

Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:1
Reviews:
·Bright House
·Sprint Mobile Br..

Anatomy of a Bribe |The Symantec pcAnywhere Ransom Saga

What we 'ave 'ear is not a failua to communicate.

This is the content of a purported partial email exchange between whoever grabbed the pcAnywhere code and some hoo-ha from Symantec.

quote:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
07 February 2012, 02:46:43
10 minutes
html
--====----====----====----====----====----====----====----====----====----===--
We can't make a decision in ten minutes. We need more time.

2012/2/6 yamatough

Since no code yet being released
and our email communication wasnt also released
we give you 10 minutes to decide which way you go
after that two of your codes fly to the moon PCAnywhere and Norton
Antivirus totaling 2350MB in size (rar)
10 minutes if no reply from you we consider it a START
this time we've made mirrors so it will be hard for you to get rid of
it

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
07 February 2012, 00:13:42
?
html
--====----====----====----====----====----====----====----====----====----===--
We've looked into Liberty reserve and offshore accounts. These options wont work. We want to protect our code but we need other options.

2012/2/6 yamatough

your silence considered as No
r we clear?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
02 February 2012, 04:27:14
say hi to FBI
html
--====----====----====----====----====----====----====----====----====----===--
We are not in contact with the FBI. We are using this email account to protect our network from you.

Protecting our company and property are our top priorities.

We can't pay you $50,000 at once for the reasons we discussed previously. We can pay you $2,500 per month for the first three months. In exchange, you will make a public statement on behalf of your group that you lied about the hack (as you previously stated). Once that's done, we will pay the rest of the $50,000 to your account and you can take it all out at once. That should solve your problem.

Obviously you still have our code so if we don't follow through you still have the upper hand.

2012/2/1 yamatough

Say hi to FBI agents,
It's funny you do not use your corp account anymore =)
We wonder why is that be that way? =)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
02 February 2012, 00:28:33
sorry
html
--====----====----====----====----====----====----====----====----====----===--
So now what does this mean?

2012/2/1 yamatough

I am afraid we have to cancel the whole deal because our offshore people
wont let us securely get the money because they wont process amounts less
than 50k a shot. Therefore we are afraid we can not proceed with you on the
conditions offered.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
01 February 2012, 02:59:06
please read carefully
html
--====----====----====----====----====----====----====----====----====----===--
Got your message.

We are still looking into Liberty Reserve but we have to figure out how to get our money safely into our Liberty Reserve account through an exchanger.

We will pay you $50,000.00 USD total.

However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.

You know how the corporate environment works and we have to treat this like a business transaction.

On Tue, Jan 31, 2012 at 12:26 PM, yamatough wrote:

No offence, nobody's trying to give you a hard time.
We have a clear understanding on how things work inside corp environment.
Do not send us any money (we do not use paypal period) do not send us any 1k etc.
We can wait till we agree on final amount.

Please confirm that you received this message so we are not anxious.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
31 January 2012, 23:54:54
???
html
--====----====----====----====----====----====----====----====----====----===--
We already told you we are doing the best we can. You threatening to release the code is not helping the situation.

We've been looking into Liberty Reserve. Looks like we have to use an exchanger to get money into our Liberty Reserve account.
This is more complicated than we expected.

Our plan was to get you $1,000 by the end of the week as a test and a sign of good faith but we don't know if we can make this work
that quickly through Liberty Reserve.

We've used paypal numerous times and we know how it works. We can definitely send you $1,000 by the end of the week through
paypal until we can get Liberty Reserve setup for a large payment. We will send the paypal payment to the yamatough@terra.com.ve
email address on Friday.

On Mon, Jan 30, 2012 at 5:50 PM, yamatough wrote:

there are no options but :
Liberty Reserve (tell your people to look into their website www.libertyreserve.com and check how it works - its easy we shall give you our account number within the LR system and you send money from your LR acct to ours) To put money on ya LR account you can do by wire transfer within the USA etc. just check the website
this option is nice for you because it leaves the FATF and Anti Terror units behind and raises no suspicions like the Lithuanian transfer would.
Wire transfer to a bank account in Lithuania or Latvia is also an option.

