Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Crime United Kingdom

BBC Visits 'Hated and Hunted' Ransomware Expert (bbc.co.uk) 85

In "Hated and hunted," a BBC reporter describes visiting a ransomware expert "who has devoted himself, at huge personal cost, to helping victims of ransomware around the world." They hate him so much that they leave him angry threats buried deep inside the code of their own viruses... "I was shocked but I also felt a real sense of pride," says Fabian. "Almost like, a little bit cocky. I'm not going to lie, yeah, it was nice...." He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. When he's "in the zone", the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session.

All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back... According to research from Emsisoft, the cyber security company Fabian works for, a computer is attacked every two seconds. Their network has managed to prevent 2,584,105 infections in the past 60 days -- and that's just one anti-virus firm of dozens around the world.... "It's pretty much an arms race," says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back. Then the criminals release a new version which they hope I can't break... It escalates with them getting more and more angry with me...."

Fabian accepts that moving around and restricting his life and circle of friends is just a part of the sacrifice for his hobby-turned-profession... He earns a very good salary but looking around his home and at his life it's hard to see how he spends it.

He estimates that he's "upset or angered" 100 different ransomware gangs (based on his analysis of the Bitcoin wallets where they collect their ransoms.) One group had collected about $250,000 (£191,000) in three months -- until Fabian created a countering anti-ransomware program -- which is one reason he carefully hids his identity.

"I know how much money they make and it would be literally nothing for them to drop 10 or 20,000 for like some Russian dude to turn up to my house and beat the living hell out of me."
This discussion has been archived. No new comments can be posted.

BBC Visits 'Hated and Hunted' Ransomware Expert

Comments Filter:
  • I like to see the national breakdown. I know a few e Europe groups that are permanently butt hurt.
    • by Toth ( 36602 )

      I remember when the Bulgarians were the best hackers. They would include the names of viruses they had written on their resumes when applying for a computer job. Many firsts. Are they still in the game I wonder?

      • Re:Hmm (Score:5, Informative)

        by Aryeh Goretsky ( 129230 ) on Monday March 18, 2019 @12:56AM (#58290912) Homepage
        Hello,

        While Bulgaria was once a hot-bed of virus activity in the DOS era, the focus on malicious software has spread throughout Russia, Eastern Europe and the Baltic states, to the extent that it has crowded out Bulgaria as being a well-known source of malware. Of course, today malware is a global phenomenon, and you find clusters of development throughout the world, including regional specializations in both Asia and Latin America for targeting domestic banking, for example.

        Vesselin Bontchev [nlcv.bas.bg], one of the first people to document the Bulgarian virus scene via his seminal work, The Bulgarian and Soviet Virus Factories [nlcv.bas.bg], remains active in the field and would probably be the best source for current information on Bulgaria's position in the threat economy. He can also be found on Twitter [twitter.com], where his tendency towards logorrhea is somewhat tempered by the 280-character limit.

        Regards,

        Aryeh Goretsky
  • Ironically silk road had a solution for this problem. Just create an etherium payable contract that pays when the ransom where evil doer is killed, as measure by whatever method the contract specified as satisfactory proof the right person received the right result.

    Of course this is also a terrible idea. Paying mercs to kill people is going to result in incompetent mercs and dead innocents. Not to mention the whole idea of murder.

    Still given human nature if this option were offerend anonymously but widel

    • When they go low, we aim high

    • by piojo ( 995934 )

      Just create an etherium payable contract that pays when the ransom where evil doer is killed, as measure by whatever method the contract specified as satisfactory proof the right person received the right result.

      Setting aside for now the fact that that's horrible, how would it be implemented? Say it's not about killing someone but about buying a puppy. What is the oracle which tells the system that the requirements have been met?

      • In case of buying a puppy, you could submit a picture of the puppy and the receipt as proof. In case of an open contract on a person, proving the person was killed is trivial, but it might be hard proving that it was you who killed him.
      • by rastos1 ( 601318 )
        Ask Jim Bell [cryptome.org].
    • That's not new, and it has a simple solution. You know the "Wanted Dead or Alive" posters you see in westerns? They were only reserved for the worst criminals. The standard wanted poster was for capturing the criminal alive - as in you wouldn't get the reward if the criminal was killed. So all you have to do is give out the reward for information leading to the ransomware author's capture, no reward if he's killed.
  • alternate headline: "Assassins pay BBC to find address of ransomware expert."
    • The BBC is one of the worlds most respected media outlet. Normally when there is a polarizing debate, where I find both side to be exaggerated (which is easy to get on American News, and flipping sources to weed out the truth from hyperbole) I find that the BBC give a much more level headed explanation on the topic.

      Now the BBC could be banking on its good Karma, and work with the ransomware makers, but you can burn good Karma much faster then you can build it up. Besides Ransomware really doesn't bring in

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The BBC is one of the worlds most respected media outlet.

        They were, at one point, but certainly not since #PanoDrama.

