Mr. Robot’s Ransom Explained

'Remember, hugs are better than handshakes'

MR. ROBOT -- "eps2.0_unm4sk%u2010pt1.tc" Episode 201 -- Pictured: Carly Chaikin as Darlene -- (Photo by: Peter Kramer/USA Network)

Carly Chaikin as Darlene, Eliot’s sister and the de facto leader of F Society, as Mr. Robot season two begins. (Photo: Peter Kramer/USA Network)

This whole post is a spoiler for the ending of the first episode of Mr. Robot, which broadcast last night on the USA Network. You’ve been warned.

In the Mr. Robot double-header debut, the hacker crew F Society uses ransomware to dupe the show’s villain, Evil Corp, into convincing the public that it doesn’t need money from the government. Here in the real world, there’s a bit of ransomware going around that will happily take your bitcoin, but it never returns your files (it can’t because it didn’t encrypt them—it deleted them).

So in the real world, there’s ransomware that takes your money but won’t do anything for you. On the show, the ransomware was never really after money.

The second season of Mr. Robot opens onto a world where Evil Corp has been trying to reconstruct as much of its lost data as it can (destroyed in season one), begging the government for cash as it does so. There’s a scene where we see an Evil Corp employee tell a former customer that paper records can be forged, then the company gets hit with a systemwide ransomware attack, illustrating how electronic records have their own shortcomings.

What is ransomware? 

First of all, it is very real (back up your files). Ransomware uses encryption to make all of the files on a computer or even a whole server unreadable. The files are all still there, but they have been encoded with a secret key. Without that key, they can’t be read (and forget about your IT wizards breaking the encryption, because they can’t).

If you want to actually see encryption in action, learn to use PGP for email. You’ll send people messages that look like gobbledygook, but they will be able to unlock them with their own key. It’s fun.

See also: Edward Snowden visited Manhattan through a robot to advocate for privacy

So when a computer gets hit by ransomware, the infected user gets instructions for how to pay the ransom, which is typically by sending a certain amount of bitcoin to a bitcoin wallet. Once that wallet gets the requested bitcoin, it sends out the code to unlock the encrypted data.

Weirdly, ransomware hackers take customer service very seriously. Or they did. The honor among this particular breed of thieves appears to be fraying. Ranscam, the real world ransomware that just deletes files and lies, is giving attackers a bad reputation.

How does ransomware infect computers?

Hackers use a trick called “phishing” to get access to people or company’s computers. They don’t “break in” to computers using coding genius. Instead, they trick people who are already inside secure systems to open files that they shouldn’t, usually via email.

Just before the ransomware hits Evil Corp, we see Darlene release the hack on the company. She’s running something called the “Social-Engineer Toolkit.”

Judging by most of the hacks in season one of the show, F Society favors exploiting people’s weaknesses to break systems. The “Social-Engineer Toolkit” is probably the director’s cinematic shorthand for some kind of “spear phishing” campaign. Regular phishing works like spam. Hackers just send out loads and loads of email to millions of addresses, hoping for any sucker anywhere.

With spear phishing, an adversary studies specific people in an organization carefully, then crafts emails or websites designed just for them. This makes the messages seem more credible.

In other words, Darlene probably found someone inside Evil Corp, learned a lot about them, sent them some emails and got access to the company’s systems after the target fell for one of them.

That’s why the best defense against phishing is smarter humans.

Do F Society’s demands resemble real world ransoms?

No. I have never heard of an instance where real hackers demanded that the ransom be burned in a public place.

IRL, victims are asked to convert their money to bitcoin and send it to the attacker. They never ask for an in person hand off. If bitcoin hadn’t made it feasible to exchange money anonymously online, ransomware probably wouldn’t exist. It would be too risky.

Security pros have argued for a long time that if everyone would just quit paying hackers, they would stop phishing for ransomware. On the show, though, we see the Chief Counsel at Evil Corp argue that what the hackers demand essentially amounts to chump change for the company, far less than what they would lose if they tried to fix the problem themselves. So she makes the same argument that lots of executives in the real world also make: that they should just pay it. The trick for making money on this kind of attack is asking little enough that it’s hardly worth it for the victim not to pay.

Because the show goes out of its way to depict hacking realistically, though, it’s a little disappointing that the Chief Technology Officer of Evil Corp didn’t at least say something to the effect of, “There’s something very weird about demanding we drop this money in person.”

He doesn’t, though. He just goes to Battery Park with two gigantic bags of cash and stands there. That’s when F Society sends a courier to give him the order to burn the money, knowing that people will capture him doing it on social media. Evil Corp had been trying to strong arm the US Government into a bailout, but it’s going to have a hard time arguing for that helping hand with one of its executives on video burning money in public.

In the very first episode, Eliot said “I don’t give a shit about money.” True to its founder, F Society ransomed Evil Corp to make a point, not to get paid.

Mr. Robot’s Ransom Explained