Above mentioned are the only ways to work it out.

We are afraid if you can not comply we proceed with the release.

What are the guarantees that we wont come back for more? - NONE ofcourse, you have to trust us on this one, if we were really bad guys we would have already released or sold your code at the time of exchanging emails with you which is almost a month - AND WE KEPT SILENT all that time and stuck to our word given to you.
So - No Guarantees - Trust Us - We wont come back and wont manipulate the code.
At least it is worth a try and we assure you we are man of honor we keep our promise.
What you are going to get if no agreement reached? - We both know.
Partial release of code - Official Auction Bidding on some of it - 0day exploitation
That happens as soon as we understand your negative call.

As of files sent to you partially - we are getting tired of all this please do not make us more angry than we already are you know we got the full line so please nothing is going to be send to you once again.
Time's up - We are patient to get Positive or Negative from you. You have two options to complete Wire. And name the price. Period.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
31 January 2012, 05:22:24
???
html
--====----====----====----====----====----====----====----====----====----===--
We are really trying to work with you but we can't meet all the deadlines that you keep throwing at us. We need approvals by a lot of people who all have different opinions. This is the first time we've heard of Liberty Reserve and we are hesitant to just wire money straight to an offshore account.

You didn't provide all the files requested last time. What assurances can you provide that once we pay, you will actually destroy the code and not ask for more money?

Finance is asking us what offshore account it is and also how we could make a payment through liberty reserve. Send us that info to give to them. If they shoot these options down, do you have any other ways to accept your payment?

We are willing to do what it takes to get our code back and protect our customers but we've never been in this position before. Please be patient and we will find something that works for both of us.

2012/1/30 yamatough

you have 24 hours for a definite answer

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
30 January 2012, 21:12:24
monday
html
--====----====----====----====----====----====----====----====----====----===--
Before we can discuss a dollar amount, we need to figure out how the payment is going to be made.

2012/1/25 yamatough

We expect answer by monday.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
26 January 2012, 01:13:10
procedure
html
--====----====----====----====----====----====----====----====----====----===--
Bottom line, we need more time, at least 2-3 days. This is not a simple process on our end.

2012/1/25 yamatough

We have a rule - and we always follow it:
If you are the owner - you have the right to be the first one
asked. That is why we kept silent at the time of negotiating with
you.
We stick to the word given and nothing is going to happen to the code
if we complete the deal.
Were we not that way we would have already sold your code to that
willing many.

SO - you told us a week ago that you've being requesting a
response from Fin dprtmnt. We got no answer for the below question
so far:
?How much do you consider ENOUGH to pay us in order to
work all the issues out?

Name the price,

Clock's tikin

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
25 January 2012, 23:49:38
ON SALE
html
--====----====----====----====----====----====----====----====----====----===--
We are not trying to trick you. You said you had the PC Anywhere code and we were just being cautious. What would you have us do?

We really don't want our code out there. How do you want to proceed.

2012/1/25 yamatough

If we dont hear from you in 30m
we make an official announcement and put your code on sale at auction
terms. We have many people who are willing to get your code
Dont f*** with us

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
25 January 2012, 05:38:08
problem
html
--====----====----====----====----====----====----====----====----====----===--
we are having network issues with ftp on the standalone computer. we think we can have it ready tomorrow and will send you login details.

On Tue, Jan 24, 2012 at 9:05 AM, yamatough wrote:

roger that

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
24 January 2012, 05:39:49
problem
html
--====----====----====----====----====----====----====----====----====----===--
we are trying to setup a stand alone computer so this doesn't affect our network. we only want to ensure our environment is safe. we will send you the ftp details tomorrow.

2012/1/23 yamatough

If you are trying to trace with the ftp trick it's just worthless.
If we detect any malevolent tracing action we cancel the deal.
Is that clear?
You've got the doc files and pathes to the files
what's the problem ?
Explain

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
24 January 2012, 01:15:05
it's monday
html
--====----====----====----====----====----====----====----====----====----===--
in the process of setting up a secure ftp site. should be ready today or tomorrow.