      • Normally when there is a polarizing debate, where I find both side to be exaggerated (which is easy to get on American News, and flipping sources to weed out the truth from hyperbole)

        That's the distance giving them perspective. The BBC can be completely biased when it comes to British news.

  • by quantaman ( 517394 ) on Sunday March 17, 2019 @11:50PM (#58290806)

    “It’s pretty much an arms race,” says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back.”

    How does this work? There's probably some government agencies with the ability to crack various encryption schemes, but a dev at some anti-virus company?

    I'm sure he's pretty good at what he does, and there's probably a handful of instances where the ransomware folk did something dumb. But file encryption is pretty standard stuff, and I can't imagine it's too hard to generate a unique decrpytion key for each victim and to stop that key from persisting on the victims machine.

    So is the story mostly hype and the guy just cracked a couple crappy tools? Are the ransomware folk really that incompetent? Or am I missing something?

    • by AHuxley ( 892839 )
      Look at an average PC CPU and storage media on an average laptop/desktop computer.
      How fast can all the contents be encrypted to keep it secure from any/all expected decryption efforts?
      Then have it revert back to a working computer with the correct code?
      The idea is that the speed of CPU needed and that a lot of people use the same often used code set/example.
      The other idea is to detect a rapid, understood and unexpected for the users system code use of all CPU power.
      The spin up of CPU use for encrypti
      • That the OS encryption acts in a set way and its start can be detected in CPU by advanced AV software .

        Which would be a method for blocking a ransomware attack in progress. This article is about something completely different. Decrpyting a ransomware attack that was already completed.

        Gov methods don't help much if the encryption used is not common, not well understood and is not OS/commercial weak as sold.

        Whether or not some major government agencies can crack encryption doesn't really matter to this story. An AV researcher isn't going to be able to crack commonly available encryption algorithms. If he's releasing decryption tools he's doing it through other mechanisms.

    • by Anonymous Coward

      It's pretty simple. If the attackers are 'honest', than a decryption key actually exists. In that case, it is the malware authors who are playing 'defence' for once, and all the regular 'attack' vectors apply:

      1) The malware authors could have bugs in the implementation of the encryption just like every other program.
      2) They could store the keys on the client's machine, like many bad programs do.
      3) They could store the keys on a central server, which could get compromised just like any normal server.
      4) They

    • One angle you are perhaps missing is that this guy works for an AV company. Which means that he probably has access to some pretty good telemetry from several different systems attacked by the same malware. You can imagine that if something is seen once and reports it back to the mothership, the second, third, etc, instances are each delivering behavioral metrics on how the malware operates.

      Also, I am sure that because AV runs at such a low level in a system, it is able to do things like analyze all system

    • by fwosar ( 5865076 ) on Monday March 18, 2019 @10:07AM (#58292370)

      Obviously, I can't crack all ransomware out there and I never made that claim (and neither made the article). However, a lot of ransomware has flaws that can be abused just like a lot of other software has bad crypto. The flaws are usually just what you would also find in production code: Bad key generation, improper key sizes, inappropriate key re-use, server vulnerabilities.

      There are also some real "WTF?!" moments as well. For example, the first iterations of Cryptowall left the generated private key on the system by accident, because they copied sample code on how to use the CryptoAPI from the MSDN documentation without understanding what some of the parameters meant. Cryptowall later went on to become one of the most profitable ransomware campaigns in history with estimated revenues within the 300 million US dollar range. Bottom line is: As with many things, ransomware doesn't have to be perfect to cause a lot of damage.

      You can obviously dismiss it as a "guy cracked a couple crappy tools", but ultimately we broke over hundreds of different ransomware families and major revisions within said families.

    • The weakest link in security is usually the user and as such they are the best point to exploit. This is why the majority of stuff like this doesn't need to be well written, of course throw in a security researcher that keeps giving away removal tools and they are annoyed that they actually need to spend some time on code.

  • by 93 Escort Wagon ( 326346 ) on Monday March 18, 2019 @01:27AM (#58290954)

    Years ago, Fabian was a teen heartthrob back during my mother’s youth... and now, here in his twilight years, he’s helping ransomware victims recover their data? That’s seriously impressive.

  • Backup people!
  • Ah, the "subtlety" of Western propaganda. The dude who turns up and beats the living hell out of the good guy can't be just Dude. Quite often it has to be Russian Dude. Malice or stupidity? Or just plain old xenophobia?
    • by Anonymous Coward

      Perhaps the people for hire at the location in question are mostly russian?

    • You think he isnt aware who he is pissing off? Its not the italians.
    • by fwosar ( 5865076 )

      I can see why someone may think that, but there was an aspect to the interview, that was cut out. I used to live in one of the big German Baltic Sea harbour cities. The local shipyard was/is essentially a money laundering operation for the Russian mob. So obviously, when I started to get threats from Russian groups, in particular, that makes you feel rather uneasy. Especially given that ransomware campaigns often have trouble turning the bitcoins back into "clean" money and the go-to people for money launde

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors

Working...