Intel Security Scares Ransomware Script Kiddie Out of Business

tdog17 writes: A criminal coder wrote a kit for ransomware that made it easy for others to encrypt victims' hard drives and then extort money from them in order to get the decryption keys. But when Intel Security wrote about the kit — called Tox — the author got cold feet. Now he or she is trying to sell the whole business. “Plan A was to stay quiet and hidden. It's been funny, I felt alive, more than ever, but I don't want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I'm not a team of hard core hackers. I’m just a teenager student,” the coder wrote on the Tox malware site.

Re:

[Anonymous Coward]

It wouldn't be surprising. A first year student could write a program to open all the files on a filesystem, encrypt them and write them out. Nothing about what the software does is particularly hard or technically complex, it's just a "good" idea that he made into a distributable form for money.

Re:

[gweihir]

Well, a criminal one. And stupid. Sounds pretty much like a student, does it not?

Isnt' that beyond Script Kiddie?

[damn_registrars]

I thought Script Kiddies were defined as being people who ran scripts they downloaded off the internet that were already made for their purposes. The summary suggests this person wrote their own software. You could claim it is derived from other software, or perhaps even just a pipelined bundle of existing software, but it still sounds like it is a bit beyond just running a script.

Re:

[rebelwarlock]

I guess you'd call this person a script kiddie enabler? Supplier, maybe?

Re:

[JazzXP]

Dealer... psst, kid, wanna buy some scripts...

Re:Isnt' that beyond Script Kiddie?

[Aristos Mazer]

I think the term would be "script daddy", yes?

Re:

[operagost]

He's a kiddie scripter.

Re:

[Anonymous Coward]

In the "oh look, wroted a program!" sense, arguable if you can establish that he's done original work. In the "knows what he's doing" sense, not so much. Just look at what he's doing: A me-too (aol! aol! aol!) enterprise with plenty of juvenile self-entitlement. "I don't want to be a criminal" is a line he crossed well before McAfee^Wintel security wrote about it. He didn't have to write it and when he did anyway he didn't have to release it and demand ransom for other people's data, much less offer what he

Re:Isnt' that beyond Script Kiddie?

[Anonymous Coward]

Script Kiddie means (or used to mean) someone that runs scripts they cut and pasted from somewhere without an understanding of how they work or the underlying security mechanism they exploit. Someone else did ALL or most of the work for them, they are just using it for hacking, cracking, or for fun.

Tech people like to overuse the term script kiddie. Why? No idea. Maybe they are afraid to admit that a teenager in high school is capable of writing his/her own code that can take down a lot of systems so they down play the impact or imply anyone could have did it but the only the "script kiddie" actually did.

No Sympathy

[Anonymous Coward]

Get rich quick scheme didn't work out and now that they've been caught, they don't want to face the consequences.

Re:No Sympathy

[Anonymous Coward]

And yet trying to sell the business, not abandon it.

Re:No Sympathy

[Billly Gates]

Get rich quick scheme didn't work out and now that they've been caught, they don't want to face the consequences.

Besides all the rants and angry cries about H1B1 Visas the market for any skilled coders IS HOT!

If you have any coding experience you can make $65,000 tomorrow! Sometimes without a college degree. Add 5 years and more buzzwords to your resume and a degree and you can start pulling close to 6 figures easily if your skills are up to the challenge.

So why take that risk? It is the argument that most drug dealers make less than minimum wage and live with their momma according to Freakeconomics. Seriously, it is the only hope to get ahead by taking that risk if that is all you know. But if you know how to break into systems, corporate security, coding, encryption, networking then you have the skills to get rich by working which is 0 risk.

I do not understand why someone would do this? Those that write these scare encyption malware are Russians who make much less than a western programmer.

Re: No Sympathy

[BlueTrin]

For some people 6 figures ain't enough ... With 6 figures you will still have to work 20 years for your mortgage ?

Re:

[Anonymous Coward]

I make less than that, have a 20 yr mortgage on a $300k house, two cars, have three kids, wife is a stay-at-home mom. Will have it all paid off in less than 15 years, all while putting money away for college and retirement. It's called financial discipline and living within my means.

Re:

[ComputerGeek01]

For some people 6 figures ain't enough ... With 6 figures you will still have to work 20 years for your mortgage ?

