The price of being a ransomware hero: Chips with Everything podcast
Your avatar is a drawing of a nice round face of a man with a brown beard, wearing some kind of bear costume. The picture was sent to you by fans. So what made you like it enough to use it as your public avatar?

I'm like a huge fan of polar bears, so when the person contacted me, it was actually like a ransomware victim, right, and I helped him out and got them their files back, and they were like a graphic artist, a cartoonist, so they asked if I would accept like money or if I wanted a donation. I said no, no, it's free. And then they offered, hey, maybe they can draw an avatar, so yeah, I said maybe you can draw me in, like, a polar bear costume, like a polar bear onesie, and he said yeah, sure, right away, and I kept using it. It's quite nice, actually.

This is Fabian Wosar, the CTO of a New Zealand-based antivirus company called Emsisoft, although he's not a big fan of titles. Fabian is known around the world as a hero for decrypting ransomware, which is a particular type of malicious software that is sent out by criminals in an attempt to extort money from their chosen victim. The victims that Fabian helps every day love him; the ransomware hackers he thwarts, not so much. That's another reason he uses artwork for his avatar rather than showing his real face.

The kind of work I do, we manage to hurt the cybercriminals that are behind all these campaigns quite a bit, and we are talking about hundreds of millions of dollars, so they do have a real incentive in stopping what we are doing. Essentially, I pretty much have to protect myself, so I don't want people to know who I am, where I live, all these kinds of things.
Fabian has sacrificed a lot to stay ahead of these kinds of criminals, but in an age in which ransomware is being used to blackmail not only individuals and companies but even entire cities, his sacrifices are worth knowing about.

I also had to account for my mom back then, who was quite sick, so not only did I have to fear for my personal safety but also for hers, and that comes into play, like, the reason why I left Germany.

I'm Jordan Erika Webber, and this week I look at what happens behind the scenes during a ransomware attack and examine the life of one individual who spends most of his waking hours trying to help thousands of victims retrieve data. This is Chips with Everything.

For the longest time I refused to take on the CTO title and always went by just, like, a developer like anyone else, like the head of research.

Ransomware has quickly become one of the easiest and most efficient ways for cybercriminals to make money.

When you look at large ransomware campaigns like GandCrab, for example, I mean, they claim that they made more than two billion US dollars.

GandCrab is just one example of dozens of famous ransomware families. You might have heard of some of them: there's TeslaCrypt, SamSam, Ryuk, Apocalypse, CryptoLocker and many more, with the potential to cause serious damage. The ransomware game has evolved from when we first started seeing these kinds of attacks.

It started off with what is called a screen locker. Those were like those screens that said, hey, we are from the FBI and you did something really, really naughty on your system, and we locked up your system, and now please pay us like four hundred dollars in Paysafecard or Ukash or something like that. Then they moved on to encrypting the data, because even if you remove the ransomware you still wouldn't have access to your data, and that's pretty much the most prevalent kind of ransomware today. Your system gets hijacked because you had, like, RDP open, some sort of remote control, and you didn't patch your system properly, or you got, like, a phishing email and it has an attachment and you open it, or you download, like, pirated software from the Internet. Once they've got access to your system, they will search all your drives and your entire network, in most cases, for files that the ransomware author thinks are interesting or important to you, like pictures, videos, documents, office documents, all this kind of stuff, and then they will encrypt all of them and leave behind, like, a small ransom note that just says, hey, we have all your files and they're all locked up. You won't get them back unless you pay a certain amount.

Many of the past victims of ransomware have been individuals like you and me. You might not think you have much of worth on your desktop PC, but if you have irreplaceable videos from your wedding or photos of your kids, you can see how an everyday citizen might be an easy target. But in the last few years there's been a shift: cybercriminals are aiming higher.

Now to that network shutdown in Baltimore city government after that ransomware attack. The FBI is investigating to find the cause and the scope.

In May of this year the US city of Baltimore was hit by a ransomware attack that saw hackers demand thirteen bitcoin, which is currently worth more than one hundred thousand dollars, in order to unlock government systems like government email accounts and systems that enable city payments.

Essential services like 911 and 311 are still working, but most of the city's servers are shut down. City employees lost access to emails, and the Department of Public Works has suspended late water bill fees.

In another high-profile example, the WannaCry ransomware hit a large number of networks across Europe, including the NHS, which lost ninety-two million pounds from the attack.
The number of attacks on individuals, on the other hand, has plummeted in the last eighteen months or so, and Fabian says the reason for this sudden shift in targets is due in part to the increased popularity of the smartphone.

