BBC Visits 'Hated and Hunted' Ransomware Expert (bbc.co.uk) 85
In "Hated and hunted," a BBC reporter describes visiting a ransomware expert "who has devoted himself, at huge personal cost, to helping victims of ransomware around the world."
They hate him so much that they leave him angry threats buried deep inside the code of their own viruses... "I was shocked but I also felt a real sense of pride," says Fabian. "Almost like, a little bit cocky. I'm not going to lie, yeah, it was nice...." He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. When he's "in the zone", the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session.
All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back... According to research from Emsisoft, the cyber security company Fabian works for, a computer is attacked every two seconds. Their network has managed to prevent 2,584,105 infections in the past 60 days -- and that's just one anti-virus firm of dozens around the world.... "It's pretty much an arms race," says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back. Then the criminals release a new version which they hope I can't break... It escalates with them getting more and more angry with me...."
Fabian accepts that moving around and restricting his life and circle of friends is just a part of the sacrifice for his hobby-turned-profession... He earns a very good salary but looking around his home and at his life it's hard to see how he spends it.
He estimates that he's "upset or angered" 100 different ransomware gangs (based on his analysis of the Bitcoin wallets where they collect their ransoms). One group had collected about $250,000 (£191,000) in three months -- until Fabian created a countering anti-ransomware program -- which is one reason he carefully hides his identity.
"I know how much money they make and it would be literally nothing for them to drop 10 or 20,000 for like some Russian dude to turn up to my house and beat the living hell out of me."
Hmm (Score:1)
Re: (Score:3)
I remember when the Bulgarians were the best hackers. They would include the names of viruses they had written on their resumes when applying for a computer job. Many firsts. Are they still in the game I wonder?
Re:Hmm (Score:5, Informative)
While Bulgaria was once a hot-bed of virus activity in the DOS era, the focus on malicious software has spread throughout Russia, Eastern Europe and the Baltic states, to the extent that it has crowded out Bulgaria as being a well-known source of malware. Of course, today malware is a global phenomenon, and you find clusters of development throughout the world, including regional specializations in both Asia and Latin America for targeting domestic banking, for example.
Vesselin Bontchev [nlcv.bas.bg], one of the first people to document the Bulgarian virus scene via his seminal work, The Bulgarian and Soviet Virus Factories [nlcv.bas.bg], remains active in the field and would probably be the best source for current information on Bulgaria's position in the threat economy. He can also be found on Twitter [twitter.com], where his tendency towards logorrhea is somewhat tempered by the 280-character limit.
Regards,
Aryeh Goretsky
Live by the bitcoin, die by the bitcoin (Score:2)
Ironically, Silk Road had a solution for this problem. Just create an Ethereum payable contract that pays when the ransomware evil-doer is killed, as measured by whatever method the contract specified as satisfactory proof that the right person received the right result.
Of course this is also a terrible idea. Paying mercs to kill people is going to result in incompetent mercs and dead innocents. Not to mention the whole idea of murder.
Still, given human nature, if this option were offered anonymously but widel
killstarter? (Score:2)
When they go low, we aim high
Re: (Score:1)
Oh, I think more positive proofs can be provided, in the form of DNA samples from the grease spot where the former ransomware distributor was standing.
Re: (Score:2)
I saw that movie too!
Re: (Score:3)
Just create an Ethereum payable contract that pays when the ransomware evil-doer is killed, as measured by whatever method the contract specified as satisfactory proof that the right person received the right result.
Setting aside for now the fact that that's horrible, how would it be implemented? Say it's not about killing someone but about buying a puppy. What is the oracle which tells the system that the requirements have been met?
Re: (Score:1)
They are experts on unleashing, not defeating, ransoms.
And that assumes they are even experts, and not script kiddies.
Re: (Score:2)
No, he was suggesting targeting the criminals.
aka (Score:2)
Re: (Score:3)
The BBC is one of the world's most respected media outlets. Normally when there is a polarizing debate, where I find both sides to be exaggerated (which is easy to get on American News, and flipping sources to weed out the truth from hyperbole), I find that the BBC gives a much more level-headed explanation of the topic.
Now the BBC could be banking on its good Karma, and work with the ransomware makers, but you can burn good Karma much faster than you can build it up. Besides, Ransomware really doesn't bring in
Re: (Score:2, Insightful)
The BBC is one of the world's most respected media outlets.
They were, at one point, but certainly not since #PanoDrama.
Re: (Score:2)
Normally when there is a polarizing debate, where I find both sides to be exaggerated (which is easy to get on American News, and flipping sources to weed out the truth from hyperbole)
That's the distance giving them perspective. The BBC can be completely biased when it comes to British news.
Re: (Score:3, Informative)
Cain was a farmer and offered up fresh, moist fruits and vegetables while Abel was a rancher/herder and offered up the carcasses of animals rich in fat.
Both were offering their best products, but the flames were bigger and brighter when consuming the fat bone and fur than they were when consuming the fresh, moist, vegetables, so it was assumed that God was more pleased by the one that burned better than the other.
Due to that assumption, Cain became jealous and killed his brother.
As far as I am aware, God wa
Building a decrypter? (Score:4, Interesting)
“It’s pretty much an arms race,” says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back.”
How does this work? There's probably some government agencies with the ability to crack various encryption schemes, but a dev at some anti-virus company?
I'm sure he's pretty good at what he does, and there's probably a handful of instances where the ransomware folk did something dumb. But file encryption is pretty standard stuff, and I can't imagine it's too hard to generate a unique decryption key for each victim and to stop that key from persisting on the victim's machine.
So is the story mostly hype and the guy just cracked a couple crappy tools? Are the ransomware folk really that incompetent? Or am I missing something?
Re: (Score:2)
How fast can all the contents be encrypted to keep it secure from any/all expected decryption efforts?
Then have it revert back to a working computer with the correct code?
The idea is that the speed of CPU needed and that a lot of people use the same often used code set/example.
The other idea is to detect a rapid, understood and unexpected for the users system code use of all CPU power.
The spin up of CPU use for encrypti
Re: (Score:1)
Obviously it confuses you. So that's one who doesn't.
Re: (Score:3)
That the OS encryption acts in a set way and its start can be detected in CPU by advanced AV software.
Which would be a method for blocking a ransomware attack in progress. This article is about something completely different: decrypting a ransomware attack that was already completed.
Gov methods don't help much if the encryption used is not common, not well understood and is not OS/commercial weak as sold.
Whether or not some major government agencies can crack encryption doesn't really matter to this story. An AV researcher isn't going to be able to crack commonly available encryption algorithms. If he's releasing decryption tools he's doing it through other mechanisms.
Re: (Score:2)
Have a look at "monitoring the file-system for the creation of encrypted files by suspicious processes"
https://objective-see.com/prod... [objective-see.com]
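As an added illustration of the heuristic this comment points at (not code from the linked product or from the commenter), here is a small write-monitor model: each file write is scored by Shannon entropy, writes that carry a known compressed-container header are excluded so archivers and image editors do not trip it, and a process is flagged only once it has produced several such writes. The process names, paths and file contents are constructed sample data; the entropy threshold and the minimum-file count are assumptions to tune against real telemetry.

```python
import gzip
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Legitimate high-entropy formats are recognised by their magic bytes so that
# an archiver or image editor does not trip the heuristic.
COMPRESSED_MAGICS = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


@dataclass
class WriteEvent:
    """One file write as a minifilter-style monitor would report it (constructed)."""
    process: str
    path: str
    data: bytes


def is_suspicious_write(ev: WriteEvent, threshold: float = 7.2) -> bool:
    """High-entropy content with no known container header (threshold is an assumption)."""
    if ev.data.startswith(COMPRESSED_MAGICS):  # bytes.startswith accepts a tuple
        return False
    return shannon_entropy(ev.data) >= threshold


def find_suspicious_processes(events, min_files: int = 3) -> dict:
    """Processes that produced at least `min_files` suspicious writes."""
    hits = defaultdict(list)
    for ev in events:
        if is_suspicious_write(ev):
            hits[ev.process].append(ev.path)
    return {proc: paths for proc, paths in hits.items() if len(paths) >= min_files}


def pseudo_random_bytes(label: str, n: int) -> bytes:
    """Deterministic stand-in for ciphertext in the constructed sample."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{label}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


TEXT = (b"Quarterly report: revenue up 4%, costs flat, headcount 212. ") * 60

# Constructed event stream: an editor, an archiver (benign high entropy),
# a backup tool with two raw blobs, and a process renaming documents to .locked.
SAMPLE_EVENTS = [
    WriteEvent("notepad.exe", r"C:\Users\a\notes.txt", TEXT),
    WriteEvent("archiver.exe", r"C:\Users\a\q1.gz", gzip.compress(TEXT)),
    WriteEvent("archiver.exe", r"C:\Users\a\q2.gz", gzip.compress(TEXT * 2)),
    WriteEvent("archiver.exe", r"C:\Users\a\q3.gz", gzip.compress(TEXT * 3)),
    WriteEvent("backup.exe", r"D:\bak\vol1.bin", pseudo_random_bytes("bak1", 4096)),
    WriteEvent("backup.exe", r"D:\bak\vol2.bin", pseudo_random_bytes("bak2", 4096)),
] + [
    WriteEvent("updater_svc.exe", rf"C:\Users\a\doc{i}.docx.locked",
               pseudo_random_bytes(f"enc{i}", 4096))
    for i in range(4)
]

if __name__ == "__main__":
    for proc, paths in find_suspicious_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(paths)} high-entropy writes, e.g. {paths[0]}")
```

Entropy alone cannot tell encrypted output from compressed output, which is why the magic-byte allow-list and the per-process count matter: a real monitor would add rename patterns, write rate and canary files, but the shape of the decision is the same.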
Re: (Score:2)
So the key stays on the victim's machine.
Only if the criminal's intention is to actually permit the machine to be decrypted after the ransom is paid.
If all their intention is to take the ransom, then say "So long sucker!" and disappear, then there's no need to store a key anywhere.
Re: (Score:1)
So the key stays on the victim's machine.
Only if the criminal's intention is to actually permit the machine to be decrypted after the ransom is paid.
If all their intention is to take the ransom, then say "So long sucker!" and disappear, then there's no need to store a key anywhere.
But there's some basic game theory logic at work here.
If ransomware folks want to make a lot of money quickly, then don't actually bother with decryption methods, just take the money and "so long sucker!".
But if ransomware folks want to make any more money after three weeks from now, they have to provide the data decryption. If they don't, then after a few weeks news spreads around the world that ransomware is a total scam and your data is gone no matter what. People then stop paying the ransoms at all and
Re: (Score:1)
It's pretty simple. If the attackers are 'honest', then a decryption key actually exists. In that case, it is the malware authors who are playing 'defence' for once, and all the regular 'attack' vectors apply:
1) The malware authors could have bugs in the implementation of the encryption just like every other program.
2) They could store the keys on the client's machine, like many bad programs do.
3) They could store the keys on a central server, which could get compromised just like any normal server.
4) They
Re: (Score:2)
One angle you are perhaps missing is that this guy works for an AV company. Which means that he probably has access to some pretty good telemetry from several different systems attacked by the same malware. You can imagine that if something is seen once and reports it back to the mothership, the second, third, etc, instances are each delivering behavioral metrics on how the malware operates.
Also, I am sure that because AV runs at such a low level in a system, it is able to do things like analyze all system
Re:Building a decrypter? (Score:5, Informative)
Obviously, I can't crack all ransomware out there and I never made that claim (and neither did the article). However, a lot of ransomware has flaws that can be abused just like a lot of other software has bad crypto. The flaws are usually just what you would also find in production code: Bad key generation, improper key sizes, inappropriate key re-use, server vulnerabilities.
There are also some real "WTF?!" moments as well. For example, the first iterations of Cryptowall left the generated private key on the system by accident, because they copied sample code on how to use the CryptoAPI from the MSDN documentation without understanding what some of the parameters meant. Cryptowall later went on to become one of the most profitable ransomware campaigns in history with estimated revenues within the 300 million US dollar range. Bottom line is: As with many things, ransomware doesn't have to be perfect to cause a lot of damage.
You can obviously dismiss it as a "guy cracked a couple crappy tools", but ultimately we broke hundreds of different ransomware families and major revisions within said families.
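The two comments above (the numbered list of 'attack vectors' against the malware's own crypto, and Fabian's list of flaw classes) can be made concrete with a constructed toy scheme. This is added example code, not Cryptowall's, Emsisoft's or any real family's code: it deliberately reproduces two of the flaw classes named, a per-victim key derived from a low-entropy 32-bit timestamp-style seed ("bad key generation") and one keystream shared by every file ("inappropriate key re-use"), and then shows the decrypter side: a responder who knows roughly when the files were touched walks the seed window and uses a known file header as the oracle, or uses one fully known file to recover the shared keystream. The seed value, file contents and window width are all assumptions made up for the demo.

```python
import hashlib
import struct
from typing import Optional

# Constructed toy scheme (NOT any real ransomware family's code) that
# reproduces two flaw classes named in the thread.


def derive_key(seed: int) -> bytes:
    """FLAW 1: a 32-bit seed (the sample's 'infection time') is the only secret."""
    return hashlib.sha256(struct.pack(">I", seed)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stdlib-only stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(seed: int, plaintext: bytes) -> bytes:
    """FLAW 2: no per-file nonce, so every file shares the same keystream."""
    return xor_bytes(plaintext, keystream(derive_key(seed), len(plaintext)))


# File headers a decrypter can use as a known-plaintext oracle.
KNOWN_MAGICS = (b"%PDF-", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04")


def recover_seed(ciphertext: bytes, window_start: int, window_end: int) -> Optional[int]:
    """Decrypter for FLAW 1: walk the plausible seed window and keep the seed
    whose keystream turns the encrypted file header into a known magic."""
    head_len = max(len(m) for m in KNOWN_MAGICS)
    head = ciphertext[:head_len]
    for seed in range(window_start, window_end + 1):
        candidate = xor_bytes(head, keystream(derive_key(seed), head_len))
        if candidate.startswith(KNOWN_MAGICS):
            return seed
    return None


def decrypt_with_seed(seed: int, ciphertext: bytes) -> bytes:
    return toy_encrypt(seed, ciphertext)  # an XOR stream cipher is its own inverse


def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """Decrypter for FLAW 2: one fully known file (e.g. a stock template) yields
    the shared keystream prefix, which decrypts every other file up to that length."""
    return xor_bytes(known_plaintext, its_ciphertext)


# ---- constructed sample "incident" ----
INFECTION_SEED = 1_546_300_800            # 2019-01-01T00:00:00Z as a 32-bit value (assumed)
VICTIM_PDF = b"%PDF-1.7\n%constructed sample document\n" + b"0123456789" * 100
VICTIM_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00IHDR" + b"\x11" * 500
ENC_PDF = toy_encrypt(INFECTION_SEED, VICTIM_PDF)
ENC_PNG = toy_encrypt(INFECTION_SEED, VICTIM_PNG)


def demo(window_hours: int = 1) -> dict:
    """Responder knows file mtimes (roughly the infection time), not the seed."""
    half = window_hours * 3600
    seed = recover_seed(ENC_PDF, INFECTION_SEED - half, INFECTION_SEED + half)
    ks = recover_keystream(VICTIM_PNG, ENC_PNG)   # PNG assumed known (a stock asset)
    return {
        "seed": seed,
        "pdf_ok": seed is not None and decrypt_with_seed(seed, ENC_PDF) == VICTIM_PDF,
        "pdf_via_reuse": xor_bytes(ENC_PDF, ks) == VICTIM_PDF[:len(ks)],
    }


if __name__ == "__main__":
    print(demo())
```

The seed search tries a two-hour window (7,201 candidates) at the cost of two hashes each, which is why a timestamp-seeded key offers no real protection; the header check is the same trick a real decrypter uses to confirm a candidate key before it touches the rest of the file.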
Re: (Score:2)
The weakest link in security is usually the user and as such they are the best point to exploit. This is why the majority of stuff like this doesn't need to be well written, of course throw in a security researcher that keeps giving away removal tools and they are annoyed that they actually need to spend some time on code.
Quite a second career (Score:3)
Years ago, Fabian was a teen heartthrob back during my mother’s youth... and now, here in his twilight years, he’s helping ransomware victims recover their data? That’s seriously impressive.
Backups backups backups! (Score:2)
Russian Dude (Score:1)
Re: (Score:1)
Perhaps the people for hire at the location in question are mostly Russian?
Re: (Score:2)
I can see why someone may think that, but there was an aspect to the interview, that was cut out. I used to live in one of the big German Baltic Sea harbour cities. The local shipyard was/is essentially a money laundering operation for the Russian mob. So obviously, when I started to get threats from Russian groups, in particular, that makes you feel rather uneasy. Especially given that ransomware campaigns often have trouble turning the bitcoins back into "clean" money and the go-to people for money launde
Re: (Score:2)
But a virus writer would certainly be aware of a free fix for their virus being distributed on a public web site....
Re: (Score:2)
Hello,
Computer virus writers, since back in the day of writing DOS viruses, did often put messages directed at anti-virus companies and even individual employees, as well as shout-outs to other virus writers and virus-writing groups. Song lyrics and poems would occasionally be included as well, sometimes to be displayed as part of a payload, otherwise just in there for, one presumes, the curious. The Stoned boot sector/MBR virus' "Legalise marijuana. Your PC is now stoned" message comes to immediate mind.