Yes, this is why we call it a 20 year loan... Loans are not like credit card debt, there is no actual reason to pay them off before they are due. This idea of "living debt free" is just some idiot idea that gets spread around from people who A.) Don't understand the concept of liquid assets (which your credit most certainly is) or how to manage them or B.) are pathological fuck-ups and even though they appear to have things in hand at the moment, they know that eventually they are going to default on everyt

Re:

[Anonymous Coward]

The Global Financial Crisis has been pretty awesome, actually. Interest rates are rock bottom. I'm actually buying a new house that I'll be able to make a tidy profit on in a few years once it has been fixed up a little.

Oh, you mean the people who couldn't do math and let someone else tell them that they could afford something that simple math skills could have told them they could not afford? Yeah. Sucks to be them. Learn math and basic budgeting. Stop blaming the banks. Everyone always assumes the

Re:

[ChrisMaple]

A mortgage is secured by your house. Fail to pay, lose your house. Credit cards are unsecured, and it's much more difficult for the lender to get its money back.

Re:

[ComputerGeek01]

...the fact that you can't continue borrowing on a loan.

That is the exact fact that I was referring to. It's a lot more significant than you seem to think.

Re:

[azcoyote]

It's easy to think that poverty or other disadvantages are the only things that lead people to steal from others, but that simply is not the case. (After all, how many wealthy businessmen still embezzle and exploit others?) Human beings are easily enticed by the dream of getting rich quickly, not to mention the mystique of succeeding in something that is forbidden. Even if all of us are not tempted in exactly the same way, all of us are tempted. Poverty simply makes it even easier to give in to the temptati

Re:

[tnk1]

Many of the poor are some of the most honest people out there. Obviously, some have troubles that cause them to steal, but I'm just as afraid of some asshole in Washington stealing my money as I would be of a burglar. At least being burglarized has been a rare event in my life, I'm getting ripped off in taxes on every paycheck.

Re:

[TheCarp]

> So why take that risk? It is the argument that most drug dealers make less than minimum wage
> and live with their momma according to Freakeconomics.

This. also, most drug dealers I don't think see themselves as criminals. I mean when your supposed victim calls you up, drives over to you, and hands you money, its hard to call him a victim, especially when he is buying from you the same stuff you use yourself. Shit, drug dealers are probably some of the most honest salesmen out there, they actually bel

Re:

[slew]

I do not understand why someone would do this? Those that write these scare encyption malware are Russians who make much less than a western programmer.

Apparently you do not understand the role that terrorists and anarchists play in the political equation. They generally don't do this for money, they do this to further their agenda. In the case of the typical teenage anarchist, their agenda is to prove they are smarter than the "man".

Not everything is done for money.

Re:

[TheDarkMaster]

Simply kill the piece of shit, no questions asked.

Saturday Night Specials

[Anonymous Coward]

I used to build lots and lots of Saturday Night Specials and dozens of people died. It's been funny, I felt alive, more than ever, but I don't want to be a criminal. The situation is also getting too hot for me to "handle", as somebody from the police did notice all those dead people, and the way they were murdered. I'd like to sell my completely legitimate business plan now, ok?

Worst analogy ever

[foreverdisillusioned]

+4 Insightful? Seriously, do you people even know what a Saturday Night Special is? It's a gun that poor people can afford. That's all. I'm not sure exactly what the AC was trying to imply, it's not some kind of bizarre black market chopper thing, nor have they ever been especially popular with criminals.

Re:

[operagost]

Well, you'll have to excuse anyone under 40 for having grown up in a world where it's settled that inexpensive handguns were outlawed because they were being used mostly by criminals, though in reality they were in the hands of poor urbanites. It made the ruling elite nervous that large numbers of their subjects were mad as hell and not going to take it anymore, so they created the narrative that gun dealers were cranking out cheap guns for murderers, robbers, and drug dealers. This allowed them to create

Re:

[Megol]

No they were outlawed because (for some models) it was almost as dangerous to be holding the cheap gun as being in front of it.
Seriously - some were made in poor quality zinc alloys for critical parts! Not that good quality control on the zinc alloy would have helped much...

Re:

[cwsumner]

No they were outlawed because (for some models) it was almost as dangerous to be holding the cheap gun as being in front of it.
Seriously - some were made in poor quality zinc alloys for critical parts! Not that good quality control on the zinc alloy would have helped much...

For "zip guns" made out of water pipe, maybe so.

But for inexpensive guns made for self-defense by low-income people? They work fine, as long as you don't try to fire them every day.

