Cofense - Security Awareness Training & Email Threat Detection

Reality-checking Mr.Robot Ransomware

Share This Article


USA Network’s television show, Mr.Robot, kicked off Season 2 with a BANG!   The program features the exploits of a hacker named Elliot Alderson (Rami Malek) who uses the alias “Mr.Robot” to work with a team of hackers who call themselves F-Society and have as their mission the destruction of a major corporation that they call “Evil Corp,” whose logo calls back to the Big Corporate Corruption of Enron. In this episode, the attack is against the “Bank of E.”

Evil Corp's Bank
Target: Evil Corp’s “Bank of E”

At the climax of the episode, all of the computers within the Bank of E are locked and begin to show a Ransomware notice.

Every computer at Bank of E shows ransomware notice
Ransomware notice displayed on all Bank of E computers

The question that we ask ourselves is, “How realistic is this hacking scenario?” The answer? “Very!” The F-Society hackers are shown creating their attack using tools that are quite similar to the tools used by real-world hackers. F-Society hacker, Darlene (Carly Chaikin), creates her attack using a tool called “The Social-Engineer Toolkit.” By navigating through the menus, she is able to choose how she would like her attack to be delivered.

Social-Engineering Toolkit
The Social-Engineering Toolkit
CryptoWall Payload delivered via SET
CryptoWall Payload delivered via SET

At PhishMe, our intelligence team has a great deal of experience with the CryptoWall attacks, as well as CryptoLocker, Locky, TeslaCrypt, and many other encryption Ransomware attacks.  In fact, in the 1st Quarter of 2016, PhishMe reviewed more than 6 million emails that were designed to infect their target with Ransomware.  Although the “countdown” clock is not as common as it was in early CryptoLocker samples such as the one below, it is still very normal for the criminals to demand that a ransom be paid within a certain time limit … often three days or less.

CryptoLocker Countdown
CryptoLocker Countdown Example

In the Mr. Robot episode, the ransomware sample uses a similar countdown message, with one big difference — when PhishMe sees ransomware, the price to be paid is often between $200 and $4000.  In the Mr. Robot episode, the hackers are demanding $5.9 Million!

$5.9 Million Ransomware Demand
Mr. Robot’s hackers want a big ransom!

But could hackers really cause their Ransomware demand to pop up on everyone’s screen in the entire bank?  It has been done, but usually only by extremely advanced hackers — which is exactly what the show’s F-Society hackers claim to be.  In two published cases, rumored to be conducted by Iran and North Korea, many employee computers were all taken over and displayed scary messages.  Here are two ransomware attack examples, one by a group calling itself “#GOP Hackers” (thought be North Koreans) and the other calling itself “Anti-WMD Team” (thought to be Iranian.)

sony_hack AntiWMDTeam.popups

Like much fiction, the writers of Mr. Robot combine several real world concepts into a single story line.   It borrows the Ransomware countdown from CryptoLocker and CryptoWall, which are normally delivered by email and ask for a few hundred or few thousand dollars in Bitcoin.  It borrows the “simultaneous screen locking” from the nation-state delivered Wiper malware attacks, such as the Sony attack and the Sands Casino attack shown above.  It borrows the very large bank ransom from recent headlines in the middle east, such as the hacker who demanded a $3 Million ransom from UAE’s Invest Bank and threatened to leak customer details to the internet if he wasn’t paid.

The last piece of the story is also borrowed from real life.   After Darlene creates her Cryptowall.exe attack using the Social Engineer Toolkit, she passes a malicious thumb drive to her fellow hacker, who has managed to land a job as an IT Support employee at the bank.   This last piece of the story comes from the legend of StuxNet.  According to news stories from 2012, the StuxNet malware which was used to cause the uranium-enrichment centrifuges to self-destruct, was probably delivered by “a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there.”

Passing the Flash Drive
Darlene passing the Flash Drive to her Double Agent
The "IT Guy"
The “IT Guy” at the Bank of E

In summary, while the Mr. Robot Season 2 Premiere combines a perfect storm of techniques for the ultimate cyber attack, all of the hacks, tools, and methods displayed in the episode are based on real-world scenarios. Most ransomware is still delivered by a malicious email sent to an employee, and any large bank would deploy internal network segmentation and other defensive measures that would make such an attack impossible in the modern banking world, but the scenario is certainly plausible for computers in many lesser defended sectors of our economy.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.