnerability in blockchain or Bitcoin or cryptocurrencies. Actually, what we're learning is that Bitcoin and cryptocurrency has been a blessing and a curse for governments. A curse because cybercriminals have used it as an accelerant for ransomware. They went from the prepaid debit cards to demanding $50 million in Bitcoin for their ransoms. At the same time, this allows law enforcement to really trace the movement of these ransom payouts at the speed of the internet.
Brian Lehrer: Fascinating. Daniel in the Bronx has a relevant follow-up question. Daniel, you're on WNYC. Hello.
Daniel: Hey, thank you so much for taking my call. I'm an avid listener of your show, and I follow crypto all the time. My question is since crypto has been very volatile in the past few years, how does an event like this affect the economy and affect the crypto's volatility moving forward? Thank you for taking my call.
Brian Lehrer: Thank you for making it, Daniel. Nicole?
Nicole Perlroth: Thanks, Daniel. This gets to the fact that confidence in Bitcoin and cryptocurrency has slipped over the two days since this announcement was made because everyone's wondering, "How did they do this? Does this mean Bitcoin doesn't live up to the promise we thought it did?" Namely, that it was a way to transact money outside the traditional financial system, beyond the reach of individual governments.
The answer is, it's still what you thought it was. This is still blockchain technology. There's nothing wrong with the blockchain technology that would allow governments to do this. It's just that having this public ledger allows law enforcement and police departments to do what they've always done, which is follow the money. They're just doing it in a much faster way.
Now, it does come down to how you're protecting the private keys to your Bitcoin wallet. If you're storing them on your computer, then law enforcement still has the ability with search warrants to hack your computer and get those private keys off your computer. Also, I should mention, this is not the first time that law enforcement has seized Bitcoin wallets used by cybercriminals. In February, the Justice Department said it actually got in warrants to seize nearly $2 million in cryptocurrencies from North Korean hackers who'd stolen it and put it into accounts at two different cryptocurrency exchanges.
I think even in August, the Justice Department unsealed a complaint that showed that they had tracked North Korean hackers, who'd stolen $28 million off of a cryptocurrency exchange and routed it through something like 280 different cryptocurrency wallets. The thing you have to remember is, this doesn't expose any vulnerability in the blockchain itself or in the way that that works. What it does expose is that Bitcoin and cryptocurrencies have the same cybersecurity challenges for individual wallet holders as everything else does.
If you're transacting in Bitcoin, you really need to make sure you're protecting your private keys and those private keys can be accessible to law enforcement or other cybercriminals if they know how to hack your computer, or if they show up to one of these services that hold your private keys with a search warrant.
Brian Lehrer: We're still bringing a lot of people along whenever we talk about Bitcoin and the blockchain. Can you just define the term blockchain so that more people get what that context is for how Bitcoin and where Bitcoin and other cryptocurrencies are traded?
Nicole Perlroth: Yes and you know what, I'm also still trying to follow along [laughs] with what blockchain is, so I really empathize with your readers-
Brian Lehrer: The last honest person, go ahead.
Nicole Perlroth: Yes. Bitcoin is this cryptocurrency that any transaction is recorded in a public ledger called a blockchain. What that means is all of those transactions are out in the open, in full view. This ledger, this blockchain can be viewed by anyone else on the blockchain or on a myriad number of websites, I think it's called blockchain.com, that trace every transaction. Bitcoin holders basically have a string of numbers and letters known as a public key for transacting with others, as well as a private key that keeps their account secure.
Tracking down one Bitcoin holder's transaction history is easy. It's just a matter of figuring out, what their public key is and then seeing every transaction that they've made, but seizing their assets requires that someone gets their private key, which is more difficult. How federal agents were able to get DarkSide's private key this week is still a mystery.
Brian Lehrer: Sharon in Bushwick, you're on WNYC with Nicole Perlroth from The New York Times. Hi, Sharon.
Sharon: Hi, thank you for taking my call. Hope you both are well. I would like to know how a citizen like myself can protect myself from hijackers. What can I do to make sure that this doesn't happen to me, and if it does, does the government work as diligently to help me recover stuff like they did with big organizations?
Brian Lehrer: Sharon, thank you very much. Let me back that question up one step. Who should be afraid of a ransomware attack in the first place? Would it only be big companies like Colonial Pipeline or might we as individuals have our bank accounts with let's say relatively modest means hacked for ransomware and have to pay it over to somebody?
Nicole Perlroth: Everyone is vulnerable to ransomware attacks, period. The reason you are seeing ransomware groups come for these large multinational corporations is because those corporations have the ability and the insurance coverage really to pay tens of millions of dollars in ransom payouts. It's no longer worth it to ransomware criminals to go after you, the individual computer user in New York. That's why we're seeing so many of these big businesses, entire cities, hospitals, universities held hostage right now.
Now, the best way for you to protect yourself from these attacks is to do all of the things that cybersecurity experts have told all of us to do for years. The number one thing you can do is assume that all of your passwords have been stolen. Constantly change your passwords. Use different passwords for different websites. You can go to a website called *Have I Been Pwned (https://haveibeenpwned.com/). You can enter your email address, and it'll show you all of the businesses that have been breached and where your password might have been stolen from.