Some of those guns are still around. And are well known to gunsmiths. Some better than others, but they did their job.
The stories of dangerous designs was "propaganda" to justify banning them, using "a little bit of truth" from the actual water-pipe zip-guns.

Re:Saturday Night Specials

[AmiMoJo]

Incredibly a captured ISIS fighter was on the radio making pretty much that exact argument just yesterday (BBC Radio 4 PM programme IIRC).

He claimed that he joined ISIS for the money as someone who planned and helped execute suicide bombings. He said he had been involved in 8 such bombings, but wasn't a murderer and would never kill anyone. It was the suicide bombers killing people. Therefore he shouldn't be punished too harshly. Seriously.

Re:

[FireFury03]

Incredibly a captured ISIS fighter was on the radio making pretty much that exact argument just yesterday (BBC Radio 4 PM programme IIRC).

He claimed that he joined ISIS for the money as someone who planned and helped execute suicide bombings. He said he had been involved in 8 such bombings, but wasn't a murderer and would never kill anyone. It was the suicide bombers killing people. Therefore he shouldn't be punished too harshly. Seriously.

That argument seems to work fine for government/military officials

Re:

[140Mandak262Jamuna]

It is not a crime to help people build their own firearms or assist them in evading tracking by federal and local police. The current law is, every US citizen has the right to unlimited number of untrackable weapons, they have no obligation to assist or help any government agencies in any crime involving any fire arm.

If some regulation or a law or some enforcement of any law would help the agencies find lots of criminals and solve lots of crime, but for every thousand crime solved, one law abiding citizen

Re:

[drinkypoo]

It is not a crime to help people build their own firearms or assist them in evading tracking by federal and local police.

So how much of the work does the eventual owner have to do on the firearm? If you want to register a kit car as a custom vehicle you have to have put a certain number of hours into it, as I recall, or maybe a percentage of the total hours.

Re:

[Kilroy_here]

So how much of the work does the eventual owner have to do on the firearm? If you want to register a kit car as a custom vehicle you have to have put a certain number of hours into it, as I recall, or maybe a percentage of the total hours.

The part that gets the serial number from the manufacturer is considered the firearm. In the case of an AR style rifle this would be the lower receiver, For a 1911 handgun this would be the frame. As to how much work has to be done .. 20% or more. This is why many companies will sell 80% complete parts along with the jigs and drills / mills to complete them. So for an AR the upper receiver, stock, buffer tube, trigger group, bolt carrier group etc can all be purchased complete and as long as you do the 20%

Oh I didnt want to be a criminal

[Osgeld]

I just engaged in criminal conspiracy

what a twatwaffle

Re:

[penguinoid]

What, you think you aren't also a criminal?

Re:Oh I didnt want to be a criminal

[Oligonicella]

There's certainly a moral and ethical difference in engaging in it purposefully as opposed to breaking some obscure laws.

Re:

[penguinoid]

Well he didn't say he didn't want to be immoral and unethical. Just that he didn't want to be a criminal. Like an investment banker.

Dear Pukeface

[fnj]

You don't want to be a criminal? Well, you ARE one, dearie. Should have thought of that. I hope you spend your entire life behind bars. It will give you time to think about your fail.

Re:

[Livius]

If they are a minor, they can be treated as such according to the criminal law of their jurisdiction -- after they identify themselves to law enforcement and provide proof of age. Until then I'm not buying it.

Re:Dear Pukeface

[Anonymous Coward]

Writing ransomware is not "facilitating" it, it's writing it.

Oh yes, please tell me about all the other "legitimate uses" this software has.

"No, officer, I wasn't planning to burgle anyone, I always walk through this neighbourhood at 2am wearing a balaclava and carrying a crowbar and a large duffel bag."

Re:

[ChrisMaple]

"Fail" is a verb. The word you need is "failure".

Re:

[Toad-san]

Dear FBI:

1 - Buy.
2 - Identify
3 - Arrest
4 - Prosecute

Re:

[moeinvt]

You think he should get LIFE in prison for complicity in encrypting some data and demanding a fraction of the payment extorted for the encryption keys? Seriously? There are rapists and murderers who get off with lighter sentences than that. There are Wall St. executives who have done far more (like 10E8 times more) financial harm and have never even been investigated, let alone prosecuted.

