BBC Visits 'Hated and Hunted' Ransomware Expert (bbc.co.uk)

In "Hated and hunted," a BBC reporter describes visiting a ransomware expert "who has devoted himself, at huge personal cost, to helping victims of ransomware around the world." They hate him so much that they leave him angry threats buried deep inside the code of their own viruses... "I was shocked but I also felt a real sense of pride," says Fabian. "Almost like, a little bit cocky. I'm not going to lie, yeah, it was nice...." He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. When he's "in the zone", the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session.

All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back... According to research from Emsisoft, the cyber security company Fabian works for, a computer is attacked every two seconds. Their network has managed to prevent 2,584,105 infections in the past 60 days -- and that's just one anti-virus firm of dozens around the world.... "It's pretty much an arms race," says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back. Then the criminals release a new version which they hope I can't break... It escalates with them getting more and more angry with me...."

Fabian accepts that moving around and restricting his life and circle of friends is just a part of the sacrifice for his hobby-turned-profession... He earns a very good salary but looking around his home and at his life it's hard to see how he spends it.

He estimates that he's "upset or angered" 100 different ransomware gangs (based on his analysis of the Bitcoin wallets where they collect their ransoms). One group had collected about $250,000 (£191,000) in three months -- until Fabian created a countering anti-ransomware program -- which is one reason he carefully hides his identity.

"I know how much money they make and it would be literally nothing for them to drop 10 or 20,000 for like some Russian dude to turn up to my house and beat the living hell out of me."

  1. Hmm by Ryanrule · · Score: 1

    I'd like to see the national breakdown. I know a few E. Europe groups that are permanently butt hurt.

    1. Re:Hmm by Toth · · Score: 2

      I remember when the Bulgarians were the best hackers. They would include the names of viruses they had written on their resumes when applying for a computer job. Many firsts. Are they still in the game I wonder?

    2. Re:Hmm by Aryeh+Goretsky · · Score: 5, Informative

      Hello,

      While Bulgaria was once a hot-bed of virus activity in the DOS era, the focus on malicious software has spread throughout Russia, Eastern Europe and the Baltic states, to the extent that it has crowded out Bulgaria as being a well-known source of malware. Of course, today malware is a global phenomenon, and you find clusters of development throughout the world, including regional specializations in both Asia and Latin America for targeting domestic banking, for example.

      Vesselin Bontchev, one of the first people to document the Bulgarian virus scene via his seminal work, The Bulgarian and Soviet Virus Factories, remains active in the field and would probably be the best source for current information on Bulgaria's position in the threat economy. He can also be found on Twitter, where his tendency towards logorrhea is somewhat tempered by the 280-character limit.

      Regards,

      Aryeh Goretsky

      --
      Dexter is a good dog.
  2. Live by the bitcoin, die by the bitcoin by goombah99 · · Score: 1

    Ironically, Silk Road had a solution for this problem. Just create an Ethereum payable contract that pays when the ransomware evil-doer is killed, as measured by whatever method the contract specified as satisfactory proof that the right person received the right result.

    Of course this is also a terrible idea. Paying mercs to kill people is going to result in incompetent mercs and dead innocents. Not to mention the whole idea of murder.

    Still, given human nature, if this option were offered anonymously but widely available, I'm also sure the GoFundMe kitty would swell.

    The only thing one can say is that in the end you'd be both remorseful and gratified, and possibly incarcerated.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Live by the bitcoin, die by the bitcoin by piojo · · Score: 2

      Just create an Ethereum payable contract that pays when the ransomware evil-doer is killed, as measured by whatever method the contract specified as satisfactory proof that the right person received the right result.

      Setting aside for now the fact that that's horrible, how would it be implemented? Say it's not about killing someone but about buying a puppy. What is the oracle which tells the system that the requirements have been met?

      --
      A cat can't teach a dog to bark.
    2. Re:Live by the bitcoin, die by the bitcoin by Solandri · · Score: 1

      That's not new, and it has a simple solution. You know the "Wanted Dead or Alive" posters you see in westerns? They were only reserved for the worst criminals. The standard wanted poster was for capturing the criminal alive - as in you wouldn't get the reward if the criminal was killed. So all you have to do is give out the reward for information leading to the ransomware author's capture, no reward if he's killed.

    3. Re:Live by the bitcoin, die by the bitcoin by JaredOfEuropa · · Score: 1

      In case of buying a puppy, you could submit a picture of the puppy and the receipt as proof. In case of an open contract on a person, proving the person was killed is trivial, but it might be hard proving that it was you who killed him.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re: Live by the bitcoin, die by the bitcoin by Cmdln+Daco · · Score: 1

      They are experts on unleashing, not defeating, ransoms.

      And that assumes they are even experts, and not script kiddies.

    5. Re: Live by the bitcoin, die by the bitcoin by Cederic · · Score: 1

      No, he was suggesting targeting the criminals.

    6. Re:Live by the bitcoin, die by the bitcoin by rastos1 · · Score: 1

      Ask Jim Bell.

  3. killstarter? by goombah99 · · Score: 1

    When they go low, we aim high

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:killstarter? by Cmdln+Daco · · Score: 1

      Oh, I think more positive proofs can be provided, in the form of DNA samples from the grease spot where the former ransomware distributor was standing.

    2. Re:killstarter? by kaatochacha · · Score: 1

      I saw that movie too!

  4. aka by phantomfive · · Score: 1

    alternate headline: "Assassins pay BBC to find address of ransomware expert."

    --
    "First they came for the slanderers and i said nothing."
    1. Re:aka by jellomizer · · Score: 2

      The BBC is one of the world's most respected media outlets. Normally when there is a polarizing debate, where I find both sides to be exaggerated (which is easy to get on American news, flipping sources to weed out the truth from hyperbole), I find that the BBC gives a much more level-headed explanation of the topic.

      Now the BBC could be banking on its good Karma and work with the ransomware makers, but you can burn good Karma much faster than you can build it up. Besides, ransomware really doesn't bring in that much money.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:aka by Anonymous Coward · · Score: 2, Insightful

      The BBC is one of the world's most respected media outlets.

      They were, at one point, but certainly not since #PanoDrama.

    3. Re:aka by phantomfive · · Score: 1

      Normally when there is a polarizing debate, where I find both sides to be exaggerated (which is easy to get on American news, flipping sources to weed out the truth from hyperbole)

      That's the distance giving them perspective. The BBC can be completely biased when it comes to British news.

      --
      "First they came for the slanderers and i said nothing."
  5. Re:The first murderer. by phantomfive · · Score: 1

    How do you know Abel was good?

    --
    "First they came for the slanderers and i said nothing."
  6. Building a decrypter? by quantaman · · Score: 3, Interesting

    “It’s pretty much an arms race,” says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back.”

    How does this work? There's probably some government agencies with the ability to crack various encryption schemes, but a dev at some anti-virus company?

    I'm sure he's pretty good at what he does, and there's probably a handful of instances where the ransomware folk did something dumb. But file encryption is pretty standard stuff, and I can't imagine it's too hard to generate a unique decryption key for each victim and to stop that key from persisting on the victim's machine.

    So is the story mostly hype and the guy just cracked a couple crappy tools? Are the ransomware folk really that incompetent? Or am I missing something?

    --
    I stole this Sig
    1. Re:Building a decrypter? by AHuxley · · Score: 1

      Look at an average PC CPU and storage media on an average laptop/desktop computer.
      How fast can all the contents be encrypted to keep it secure from any/all expected decryption efforts?
      Then have it revert back to a working computer with the correct code?
      The idea is that the speed of CPU needed and that a lot of people use the same often used code set/example.
      The other idea is to detect a rapid, understood and unexpected for the users system code use of all CPU power.
      The spin up of CPU use for encryption by code that's very different to average users OS/software.
      That the OS encryption acts in a set way and its start can be detected in CPU by advanced AV software.

      Re "government agencies with the ability to crack various encryption schemes"
      1. That is done with design weakness in every generation of software shipped under a support role offered by a "brand" to a gov.
      The software/OS crypto sold/offered is junk as the staff like/have to support the gov/mil.
      A gov/mil weakness is created by design over all generations of that code.
      Junk crypto over decades of OS and software.
      2. By installing a key logger first and then waiting for the next use of encryption by the user. Networked software to get the next use of a password.
      Hope the user has the same long password again and again.
      Find out if the password is created with software on the same computer that's doing the encryption. Copy out the password as it's used.
      3. After arrest a legal offer to decrypt is suggested. With many more years if deception is not done.
      Depending on the part of the world and the legal system. Concurrent and consecutive reduced years when decrypted.
      4. The use of informants to get near a person and place key logging software.
      5. The use of a super computer given the junk brand/OS crypto. The crypto is not that good but its still trusted. A gov/mil weakness is found over all generations of that code.
      i.e. the gov/mil works to get decryption for free and in real time over decades of OS/network users/use of informants.
      Gov methods don't help much if the encryption used is not common, not well understood and is not OS/commercial weak as sold.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Building a decrypter? by quantaman · · Score: 2

      That the OS encryption acts in a set way and its start can be detected in CPU by advanced AV software.

      Which would be a method for blocking a ransomware attack in progress. This article is about something completely different: decrypting a ransomware attack that was already completed.

      Gov methods don't help much if the encryption used is not common, not well understood and is not OS/commercial weak as sold.

      Whether or not some major government agencies can crack encryption doesn't really matter to this story. An AV researcher isn't going to be able to crack commonly available encryption algorithms. If he's releasing decryption tools he's doing it through other mechanisms.

      --
      I stole this Sig
    3. Re:Building a decrypter? by Anonymous Coward · · Score: 1

      It's pretty simple. If the attackers are 'honest', then a decryption key actually exists. In that case, it is the malware authors who are playing 'defence' for once, and all the regular 'attack' vectors apply:

      1) The malware authors could have bugs in the implementation of the encryption just like every other program.
      2) They could store the keys on the client's machine, like many bad programs do.
      3) They could store the keys on a central server, which could get compromised just like any normal server.
      4) They could use the same key, in which case eavesdropping on one client who paid ransom would find it.

      In short, malware is just a program in the end, and malware authors aren't better than normal programmers. Normal programs are full of bugs. Why do you expect malware authors to do better?

    4. Re:Building a decrypter? by The-Ixian · · Score: 1

      One angle you are perhaps missing is that this guy works for an AV company. Which means that he probably has access to some pretty good telemetry from several different systems attacked by the same malware. You can imagine that if something is seen once and reports it back to the mothership, the second, third, etc, instances are each delivering behavioral metrics on how the malware operates.

      Also, I am sure that because AV runs at such a low level in a system, it is able to do things like analyze all system RAM and other caches for things that don't get cleaned up quickly enough. The keys need to be put into memory at some point in order to do the encryption, which means they can be read from memory....

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Building a decrypter? by fwosar · · Score: 5, Informative

      Obviously, I can't crack all ransomware out there and I never made that claim (and neither did the article). However, a lot of ransomware has flaws that can be abused, just like a lot of other software has bad crypto. The flaws are usually just what you would also find in production code: bad key generation, improper key sizes, inappropriate key re-use, server vulnerabilities.

      There are also some real "WTF?!" moments as well. For example, the first iterations of Cryptowall left the generated private key on the system by accident, because they copied sample code on how to use the CryptoAPI from the MSDN documentation without understanding what some of the parameters meant. Cryptowall later went on to become one of the most profitable ransomware campaigns in history with estimated revenues within the 300 million US dollar range. Bottom line is: As with many things, ransomware doesn't have to be perfect to cause a lot of damage.

      You can obviously dismiss it as a "guy cracked a couple crappy tools", but ultimately we broke hundreds of different ransomware families and major revisions within said families.
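
The "bad key generation" flaw class named in the two replies above, as an added example that is not code from the page, from Emsisoft or from any real ransomware family: a stand-in stream cipher (SHA-256 in counter mode, a constructed placeholder) whose only secret is a 32-bit timestamp seed, beside the decryptor logic that recovers that seed from a known file header and a window around the infection time. The constructed sample file, the PNG signature used as known plaintext, and the seed/window values are all assumptions made for the demonstration.

```python
import hashlib
import os

# Constructed known plaintext: many file formats start with a fixed
# signature, which gives a decryptor a check for "is this seed right?".
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SAMPLE_FILE = PNG_SIGNATURE + b"constructed sample image body " * 4


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode. The cipher itself
    is not the weak part; the demonstration is about how the key is made."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(data: bytes, key: bytes) -> bytes:
    # XOR with a keystream is symmetric: the same call encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def key_from_seed(seed: int) -> bytes:
    # The flaw: a 256-bit key whose entire entropy is a 32-bit timestamp.
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def proper_key() -> bytes:
    # The fixed version: 256 random bits from the OS CSPRNG. There is no
    # seed window for recover_seed() to search, so the approach below fails.
    return os.urandom(32)


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 start: int, end: int):
    """Decryptor side: try every seed in [start, end) and keep the one whose
    keystream turns the ciphertext prefix into the expected file signature."""
    target = ciphertext[:len(known_prefix)]
    for seed in range(start, end):
        if xor_stream(target, key_from_seed(seed)) == known_prefix:
            return seed
    return None


def demo():
    """Encrypt the sample with a timestamp-derived key, then recover it
    knowing only the ciphertext, the PNG signature and a +/-12 h window.
    Returns (recovered_seed, recovered_plaintext)."""
    infection_time = 1553000000            # constructed "time()" value
    ciphertext = xor_stream(SAMPLE_FILE, key_from_seed(infection_time))
    # Defender's knowledge: the file's modification time, to within a day.
    window_start = infection_time - 43200
    window_end = infection_time + 43200
    seed = recover_seed(ciphertext, PNG_SIGNATURE, window_start, window_end)
    if seed is None:
        return None, None
    return seed, xor_stream(ciphertext, key_from_seed(seed))


if __name__ == "__main__":
    found_seed, plaintext = demo()
    print("recovered seed:", found_seed, "plaintext ok:", plaintext == SAMPLE_FILE)
```

The same search is hopeless against `proper_key()`: with 256 bits of real entropy there is no small window to enumerate, which is exactly the difference between ransomware that gets a free decryptor and ransomware that does not.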

    6. Re:Building a decrypter? by CohibaVancouver · · Score: 1

      So the key stays on the victim's machine.

      Only if the criminal's intention is to actually permit the machine to be decrypted after the ransom is paid.

      If their only intention is to take the ransom, then say "So long sucker!" and disappear, then there's no need to store a key anywhere.

    7. Re:Building a decrypter? by SomePoorSchmuck · · Score: 1

      So the key stays on the victim's machine.

      Only if the criminal's intention is to actually permit the machine to be decrypted after the ransom is paid.

      If their only intention is to take the ransom, then say "So long sucker!" and disappear, then there's no need to store a key anywhere.

      But there's some basic game theory logic at work here.
      If ransomware folks want to make a lot of money quickly, then don't actually bother with decryption methods, just take the money and "so long sucker!".

      But if ransomware folks want to make any more money after three weeks from now, they have to provide the data decryption. If they don't, then after a few weeks news spreads around the world that ransomware is a total scam and your data is gone no matter what. People then stop paying the ransoms at all and just move on from a backup or start over from scratch. (Which is the proper response in any case.)

      --
      Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
    8. Re:Building a decrypter? by pr0fessor · · Score: 1

      The weakest link in security is usually the user and as such they are the best point to exploit. This is why the majority of stuff like this doesn't need to be well written, of course throw in a security researcher that keeps giving away removal tools and they are annoyed that they actually need to spend some time on code.

    9. Re:Building a decrypter? by AHuxley · · Score: 1

      Re "Which would be a method for blocking a ransomware attack in progress. "
      Have a look at "monitoring the file-system for the creation of encrypted files by suspicious processes"
      https://objective-see.com/prod...

      --
      Domestic spying is now "Benign Information Gathering"
  7. Quite a second career by 93+Escort+Wagon · · Score: 2

    Years ago, Fabian was a teen heartthrob back during my mother’s youth... and now, here in his twilight years, he’s helping ransomware victims recover their data? That’s seriously impressive.

    --
    #DeleteChrome
  8. Backups backups backups! by cormandy · · Score: 1

    Back up, people!

  9. Russian Dude by pacija · · Score: 1

    Ah, the "subtlety" of Western propaganda. The dude who turns up and beats the living hell out of the good guy can't be just Dude. Quite often it has to be Russian Dude. Malice or stupidity? Or just plain old xenophobia?

    1. Re:Russian Dude by Anonymous Coward · · Score: 1

      Perhaps the people for hire at the location in question are mostly Russian?

    2. Re:Russian Dude by Ryanrule · · Score: 2

      You think he isn't aware who he is pissing off? It's not the Italians.

    3. Re:Russian Dude by fwosar · · Score: 2

      I can see why someone may think that, but there was an aspect to the interview that was cut out. I used to live in one of the big German Baltic Sea harbour cities. The local shipyard was/is essentially a money laundering operation for the Russian mob. So obviously, when I started to get threats from Russian groups in particular, that makes you feel rather uneasy. Especially given that ransomware campaigns often have trouble turning the bitcoins back into "clean" money, and the go-to people for money laundering in the former USSR regions are the Russian mafia.

      People are also not aware of Germany's mandatory IDs and registrations. Essentially, if you want someone's address, you can go to the local municipality. As long as you provide enough information that allows them to uniquely identify a person in their records, you can obtain their address for a small fee (~$10). If you can make a valid claim (like they owe you money), you can get a lot more information than that. The amount of information you need to provide varies a bit. But usually, the full name is enough, provided there isn't another person with the same name in the same region. In that case, you may have to add in the birthday or an old address as well.

      So yeah, not really xenophobia. Just the local organised crime in the area I used to live, combined with the fact that the groups with the most credible threats were from former USSR countries.

  10. Re:You're a moron Huxster by Cmdln+Daco · · Score: 1

    Obviously it confuses you. So that's one who doesn't.

  11. Re:The first murderer. by Terwin · · Score: 2, Informative

    Cain was a farmer and offered up fresh, moist fruits and vegetables, while Abel was a rancher/herder and offered up the carcasses of animals rich in fat.
    Both were offering their best products, but the flames were bigger and brighter when consuming the fat, bone and fur than they were when consuming the fresh, moist vegetables, so it was assumed that God was more pleased by the one that burned better than the other.

    Due to that assumption, Cain became jealous and killed his brother.

    As far as I am aware, God was happy with both, at least until Cain committed murder.

  12. Re:A BS story by The-Ixian · · Score: 1

    But a virus writer would certainly be aware of a free fix for their virus being distributed on a public web site....

    --
    My eyes reflect the stars and a smile lights up my face.
  13. Re:A BS story by Aryeh+Goretsky · · Score: 1

    Hello,

    Computer virus writers, since back in the day of writing DOS viruses, did often put messages directed at anti-virus companies and even individual employees, as well as shout-outs to other virus writers and virus-writing groups. Song lyrics and poems would occasionally be included as well, sometimes to be displayed as part of a payload, otherwise just in there for, one presumes, the curious. The Stoned boot sector/MBR virus' "Legalise marijuana. Your PC is now stoned" message comes immediately to mind.

    Of course, these days, computer viruses are almost extinct. There are about two or three families of viruses which are still active (Sality, Virut, ...). Everything else is just various kinds of non-replicating malware, like the ransomware this article discusses. Replicating ransomware like Petya and WannaCry is still comparatively rare.

    Today, there is little concern from most developers about the size of their code, at least in the same way it was back in the mini-computer and dawn of the PC era where RAM might have been measured in kilobytes. When you have malware which is hundreds of KB long, or even over a megabyte like Stuxnet, the need to optimize code for size becomes something of a non-issue.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.