Ransomware is everywhere.
It's happening to the biggest companies.
The cyber weapon NotPetya started in Ukraine
in June of 2017.
It quickly spread, paralyzing major companies
and causing more than $10 billion in damage.
Government computers in 22 Texas towns
are being held hostage by ransomware.
But it's also happening at super low levels,
where you have people
ransoming individuals for small amounts of money.
And the thing that was most interesting
and the thing that sort of set us down this path
is this thing called ransomware as a service.
And as soon as you hear that phrase,
I mean, I want to read about that.
The idea that people could buy ransomware the same way
they buy Salesforce software or anything else.
And so then we decided to send Drake out into the dark web
to procure some ransomware service.
With a story like this,
all the reasons not to do it
are actually the reasons to do it.
My name's Drake Bennett.
I went on the dark web, I bought some malware
and I used it to attack and extort my editor Max Chafkin.
The original idea
was just to do something about ransomware.
The city of Baltimore was having this huge
sort of battle with some hackers.
Thousands of Baltimore city computers
frozen by hackers demanding ransom.
Baltimore's government computer systems
recently faced a ransomware attack.
Are you seeing these attacks become more sophisticated?
The more I learned about this world,
the more frustrated I got.
It seems hard to know what you can trust here.
There's a lot of anonymity.
The more I thought about it,
the more it seemed like
it might make sense to try it myself.
He wanted to do something participatory.
It's really a cool way
to explain a really difficult technical topic.
And then that also has the added benefit
of testing out a hypothesis I'd begun to have,
which is that this stuff has gotten so easy
for a variety of reasons
that almost anyone could launch one of these attacks.
And as it happens,
I'd be a particularly good guinea pig for this
because I'm particularly technologically illiterate.
You got to have a hacker, and that hacker despite his,
I'd say modest computing skills,
is Drake and the victim was me.
And our idea was that Drake could, you know,
he's sending me attachments all the time,
so the way we decided he was gonna do it is he was gonna
pretend to send me a draft,
but that draft was gonna be ransomware.
- What were some of the legal concerns and how did you get around that?
Okay.
Legal concerns.
What we figured out in consultation with a very amused
and maybe slightly confused Bloomberg lawyer, was that--
All of the laws that are on the books
require not only the possession of malware,
but the intent to actually launch an attack
against an unwitting victim.
Max, my victim was complicit in the scheme,
so we figured that kept us on the right side of the law.
And I do think there's a really strong
public interest argument for doing this kind of thing
because if somebody as unsophisticated
as a magazine journalist
can get really dangerous ransomware
without spending very much money,
that's something that I think
the public needs to know about.
So once we kind of talked to a Bloomberg lawyer,
we then got two burner laptops,
we got two cheap Dell laptops.
Max and I both work for a company
that takes data security very seriously for obvious reasons,
so we made sure
that we kept all this off Bloomberg's network.
Then we decided to send him
onto the dark web to procure some ransomware service.
So there are these dark web forums
that work sort of like they're chat rooms,
but they're also these kind of malware bazaars
where you can go and people are hawking
different forms of malware and also different ways
of getting that malware onto computer systems.
The market has now kind of advanced
to the point where there are these services,
they're called ransomware as a service,
and it's a play on this idea of software as a service
or SaaS, which is something you hear
in Silicon Valley all the time.
And so I found a couple,
some of them turned out to be bogus,
some of them seemed to be defunct.
People just didn't get back to me.
But there was one where the guy got back to me
when I got in touch with him
and answered the few questions I had.
And it was cheap, it was just 150 bucks,
so I figured it was worth a try.
So the first thing I did is I reached out to the vendor
and I used ProtonMail, which is an encrypted email service.
And at that point I had gone ahead
and set up a Bitcoin wallet,
so I paid the $150 that was the subscription fee
for the service and that gave me a login for this website.
And it was a pretty simple looking interface.
There was a series of tabs at the top of the screen.
One of the tabs took me to the quote unquote dashboard,
which is where I'd be able to manage the various attacks.
There was another tab
that took me to what was called the builder,
which is a page that allowed me to input a few pieces
of information about the kind of malware I wanted.
Stuff like what kind of operating system
would be on the target computer or what kind of encryption
I wanted or what's the email address
that my victims should use to contact me
once they realize they've been attacked.
So I input those few pieces of information
and it spits out a piece of software
that I could then download onto my computer.
So it became obvious pretty quickly
that I didn't have particularly top shelf product.
And that's not surprising.
A lot of the conversation on these dark web forums
is about whether this or that product
is reliable or how well it works.
The person that we bought the ransomware from
turned out to be not the most sophisticated.
Almost as unsophisticated as we were.
And it kind of started to become unclear
whether he was trying to con us out of more money,
and I kept saying to him,
"We got to be really careful
that there's not an additional layer to this scam,
that he's not gonna ask us to wire him some more money
to make the software work better,"
which is what he was trying to do.
So there's just like so much con artistry.
And there does seem to be a wide range
in quality reflected partly in the wide range of price.
There are other ones that are much more high end
where it's not even an annual fee model
it's more like you have a gang of hackers
with different specialties
and they just divide up the pot between them.
So I wrote my email to Max, which basically said,
'Hey Max, here's the draft of my latest story.
Sorry it's taken so long.
The draft is attached'.
Even though I had a really bad laptop,
it immediately sniffed out the potential
that this attachment that Drake was sending me,
which looked super suspicious to me, was going to do harm,
and there were a bunch of warning boxes that opened up
saying, "Are you really sure you want to load up this file?
Are you super sure?"
And of course I said yes, yes, and infected myself.
And then Max looked away for a second
and looked back at his computer
and there was this ghoulish image of a hand
reaching out from a cloud of smoke and a message that said,
"All of your files have now been encrypted."
And, so I was sitting there waiting for this thing to happen.
We had a photographer there.
All of the documents,
you know I had to load the laptop with a bunch of documents
that I wasn't afraid to lose.
So I didn't have anything important on there.
And there's still something really scary
about seeing that message on your computer
that says that they own you now,
that the attacker has your files
and is gonna do with you what he wants.
And it really makes you realize
how easy it is to become a victim.
The communities of people who are in this world
range from the most sophisticated hackers,
so like, state-supported,
connected to the military or intelligence operation
of some of the most powerful countries in the world,
all the way down to literally a bored teenager.
After all this was over I did reach out
to my ransomware providers and announce myself
as a journalist and you know,
they consented to be interviewed
and basically what they told me,
they didn't say much about themselves
but they did say that they were a group
of 18 to 26-year-olds with different specializations
working as a team to create this stuff.
A lot of these chatrooms where these products
are bought and sold are Russian language chatrooms.
Some of them have actually been geofenced or coded
in such a way that they'll work anywhere
except in places like Russia, Ukraine.
But I don't know where particularly
my providers were located.
I also think it was surprising in a good way
that we really had to work to make this work
in terms of me ignoring warnings
that my computer was giving.
In terms of Drake having to work with an expert
to get the ransomware to work perfectly,
but it's just kind of like a scary reminder
of how all of this kind of,
there are all these sort of bad actors and creeps
and con artists kind of lingering just below the surface
of the internet and just creepy how close they are
and how you're not that far away from downloading something
that can kind of mess up your digital life.