Lessons from the frontlines of the fight against ransomware

WASHINGTON — A wave of ransomware attacks has affected cities across the country, recently hitting more than a dozen Texas towns and last year shutting down Baltimore’s city government. 

Just this week, there are signs that portions of the technology that underpins elections in the U.S. could be targeted by one of these attacks. Overall, ransomware attacks worldwide cost $8 billion in 2018 alone, according to Cybersecurity Ventures, a cyber research firm funded by cybersecurity vendors.  

Understanding ransomware, where it originates and how to fight it is crucial as it becomes more prevalent and targets more critical systems.

Since 2012, Fabian Wosar, chief technology officer of Emisoft, a cybersecurity firm, has been working to fight against the attacks in an attempt to help recover victims’ data and ensure that a specific strain of ransomware is rendered obsolete. 

Wosar has built a reputation as the most well-known ransomware killer in the world. He works to help victims unlock their files and restore their systems without having to pay a ransom.

Ransomware, often delivered to a computer system via a malicious email attachment, will encrypt, or lock, certain files on a system, and require users to pay a fee if they want their files unlocked.

Wosar said he’s built a “skeleton decryptor” that provides a road map for breaking most of the types of attacks he sees. 

That job is made much easier when the affected computer or system has not discarded the original ransomware delivery mechanism (like a phishing email). 

The bulk of his main work is trying to find “mistakes” in the ransomware code that help him to break it. Without getting too technical, he said that these mistakes are often because of a lack of randomness in the encryption keys. 

If he can figure out the pattern, and if only one key was used to lock all of the documents, he said he can break the ransomware in just a few hours.

In addition to working with certain strains of ransomware once they have attacked a system, Wosar also has experience in the online marketplaces where the technology is bought and sold. 

Even though the markets for ransomware are not necessarily clandestine, accessing them is not simple, he said. 

“[These communities] often operate on a referral basis or you actually have to prove that you went out and broke the law yourself before they even let you in,” he said. “It’s quite difficult to get access to these kinds of communities to begin with”

Wosar acknowledged that there are some darknet communities that are a bit more open, but “the type of ransomware you can buy there is usually of extremely poor quality.”

Understanding the marketplaces where the technology is bought and sold is important for those who are on the front lines of countering and breaking ransomware.

Michael Gillespie, creator of ID ransomware,  a tool for determining which strain of ransomware was used in an attack, said he frequently works with Wosar. 

He said that knowing what type of ransomware was used in an attack is critical to understanding how to fix the problem, and that finding the newest strains is an ongoing project.

“I don’t crawl dark web or anything. I’m more on the forefront interacting with victims and hunting for samples or new ransomware [through] other channels,” Gillespie said in an online exchange.

The darknet or dark web are sections of the internet that can only be accessed with a specific type of internet browser called Tor. While there are sites that promote illegal activity on the darknet, most of the sites lead to broken links or mundane forums.

He added that his main focus is not to create defense systems for networks, but “mostly finding and identifying new ransomware and trying to break them.”

In addition to Gillespie and Wosar, who are working to identify, break and provide decryption keys to various attacks, there are researchers who compile internet traffic data to look for anything suspicious.

Looking for trends in the types of attacks helps inform how cybersecurity companies can defend against ransomware and how businesses and individuals can proactively protect themselves. 

Mark Lechtik, a security researcher, said there are a number of priorities in his work when he is trying to learn more about a certain attack.

“Our primary goal is to understand the behavior of malware to be able to mitigate it on the product level,” he said. “The awareness on a particular attack allows security personnel in an organization to be ready to hunt and prevent it. 

“The goal of the technical research is to point out all the ins and outs of an attack, so that various kinds of mitigation strategies could be applied against it.”

There are methods to decrypt and recover files without using experts, but that primarily includes paying the ransom. 

Even though Wosar has had success breaking ransomware attacks and recovering data, there are plenty of cases where data can’t be recovered. A Florida city paid over half a million dollars when it was hit with ransomware earlier this year, and in 2017 a South Korean company paid $1 million in ransom after being attacked.

In cases where paying ransom is deemed appropriate and necessary, Wosar advises finding companies that specialize in ransomware negotiations to help haggle down the price and also deal with paying in Bitcoin. 

 “It’s easy for someone to just try to take the moral high ground like ‘you should never pay,’ ‘the U.S. never negotiates with terrorists,’” he said. “But the reality is in a lot of cases, the choice is between paying the ransom and going out of business.”

“It’s very easy to tell people what they’re supposed to do, but it’s very different when you are the one who is affected by it.