Ridiculously disproportionate sentences are a contributing factor in the insanely large USA prison population. He sh

Re:

[bill_mcgonigle]

You don't want to be a criminal? Well, you ARE one, dearie. Should have thought of that. I hope you spend your entire life behind bars. It will give you time to think about your fail.

So are you. [amazon.com] Assuming you're a non-hypocritical law-abiding citizen, please do the right thing and turn yourself in for Federal incarceration (and don't drop the soap).

If you need help identifying a felony for which you ought to confess, please respond here and we'll be happy to help.

Why believe this?

[Antique Geekmeister]

Is there any reason to believe this criminal about anything, especially the claim that they're getting out of the business?

Re:

[sumdumass]

There is a way to find out. Have law enforcement purchase the business and use said purchase as rvidence for his prosecution. He'd be out of business pretty quickly.

Re:

[gweihir]

You mean like believing the government? Or the press? Or any corporate statement?

Just partner with Sourceforge

[penguinoid]

Partner with sourceforge, make it part of the EULA. "Not responsible for any damage caused by using this software, including possible loss of data."

Re:Just partner with Sourceforge

[mwvdlee]

And what do you think SourceForge would do with the scripts?
Hijack the most popular projects and bundle them with malware?
Oh wait...

writing a kit

[CreamyG31337]

Is not a criminal act

Re:

[The Rizz]

When it is done for the express purpose of facilitating a criminal act, with no realistic non-criminal applications, yes it is.

Re:

[EEPROMS]

Knowingly assisting a person or persons in any way to commit a criminal act is illegal, his software has no legal function so he can't even plea his case when caught.

Re:

[ChrisMaple]

Non sequitur

The intent of building a road is that it be available for innocent use. Generally, for an act to be a crime requires criminal intent.

Re:

[ChrisMaple]

If you think females can't be sophisticated thieves, you've never heard of divorce.

Re:

[TCM]

Let me guess: Good American Christian?

Re:

[gweihir]

Let me guess: Good American Christian?

From the amount of hate and violence, probably. Makes one wish Christians were actually right about how the world works, as this person would spend an eternity in hell.

Not much sympathy

[Anonymous Coward]

I almost had a bit of sympathy there. A kid realising he's done wrong, wanting to get out of the business. Except that if he actually realised he'd done wrong the appropriate course of action would just be to destroy the software, remove the online presence he uses to sell it and generally just grow the hell up. Instead he's just trying to sell it on so that other people can use it.

The only trace of sympathy I have is if he's done this in America, which locks up a greater proportion of its citizens than pretty much any other nation on earth, often for excessively long periods, and with minimal realistic chance of rehabilitation.

He'll release the keys...

[Viol8]

"If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked.â

Oh , how heart warmingly magnanimous of you! I can see how contrite and sorry you are about what you've done... well apart from still wanting some money for the DB.

Tell you what you sorry little turd, how about you release them anyway and give these poor people their data back? @rsehole.

Re:

[Anonymous Coward]

And their money.

Re:

[Registered Coward v2]

"If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked.â

Oh , how heart warmingly magnanimous of you! I can see how contrite and sorry you are about what you've done... well apart from still wanting some money for the DB.

Tell you what you sorry little turd, how about you release them anyway and give these poor people their data back? @rsehole.

In addition, he's said "I am part of a criminal conspiracy and am will to sell the tools I used as part of this conspiracy. Oh, BTW, I also probably violated money laundering and income tax laws as well. That part where I deleted files related to the conspiracy? That's not obstruction of justice is it? Also, please believe me I never infected any computers while testing it so I didn't violate and computer crime laws." When he sells it he'll probably ask the buyer to verify he or she is not in law enforcemen

Re:

[Anonymous Coward]

I wonder how quickly he would release that database if it was discovered that one of the victims is a crime boss in some syndicate somewhere... Bet the tune would change very, very fast... They definitely don't care if you are a minor, doing it for a lark, or just trying to make a few bucks...

Dear Criminal Coder:

[DiEx-15]

I hope this letter finds you getting cuffed and stuffed as I write this. I just wanted to let you know what is in store for you as you are being carted away.

1) Real life is way different than your mom's basement. You'll soon discover that when you are in a prison cell.
2) Getting your ass beat up and pummeled will be a daily norm. Only difference is that you will actually get beat and feel every last inch of pain while you really get tea bagged.
3) Saying "I was just trolling" or "LOL Internet" will not

cue the "slashvertisement" comments

[t_ban]

Okay, how much is the kiddie paying you???