All of those passwords are available on the dark web for sale to ransomware groups and other cybercriminals. The best thing you can do is protect your passwords and the best way to do that is come up with different long passwords for different sites. I'm very vigilant about my passwords for my email, for my work accounts, for my bank account, and my PayPal account. Others, I can be a little less vigilant about, but I use different passwords, that's the number one thing.
The second thing you can do as a backstop is, turn on two-factor authentication right now, wherever it's available. That is that system where if you enter your password to a website that you haven't logged into for a while, or you're logging in from a strange unrecognized device, it won't let you in. It'll send your phone a second password or a code that you need to type in to get into your account and that will actually knock out about 80% of the threats you face.
There are other things too, like don't click on phishing emails. Don't automatically click on a link or attachment in an email. Don't hand over information to retailers that you don't need to give them, like your email address. For the most part, watch your passwords, [chuckles] watch your back, turn on two-factor authentication, and you will be better off than about 80% of the people and businesses out there.
Brian Lehrer: Such great advice. Shawn in Maplewood, you're on WNYC. Hi, Shawn.
Shawn: Hi, Brian. Thanks. Just to add on to what Nicole just said about clicking on links, because it is the link clicking that has gotten people into trouble. I wanted to share with everybody this one acronym that will be easy to remember and will help guide you to not click on bad links, and the acronym is EMAIL: Examine Message And Inspect Link. If you do that-
Nicole Perlroth: I love it.
Shawn: Yes, it's a framework for like, "What's this crazy email I got? What's up? What is the message really saying? Would they really be emailing me?" Hover over the link, "Wait, that link isn't going to chase.com, it's going to blah blah blah.ru or something."
Anyway, I just wanted to offer that as a little framework for your listeners. I wanted to ask Nicole about something that seemed to be fairly common in the news recently, where I think it was Robert Rice on Facebook, I saw the other day said, "Well, what we need to do," and I agree with almost everything Robert Rice says, but I didn't agree with this one, "Maybe we just need to ban Bitcoin." I think that it is actually impossible to ban Bitcoin.
My own experience, I threw a couple thousand dollars into Bitcoin in 2016, on the advice of a friend, and then became so obsessed with 2016 to 2020, and you know what I'm talking about there, that I never even looked at my account or anything. I finally looked at it back in February, and it's like my $2,000 had turned into $19,000. Then I said, "Okay, I'm going to learn something about Bitcoin." Since February, I've read like eight books on Bitcoin. I've listened to a ton of podcasts. It's a really strange, interesting world, but here's my question.
Brian Lehrer: It's also gone down by 50% since then, right?
Shawn: That's true. Right. That $19,000 is probably more like $10,000, or something like that. It definitely has gone down, but if you look at the historical rise of the price from the beginning, it's still pretty amazing. Anyway, here's the thing that I've learned about, or at least I think is true, and I want to hear what Nicole says. That is that I don't think you could actually ban Bitcoin, because it is an inorganic life form that exists on the internet. There is no CEO of Bitcoin. There's no CEO headquarters. There are no articles of incorporation. It's this decentralized thing. As long as the internet is pumping out data and is alive, I think Bitcoin will be alive too. I want to ask Nicole, could Bitcoin literally be banned?
Nicole Perlroth: I'm with you and I also sympathize after covering so many ransomware attacks, my knee-jerk reaction is, let's get rid of Bitcoin. Let's get rid of the blockchain. This is too much. [chuckles] We can't stomach anything else. Let's get rid of it. I think you're right. I think it's too late for that. I think you're right. It is a decentralized form of transacting currency, and it's almost like the internet. No one has a patent on the internet. No one owns the internet. We're left to deal with the internet. It's a crucial part of our lives at this point. I think blockchain and Bitcoin are headed that way.
That said, there are a lot of people who flock to Bitcoin and the blockchain to do illicit activities. What do we do? Well, we don't ban any new technology that comes out because of the risk, but we do put the hammer down with regulation and law enforcement when it's used for nefarious purposes. In this case, ransomware is not the Achilles heel for Bitcoin proper, but I do think it could be the Achilles heel for a lot of these cryptocurrency exchanges that haven't bothered to follow know thy customer laws. I think we're going to see a lot of regulation come down there that requires these cryptocurrency exchanges to know their customers, so that if someone is using the blockchain and using Bitcoin for illicit activities, like human trafficking, and drug trafficking, and ransomware, it'll be really easy for law enforcement to catch them.
Brian Lehrer: This story is not going away, and as you can hear, it has so many tentacles into our lives in so many ways. Nicole, you're just going to have to come in every week for the next two years, and we'll follow this.
Nicole Perlroth: [chuckles] It sounds like I'm going to have to go read eight books on Bitcoin and blockchain technology and listen to all the podcasts.
Brian Lehrer: Right. It sounds like the last caller did, but once he started to read up on it, it went down by 50%, so I don't know. Nicole Perlroth is cybersecurity and digital espionage reporter for The New York Times and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Thanks so much.
Nicole Perlroth: Thank you so much, Brian.
Copyright © 2021 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.
New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.