2012/1/23 yamatough

It's monday...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
21 January 2012, 03:54:28
updates samplez
html
--====----====----====----====----====----====----====----====----====----===--
the gmail account and the internal account are deleting the attachments. working on another way to get these from you. hopefully will have a solution over the weekend or on monday.

On Fri, Jan 20, 2012 at 5:20 AM, yamatough wrote:

/depot/pcAnywhere/pcA-NG/Thin/site/deploy/remstart.exe
/depot/pcAnywhere/pca32/trunk/Design/12.5/Design - Smart Card Authentication.doc

/depot/pcAnywhere/pca32/trunk/Design/12.0/Design - pcA Connection Server UIs.vsd
/depot/pcAnywhere/pca32/r12.0.2/Design/12.0/Design - pcA Connection Server UIs.vsd

In case you did not get the first email

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
20 January 2012, 08:37:52
updates samplez
html
--====----====----====----====----====----====----====----====----====----===--
Give us through the weekend to figure out how to get these from you. We don't want these docs posted on a public site.

2012/1/19 yamatough

your google acc rejects attachments so we sent it to sym addie

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
20 January 2012, 00:32:11
updates2

--====----====----====----====----====----====----====----====----====----===--
We need assurance on PCAnywhere. Because our email system strips large attachments, send sample files to this address where we can get attachments: sam.thomas.sym@gmail.com
Send the following sample files:
ft_advanced.rec
Design - Smart Card Authentication.doc
design - pca connection server uis.vsd
remstart.exe
1151up.pcg
We want:
1) Actual file
2) Path where you found file

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
yamatough
19 January 2012, 22:04:59
updates

--====----====----====----====----====----====----====----====----====----===--

Management needs assurances. Your last email before today said “PCAN and NU got pub” - where did PCAN get pub?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sam Thomas
"yamatough@terra.com.ve"
18 January 2012, 03:11:37
up to you
html
--====----====----====----====----====----====----====----====----====----===--
Have to check with Finance people. We will contact you tomorrow.
.

.

I'm struck by the 419 feel of this.
--
Adopting other people's animosity is The New Stupid.


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·RoadRunner Cable
·Clearwire Wireless

said by Noah Vail:

I'm struck by the 419 feel of this.

The low $ amounts also have a peculiar odor about them.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Noah Vail
I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

Blake



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·RoadRunner Cable
·Clearwire Wireless

said by Link Logger:

I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

If only they had the time to go on fishing trips.
Their workload would all but preempt involvement in this matter.


Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:1
Reviews:
·Bright House
·Sprint Mobile Br..

said by Snowy:

said by Link Logger:

I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

If only they had the time to go on fishing trips.
Their workload would all but preempt involvement in this matter.

I guess the entertainment industry keeps their schedule pretty full.
--
Adopting other people's animosity is The New Stupid.


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·RoadRunner Cable
·Clearwire Wireless

said by Noah Vail:

said by Snowy:

said by Link Logger:

I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

If only they had the time to go on fishing trips.
Their workload would all but preempt involvement in this matter.

I guess the entertainment industry keeps their schedule pretty full.

LOL
Is Symantec even a US company?


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
Reviews:
·Shaw

said by Snowy:

LOL
Is Symantec even a US company?

Yep, HQ in Mountain View, California.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


Noah Vail
Son made my Avatar
Premium
join:2004-12-10
Lorton, VA
kudos:1
Reviews:
·Bright House
·Sprint Mobile Br..

reply to Link Logger

said by Link Logger:

I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

You may be correct.
--
Adopting other people's animosity is The New Stupid.


aannoonn

@optonline.net

reply to Noah Vail
Bribe? I don't see any bribe here.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ

reply to Link Logger

said by Link Logger:

I doubt Sam Thomas was a Symantec employee and more likely a Fed on a fishing trip.

Blake

yes, the gmail account was an FBI front.
--
--Standard disclaimers apply.--
google this "(sqrt(cos(x))*cos(200*x)+sqrt(abs(x))-0.7)*(4-x*x)^0.01, sqrt(9-x^2), -sqrt(9-x^2)"


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ

reply to aannoonn

said by aannoonn:

Bribe? I don't see any bribe here.

extortion

over 12.5 years online © 1999-2012 dslreports.com.