Nowadays most people have a lot of their private information, like a lot of the data that they really need and really use, on the mobile phone, and the mobile phone backs up into the cloud, so they always have kind of a backup. So for home users ransomware is still an issue, but it's nowhere near as big of an issue as it once was. Nowadays most ransomware criminals go after companies specifically, and the reason for that is, especially in the last year, like, the ransom amounts, they just exploded, and in my opinion the reason for that is that most companies, and also most municipalities, governments, universities, they have cyber insurance, and cyber insurance has, like, two aspects to it. First of all, if you get hit by ransomware they may pay the ransom, and if you get hacked otherwise they will pay for the loss of revenue, and in a lot of cases paying the ransom is a lot cheaper than going through the entire restore process, which can often take days, even weeks. So it's not unheard of that, like, a company requires two weeks, three weeks to recover all their stuff from the backup, which means two or three weeks' loss of revenue, which the cyber insurance would have to pay.

In other words, companies and their cyber insurance providers might decide it's more cost-effective to just pay the ransom. But one company went against the status quo.

A very brief statement from this morning, basically saying that there had been an extensive cyber attack which occurred in the early hours of this morning. They say it impacted operations in several of the company's business areas.

Norsk Hydro, which is one of the world's largest producers of aluminium, was targeted by hackers in March. Not only did they refuse to pay the ransom, but they decided to tell their shareholders and the general public about the attack. It cost the company millions, but Fabian believes it was the right move.

They showed that if you got hit by ransomware or hacked in any way, if you properly communicate, if you're open with your customers, if you keep people informed, then your company will most likely be fine. Because a lot of companies, when they get hit by ransomware or get hacked in general, they don't say anything, really; they are afraid of what would happen, like, will the stock price crash, will our revenue go down, will we be ruined, pretty much. So in many cases they try to keep it secret, especially where, like, with the advent of the GDPR, for example, you have to report these things, so things will always get public unless you ignore the GDPR, and then you have, like, a lot of other issues. It's just good to have, like, an example to point companies to that went through something very similar and tell them, hey, listen, just do what they did. I mean, they are fine. And what is more important, since they didn't pay, they also don't enable the ransomware authors to go ahead and target even more companies with the new resources, and they prevent them from becoming victims, so that's always great.

What does ransomware actually look like for someone who's experiencing it? So if you fall victim to this kind of virus, what do you see, in most cases, especially in the beginning?
You don't see anything, and that's on purpose, because if you were to suspect that something's wrong on your system you may turn it off, and in a way you would interrupt the encryption process and not everything is fully encrypted, right. You may notice that your system becomes kind of slow. That's because a lot of data is being written to the hard disk, which slows things down. You may see that the files on your desktop change, that they suddenly have a different extension or you can no longer double-click them to open them, and things like that. And, yeah, then eventually, once the ransomware has finished encrypting all your files, you will usually see a ransom note popping up on your screen. Sometimes the ransom note includes, like, instructions on how to get bitcoin, because honestly most people don't really know how to get bitcoin in the first place. So, yeah, that's usually what happens when you become a victim.

And if you do become a victim, what should you do, like, as an individual?

So this may sound really unintuitive, but the first thing you should do is: don't remove the ransomware, and the reason for that is quite simple. Like, when you contact someone like me, right, in order for me to figure out what the ransomware did, I actually need the ransomware, and if you deleted it from your system and you no longer have it, then I have to find the exact ransomware that encrypted your system, and most people may not be aware of it, but there are literally hundreds of thousands, if not millions, of new malware files generated per day. That means you're looking for a needle in, like, a huge stack of other needles. If it was hay it would be great, because then the needle would stick out, but it isn't. It's just, like, this colossal mess, really. So first of all, don't remove the ransomware. You should probably disconnect the system from the network, mostly so the ransomware can't spread through the network, right. The next step is you need to figure out what kind of ransomware it is, and oftentimes ransomware will say, yeah, I am ransomware such and such, I am ransomware GandCrab, for example. You shouldn't trust those names, and the reason for that is quite simple. There are a lot of copycats out there, we call them script kiddies, who just try to profit off, like, a large ransomware brand by imitating the name and stuff like that, even though they aren't the ransomware they are claiming to be, and often they are very shoddily programmed, very insecure. So don't do that. There's actually a website that is called ID Ransomware, and there you can upload the ransom note and you can also upload one of the encrypted files, and the website will figure out which ransomware family you got hit by, and not only that, it will even tell you if there's, like, a free way to decrypt your files. So if someone like us already published a free decrypter for this particular ransomware family, then you can just download it, you can just run it on your system and decrypt your files, and then you're back to normal. So that's great. And ultimately you also have to figure out, like, how was it that I got infected by ransomware to begin with? Because imagine you managed to get your files back and everything is fine. If you don't figure out what you did wrong or what went wrong in the first place, you will get hit again.
Especially in the case of, like, Norsk Hydro, for example, they got hit by Ryuk, and Ryuk is what we call a secondary infection. That means their system and their network was initially infiltrated by completely different malware, and if they find themselves on a company network, or if they find themselves on a system that looks really, really juicy, so to say, with a lot of data that looks important, they will actually deploy the ransomware.

