Ransomware fighter on the run after costing hacker gangs millions


Security expert Fabian Wosar is in hiding after costing ransomware authors hundreds of millions of dollars since 2012.

The German-born IT security expert was even forced to move countries to get away from his pursuers, and he continually shifts between locations in London to stay ahead of an estimated 100 ransomware gangs trying to track him down.

He moved again just a few days before speaking with Micky.

“They follow me on Twitter, they have attempted to figure out where I live and there have been a lot of hidden messages in the ransomware (code),” Wosar said via Skype from an undisclosed location in London.

Hackers even released ransomware named in his honour, ‘Fabiansomware’.

Fighting crime from his front room

Wosar is the Chief Technology Officer for NZ IT security firm Emsisoft and he develops the anti-ransomware tools the company gives away for free.

https://www.emsisoft.com/ransomware-decryption-tools/

“The insults and the comments made me realise I need to keep a low profile. People are literally searching for me to find out where I live,” Wosar said.

“Obviously that’s an issue when you have people looking for you because you’re doing serious damage to their business – we’re talking hundreds of millions in damages to their business.”

Wosar showed Micky some code hidden in a tweet sent to him that would have logged his geolocation if he had been careless enough to click on it.

99% of ransoms are paid in Bitcoin

Ransomware is a form of malware that encrypts the files on a victim’s system and promises to decrypt them if a ransom is paid.

In 99% of cases, the ransom is demanded in Bitcoin.

Ransomware can have a huge impact – the WannaCry outbreak infected 300,000 computers in 150 countries, while the NotPetya strain caused an estimated $10 billion in damages.

Ransomware attacks on businesses have increased by 365% over the past year according to Malwarebytes Labs, and the average ransom paid now stands at $36,295.

Despite having major impacts, it’s actually quite a small industry: Wosar estimates there are only about 100 ransomware authors worldwide and perhaps another 1,000 associated criminals.

That means they’re keenly aware of what he does and they want to stop him.

Moving from Germany

“On my LinkedIn I had the location set to Hamburg, and I got messages saying ‘we have “friends” in Hamburg’, in a threatening manner. I got threats left and right, things people wanted to do to my mother.

“That was the moment I thought ‘This is getting heavy,’ and I removed all my pictures from social media and any identifying information.”

He moved to the UK shortly afterwards and even his coworkers don’t know where he lives. Wosar said he doesn’t appear in public and doesn’t usually attend security conferences due to the risk, though he’s making an exception this year.

“I will do a couple this year but they will be vetted – one is by the FBI,” he explained.

How do you thwart ransomware?

Wosar said there are a few different ways to thwart ransomware. Breaking the encryption itself outright is very difficult, but implementing cryptography correctly is difficult too, and the authors often get it wrong.

“Usually the first version isn’t perfect and I may be able to find a flaw that allows me to recover files without paying the ransom,” he explained.

He said that every time he breaks the encryption or exploits a flaw, the ransomware authors come back stronger and more secure the next time.

“Sometimes this goes back and forth for several months,” he said.

“When a ransomware family is new, about 50% are insecure and I can break them. The more they improve it and the cat and mouse [game] goes on, the less likely it is I can break them.”

Different approaches

Wosar combats ransomware through a few different approaches. Sometimes the hackers don’t secure their servers properly, so he breaks into those servers and retrieves the encryption keys.

In some instances, the authors reuse keys, which enables Wosar to work backwards from files whose contents are already known and decrypt the rest.
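The flaws described in the last two sections (a first version that can be broken, and key reuse that lets files be recovered without the key) are easiest to see with a concrete case. The following is an added illustration, not Wosar’s or Emsisoft’s code and not taken from any real ransomware family. It assumes a toy stream cipher (a SHA-256 based keystream standing in for AES-CTR), a “version 1” that reuses one key and one nonce for every file on the victim’s machine, and a “version 2” that uses a fresh nonce per file. The victim files are constructed for the example. Given one file whose original content can be obtained elsewhere, the analyst XORs it against its ciphertext to get the keystream and then strips that keystream from every other file that is no longer than the known one; the same trick yields nothing useful once the authors stop reusing the nonce.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || nonce || i).

    Stands in for AES-CTR (an assumption for this example). The flaw shown
    below is not in the primitive but in reusing the same (key, nonce) pair
    for every file, which makes every file's keystream identical.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def careless_encrypt(files: dict, key: bytes, nonce: bytes) -> dict:
    """'Version 1' ransomware: one key and one nonce for the whole victim."""
    return {name: xor(data, keystream(key, nonce, len(data)))
            for name, data in files.items()}


def per_file_nonce_encrypt(files: dict, key: bytes) -> dict:
    """'Version 2', after the authors fix the bug: a fresh nonce per file.

    Returns name -> (nonce, ciphertext); the nonce is stored next to the file.
    """
    out = {}
    for name, data in files.items():
        nonce = os.urandom(16)
        out[name] = (nonce, xor(data, keystream(key, nonce, len(data))))
    return out


def recover_all(encrypted: dict, known_name: str, known_plaintext: bytes) -> dict:
    """Known-plaintext recovery without ever learning the key.

    ciphertext = plaintext XOR keystream, so one file whose original content
    is available (a stock OS file, a PNG header, an installer that can be
    re-downloaded) gives keystream = ciphertext XOR plaintext. If that
    keystream was reused, every other file no longer than the known one
    decrypts with it.
    """
    ks = xor(encrypted[known_name], known_plaintext)
    recovered = {}
    for name, ct in encrypted.items():
        if len(ct) <= len(ks):  # we only learned as much keystream as the known file is long
            recovered[name] = xor(ct, ks)
    return recovered


def sample_files() -> dict:
    """Constructed victim files for the demonstration (not real data)."""
    return {
        # a file whose pristine copy the analyst can obtain elsewhere (296 bytes)
        "readme.txt": b"Standard boilerplate text that the analyst can obtain a pristine copy of. " * 4,
        # the file the victim actually wants back, shorter than the known one
        "invoice.txt": b"Invoice #4711: 3 x widget @ 19.99 EUR, total 59.97 EUR, due in 30 days.",
        # longer than the known file: not enough keystream is recovered for it
        "archive.bin": bytes(range(256)) * 2,
    }


def demo() -> tuple:
    files = sample_files()
    key = os.urandom(32)  # the analyst never learns this

    # Version 1: key and nonce reused -> every file short enough comes back.
    v1 = careless_encrypt(files, key, os.urandom(16))
    v1_recovered = recover_all(v1, "readme.txt", files["readme.txt"])

    # Version 2: fresh nonce per file -> the same trick recovers only the known file.
    v2 = per_file_nonce_encrypt(files, key)
    v2_recovered = recover_all({n: ct for n, (_, ct) in v2.items()},
                               "readme.txt", files["readme.txt"])
    return files, v1_recovered, v2_recovered


if __name__ == "__main__":
    files, v1_rec, v2_rec = demo()
    print("v1 invoice recovered:", v1_rec["invoice.txt"] == files["invoice.txt"])
    print("v1 archive recovered:", "archive.bin" in v1_rec)
    print("v2 invoice recovered:", v2_rec["invoice.txt"] == files["invoice.txt"])
```

The longer `archive.bin` is the practical limit of this approach: the analyst can only strip as much keystream as the longest known file provides, which is why a large, unmodified file with a retrievable original is worth more than a short one.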

On one occasion, ransomware authors contacted him to ask for his help, after they were unable to decrypt their own encryption.

“They asked me to help them out because they know I care about users getting back their data. It’s a moral grey area because on the one hand I do care about users getting their files back but I don’t want to help ransomware authors.”

He ended up pointing the ransomware authors towards some Windows API documentation where they could find the answers they needed.

“I nudged them in the right direction,” he said.

If your computer or business is infected with ransomware, Wosar has some simple advice.

What you should do if you’re attacked

Don’t try to remove the ransomware from your system – quarantine it, but don’t outright delete it or format your drive. Wosar needs a sample of the malware to have any hope of cracking it.

“It’s extremely difficult and in many cases impossible (to fix),” he said.

“Your chances increase dramatically if you can provide the ransomware executable on the system.”

He said not to take the ransomware authors’ own description of which variant infected your system at face value. They often lie.

Head to ID Ransomware and upload an encrypted file and the ransom note.

“It will try and work out which ransomware you were hit by – also by looking at the Bitcoin wallet address. It will tell you if a free fix is available.”

If you have to pay, hire a negotiator

While recent research has shown that ransomware authors do decrypt files 94% of the time after receiving their ransom, Wosar does not advise people to pay unless there is no other choice.

This only encourages more ransomware attacks and rewards criminal behavior.

However, he understands that sometimes it is necessary to pay up to recover essential files.

“You can’t go to the tax office and say ‘whoops, I lost all my invoices and receipts’, so if it truly is the very last option you may want to pay.

“If you go down that road it may be advisable to get a negotiator on board with experience.”

Wosar noted that professional ransomware negotiators can often bargain the price down, and that it helps with bookkeeping, as it can be very difficult to explain to the tax office why your company sent $200,000 in Bitcoin to a random address.

“It’s easier for a large company to pay a negotiator because then you get an invoice and they deal with all the headaches,” he said.