How ransomware works

It will likely take days or weeks to fully understand how Keizer’s data systems were held for ransom, but digital strikes on other cities and counties provide some insight into how it all works.

Ransomware is different from what the average user envisions when they think of being hacked. Rather than destroying or downloading data, ransomware makes data inaccessible through encryption that can only be undone with a key held by the hackers.

Hackers typically set the ransom based on the number of servers they were able to lock up, and payments are made through a web of hard-to-trace digital transactions. In cities with libraries, the hacks meant checking out books with pen-and-paper logs. For many police departments, hacks resulted in hand-written citations. Emails sent to Keizer city employees bounced back for several days.

According to a malware wiki site, compiled from the knowledge of those who have dealt with ransomware, a strain known as Sodinokibi is the current scourge of cities near and far.

Sodinokibi doesn’t destroy data, and many of its operators don’t appear to download much unless the victim refuses to pay the ransom. Sodinokibi, also known as REvil, is believed to have originated in Russia and has already resulted in roughly $7 million in known ransoms paid.

Ransoms are paid to affiliates of the hacker or group of hackers. The affiliates reportedly keep 60 percent of the ransom paid and that amount increases to 70 percent after three successful transactions. The remainder goes to the actor or actors behind the hack. As of early 2020, there were roughly 40 known affiliates accepting ransom payments for successful Sodinokibi attacks.

While many cases are resolved with the payment of a ransom, some Sodinokibi hackers raised the stakes earlier this month, according to Brian Krebs, a cybersecurity reporter with The Washington Post.

One of the hackers behind the Sodinokibi ransomware began auctioning off data stolen from a Canadian agricultural production company. The starting price was $50,000 for 22,000 stolen files. The Krebs report suggests that auctioning data is one way hackers are diversifying their portfolios, given the decreased ability of some agencies to pay ransoms as a result of the COVID-19 pandemic and the resulting economic crisis.

On a final note, Sodinokibi unleashes its economic devastation with a program so small it could fit on a 3.5-inch floppy disk produced in 1986.