If you are hit by a ransomware attack and you can't figure out how to fix it by yourself, you can always contact someone like Fabian. A lot of people get in touch with him through Twitter or will send him an email. If you need him one day, he'll happily try and find you a decrypter that you can download to rid your system of the ransomware. All of this good work comes at a price, though. For Fabian, that price is personal safety.

There were also incidents where people sent me links on Twitter, for example, that were encoded and encrypted, kind of trying to get me to engage in the riddle and then maybe figure out the URL and then go to it, and then it turned out it was an IP logger, and using the IP address you can actually figure out, like, where someone is roughly located.

More on that after the break.

Welcome back to Chips with Everything. I'm Jordan Erika Webber, and this week I'm taking a look at ransomware with one person who spends most of his time trying to prevent cybercriminals from extorting money from innocent victims. Fabian Wosar, a renowned anti-ransomware expert, has worked on thousands of cases over the course of his career. As you can imagine, Fabian's path to becoming a world-renowned anti-ransomware hacker has seen him help a lot of victims along the way.

I would think probably a couple of thousand at this point. I mean, I have been doing this for about seven years at this point, and usually, actually, per week it's like ten, fifteen, twenty people. It's a little bit seasonal. Christmas is quite popular.

Why do you think that is? Is it, like, older, less tech-literate people getting devices?

I think it's more the fact that people send out, like, virtual greeting cards and so on, so they may be more inclined to open attachments and open emails and kind of lower their guard a little bit, because I think most people nowadays are a lot more careful than they were, like, ten years ago. But especially for holidays, birthdays, Valentine's Day, for example, Christmas, whenever there's, like, some huge event, like the release of the Mueller report, for example, in the US, ransomware kind of tries to capitalise on these specific events by sending out all kinds of spam emails that relate to these events and kind of try to trick people into opening them.

What are some of the highest-stakes cases that you in particular have dealt with, whether by money or just how much the person stood to lose?

Recently I got approached by an MSP, which is, like, a managed service provider, essentially a company that takes care of, like, all the IT, the computers, of other companies who don't have IT as their main business, but they do use computers, but they don't really know how to maintain them and stuff. And often those companies are rather small, so it's not really cost-effective for them to hire their own IT staff, so they kind of outsource it to these MSPs. And that MSP actually got hacked, and from there the ransomware authors had access to, I think it was like over two thousand systems, and they all got encrypted. So that was quite hectic, and I think the ransom amount there was somewhere between five hundred thousand and a million.

Fabian and the team at Emsisoft couldn't find a way to completely save the company from paying a ransom, but in the end Fabian came up with a solution that drastically reduced the amount they did have to pay.

I did find a flaw inside the ransomware that allowed us, if we would purchase the decrypter for only one system, which was obviously way lower, I could use that one to kind of derive decrypters for all the other systems as well. So in effect, what happened, instead of them having to pay, like, almost a million US dollars, they only ended up paying, I think, like five K, something like that.

Which must have made them quite happy.

Oh yeah, yeah, definitely.

Fabian considered this a win on purely monetary grounds, but the stakes aren't always financial. Fabian told me about a photographer he helped here in the UK.

He did, like, wedding photography and funeral photography, for example, and he got hit by a ransomware called Xorist. He had just recently done, like, a whole bunch of pictures of a funeral, and, like, all of that was lost, and obviously you can't just redo the funeral and take the pictures again. Yeah, he was quite delighted when he got all his files back, and especially if you are a very small business, even paying, like, a thousand US dollars, you just can't, you don't have the money to do so. That was quite emotional. I'm still in contact with the photographer, actually, every now and then. He writes emails and tells me about how he's doing. He has, like, a daughter who wants to go into cryptography and wants to do what I do, which is kind of, to be honest...
That's incredible.

Yeah, yeah.

He inspired a generation, kind of. So you talk about how you find a flaw in the ransomware code. So say people find you, they contact you, and then, you know, these problems land on your desk. How do you go about cracking the code? I presume it's incredibly complicated in the eyes of a regular person.

