It was the day before Christmas when the professor’s phone rang. The screen said “anonymous”, with a small a. That could only mean one thing.
“Hacker!” said the professor.
“Professor!” replied the hacker.
The hacker and the professor had known each other for a while. They had worked together when they were both still working for the police. The hacker called himself a hacker. Not an ethical hacker or a white-hat hacker, just a hacker. And the professor didn’t really know many of these.
Recently, the professor had given a lecture on the need for cooperation between police, universities and businesses. Lots of people had come to listen, and the hacker was one of them.
“You’ll hear about it in the media soon enough, but the University of Maastricht has fallen victim to ransomware,” said the hacker, “and as that actually involves cooperation between the police, the university and the business community, I’d like to invite you for a cuppa coffee.”
If the hacker said ‘cuppa’, he meant a double espresso. However, ‘invite’ didn’t necessarily meant that he was paying.
And so it came to be.
They had barely shaken hands before the hacker had gone off on a tangent.
“This type of software is aimed at getting ransom money. It was planted on the victim’s system much earlier and was most likely tested before it was actually activated. The software encrypts or shifts important data, and the victim receives a message offering to decrypt the data in exchange for crypto currency.”
“How about a double espresso?” the professor asked. After a slight nod of his head that was only obvious to an experienced observer, the hacker hurtled on.
“Even if Maastricht University were to pay, there is a good chance that only a portion of the data could be recovered. Moreover, it increases the chance of subsequent ransomware because the victim appears to be willing to pay.”
The professor noted that weapons of mass destruction refer to weapons of the past, but that weapons of mass disruption have the future.
”But that’s when it gets really interesting,” the hacker went on. “because what does the victim do next? ”
The professor knew that raising an eyebrow was all that was needed.
“I’ll tell you: they’ll hire a commercial party to do an analysis of the damage, and the chances of undoing that damage. This is the most crucial thing for the victim. And the police? They’ll be called in to file a report and run an investigation. But that’s comparable to bicycle theft.”
The professor didn’t have long to think about this comparison.
“It’s more of a formality, I mean. Because I can assure you that any clues in the software code, or the email or IP addresses point to countries where the police are not allowed to investigate! So detection and prosecution is out of the question from the outset.”
The hacker stared at him with a meaningful look in his eyes. Their relationship required that the professor should now ask a smart question.
“So you’re saying that this kind of criminals can get away with everything because they don’t have any natural enemies?” It wasn’t really a smart question, but more of a summary.
“Exactly!” the hacker exclaimed enthusiastically. “The victim is technically no match for the criminal. And the police can’t do anything as they have to stick to conventions or to the rules of professional conduct.”
The hacker was silent. Just for a moment.
“But as a citizen, I don’t have to worry about that. I am on various forums, pretending to be someone else, using pseudonyms and shielded email addresses, buying a piece of software here and there. I don’t do anything illegal, but I do stuff the police can’t do or can only do in very exceptional cases.”
The professor nodded. In their previous lives they had frequently been confronted with legislation that prevented the police from doing what a citizen is allowed to do.
“Meanwhile – I’ve collected a huge amount of data. On groups of offenders, modus operandi , conversations between people and so on. There’s predictive value in all of that.” The hacker continued, “I don’t want to say that the attack on the university could have been prevented with this, but I’m already detecting patterns with my own eyes. So if we apply data science … well then …”
He was looking for the right words and that was a new experience for the professor too.
“… Then we will definitely be better able to predict what’s going to happen.”
Christmas came, and shortly after that, New Year’s Eve. The hacker’s observations lingered in the professor’s head the whole time. When the new decade dawned, he grabbed his phone. 2020 had to become the year of pattern recognition, and that would begin with a double espresso.
He called “anonymous.” With a small a.