I think everything is complicated if you've never done it. If you've never done it, you don't know how to do it; it comes with practice. But usually the process is always quite similar. It's, like, finding the ransomware that's responsible, then we call it disassembling the code, pretty much. That means we use software to break it down to, like, the very instructions that the processor executes when running the program, and we look for things, and there are, like, a whole bunch of different flaws.

In 2015 Fabian started to notice something odd popping up in some of the ransomware he was being asked to decrypt. Within the code were personal insults directed specifically at Fabian. The ransomware criminals were speaking directly to Fabian, not only to send verbal abuse but to try to get him to stop decrypting their work.

I mean, it was honestly quite flattering, because it meant they obviously took notice of me, right, and because I am hurting their business. So it was quite flattering, and I made it a point to just, on my Twitter feed, post every single insult that I ever got and pretty much make fun of them.

But the messages Fabian was finding in the malware couldn't always be read as flattery.

Over time it got, like, a lot more personal, like people trying to figure out where I live, and people sent me messages not only in the ransomware but also, like, on Twitter, like in various communities, like they registered accounts and insulted me there.

At one point someone even named a virus Fabiansomware, to try to convince potential ransomware victims that Fabian himself might be the one targeting them.
The virus was actually created by a ransomware family called Apocalypse, a group that Fabian had thwarted several times over.

Every time they released a new ransomware, I found it, I broke it, and, like, all the victims got their files back, and then they changed the ransomware, because they didn't really know why it broke or how, and so they just made random changes all over the place, hoping that this time it would be secure, and it never was. And all of that went on for, like, over six months, and eventually they were, like, so annoyed by it that they just rebranded their ransomware, and they put, like, a picture of my avatar inside the ransomware, of my avatar doing something very, very inappropriate. So that was pretty bizarre, to be honest. I still cracked it, though, so that was fine. So eventually they figured out how to do it properly, so we could no longer break the ransomware, and they made, I think, barely three hundred thousand or four hundred thousand dollars in about two months, and then they just stopped.

For the most part Fabian found humour in the cat-and-mouse game he sometimes ended up playing with ransomware authors, but the insults and threats that he received in the code had a real effect on his life. When he first started getting these messages he was living and working in Germany.

And, like, at one point I received messages from ransomware authors, like, hey, by the way, we have friends in Hamburg. So that was, like, the point where I thought, OK, maybe I should stop a little bit, or go a little bit lower profile, so to say. There were also incidents where people sent me links on Twitter, for example, that were encoded and encrypted, kind of trying to get me to engage in the riddle and then maybe figure out, like, the URL and then go to it, and then it turned out it was an IP logger. And the URL, essentially, is just, like, a link that, when you click on it, it registers the IP address, and using the IP address you can actually figure out, like, where someone is roughly located.

Fabian never actually lived in Hamburg, but he decided the risk to his personal safety and the safety of his loved ones was too high.

I also had to account for my mom back then, who was quite sick, so not only did I have to fear for my personal safety but also for hers, and that comes into play, like, the reason why I left Germany.

Despite making so many sacrifices, Fabian is still keeping a low profile. No one knows where he lives, he doesn't leave his house much, and he doesn't go back to Germany, all of which can lead to a lonely existence.

I'm obviously always in contact with, like, all my co-workers, like friends in Germany, and I also have, like, a couple of friends here, but, yeah, when you work from home and you don't really go outside much, because you don't have to, because I mean you're working at home, right, it gets lonely from time to time. It's, like, one of the reasons why I want, like, a small dog that can keep you company. Unfortunately my landlord doesn't really want me to get a pet, but I'm looking into moving again soon, and this time I made sure to pick, like, a flat that allows pets, so I'll get, like, a little puppy soon, which will be quite fun.

Yeah. Do you think you'll quit the anti-ransomware game any time soon?

I don't think so, no, mostly because it's still a huge issue, right. So unless ransomware authors suddenly decide, hey, we just stop doing what we are doing, I would probably still do it, because I personally, it's quite fun for me. I like puzzles, really, and each new ransomware is pretty much a completely new puzzle, a completely new challenge, so it's fun. And also pretty much every single victim that I managed to help, they are, like, very, very thankful, and while I do get a lot of insults from the ransomware authors, I get even more nice words and thank-yous and, like, emails, like for example the photographer who still writes me and tells me about what is going on in his life and stuff like that. Yeah, that's quite nice, actually.

Huge thanks to Fabian for getting me up to speed on how I might be able to protect myself from a ransomware attack in the future. I've linked to Fabian's Twitter account in the episode description on the Guardian website. So that's it from me this week. Chips is produced by Danielle Stephens. Till next week, thanks for listening.

Podcasts from the Guardian: the Guardian dot com slash.