This hacker hacks the hackers. He reverse-engineers ransomware so that victims can decrypt their files without paying money to criminals.

But the polar bear-loving Fabian Wosar lives in hiding at an undisclosed location. It’s all thanks to the threats and abuse he receives from ransomware gangs, which he describes as “the Russian mob.”

Scary stuff. In today’s SB Blogwatch, we peek behind the curtain and marvel.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: strange sunsets.

Fabulous Fabian

What’s the craic? Aunty Beeb’s Joe Tidy tells a tale of the computer virus cracker making powerful enemies:

Fabian Wosar … is world renowned for destroying ransomware – the viruses sent out by criminal gangs to extort money. Because of this, he lives a reclusive existence, always having to be one step ahead of the cyber criminals.

…

He’s a man who has devoted himself … to helping victims of ransomware around the world. A man who guards his privacy dearly to protect himself, because for every message of gratitude he receives, almost as many messages of abuse come at him from the cyber criminals who hate him.

…

“I was shocked but I also felt a real sense of pride,” says Fabian. … “It’s clear that the coder is really pissed. They’ve taken the time and effort to write a message knowing that I’ll probably see it and I’m clearly getting under their skin. It’s a pretty good motivator.”

…

He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. … All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes … follow the instructions and get their files back. … Emsisoft, the cyber security company Fabian works for … managed to prevent 2584105 infections in the past 60 days.

…

“I have upset or angered around 100 different cyber gangs over the past few years. … I moved to the UK as soon as I could. You can hide here, there are no registers or anything and I can be anonymous.”

He had to move countries? Here’s fellow German, Karsten Hahn—@struppigel, aka MalwareAnalysisForHedgehogs:

Great article about @fwosar … who has cracked lots of ransomware, and received threats. … He had to move from East Germany to an unknown location because of it.

Fabian who? Fabian Wosar—@fwosar tweets modestly:

BBC’s @joetidy visited me a while ago. … The result is a pretty informative and entertaining article.

…

I doubt that I am a hero. There’s nothing heroic about what I do. … People hate reinstalling Windows. I actually enjoy it. Maybe a bit too much xD

…

There are a couple of smaller inaccuracies to make for a more exciting and approachable story overall. But other than that it turned out pretty great in my opinion.

…

It’s surprisingly difficult to find a landlord that accepts a puppy in the UK. … Germany is a lot more progressive in that regard. … They don’t like cats either. They are all worried about their carpets and wooden floorboards.

He certainly doesn’t sound like a superhero. Andrew Stokes channels Edna Mode: [You’re fired—Ed.]

Great true life story and further proof that not all super heroes wear capes.

Another new member of the Fabian fan club is @OnlyxAlphawolf:

I find it hilarious you’ve pissed cyber criminals off so much they’re starting to leave you messages in their virus code since they know you’re gonna go through it sooner or later.

…

Keep up the great work!

But quantaman wonders if there’s a There there:

I’m sure he’s pretty good at what he does, and there’s probably a handful of instances where the ransomware folk did something dumb. But file encryption is pretty standard stuff, and I can’t imagine it’s too hard to generate a unique decryption key for each victim and to stop that key from persisting on the victim’s machine.

…

Or am I missing something?

Yes you are, or so tgsovlerkhgsel seems to say:

Getting encryption right is hard, even if you’re using a good algorithm.

…

Competent people get it wrong all the time, and the people writing ransomware are often… less competent.

…

Using a static symmetric key for all victims, generating individual keys in an insecure way, 256-bit RSA keys … reusing the stream of a stream cipher, using formerly-believed-to-be-secure ciphers like RC4,

…

There’s plenty room for failure, especially if you aren’t an expert.

It’s even simpler than that, thinks this Anonymous Coward:

If you want to remove the key from the victim’s machine, then you have to store it somewhere else until the ransom is paid.

…

You can make a distributed solution for that, but that’s complicated, because your network is constantly changing due to systems being wiped and reinstalled. Or you can make a centralized solution, but that makes it easy to attack.

…

Criminals are not the kind of people who put in the work to do things properly. So the key stays on the victim’s machine.

Although The-Ixian suggests this more nuanced version:

This guy works for an AV company. Which means that he probably has access to some pretty good telemetry from several different systems attacked by the same malware. You can imagine that if something is seen once and reports it back to the mothership, the second, third, etc, instances are each delivering behavioral metrics on how the malware operates.

…

I am sure [the AV] is able to do things like analyze all system RAM and other caches for things that don’t get cleaned up quickly enough. The keys need to be put into memory at some point in order to do the encryption, which means they can be read from memory.

Having said all that, technion alleges an allegation:

There are a lot of news articles I read about people “cracking ransomware encryption” [but] I’m extremely suspicious of anyone claiming to.

…

There are a number of companies I’m aware simply pay the ransom, then charge a huge markup to claim they “cracked the encryption”, so it’s better for their business to support the view there are elite hackers somehow breaking RSA every time ransomware uses it.

So Fabian Wosar—or someone claiming to be him—returns to add this to our narrative:

A lot of ransomware has flaws that can be abused just like a lot of other software has bad crypto. The flaws are usually just what you would also find in production code: Bad key generation, improper key sizes, inappropriate key re-use, server vulnerabilities.

…

The first iterations of Cryptowall left the generated private key on the system by accident, because they copied sample code … without understanding [it]. Cryptowall later went on to become one of the most profitable ransomware campaigns in history.

…

Bottom line is: As with many things, ransomware doesn’t have to be perfect to cause a lot of damage.

…

I used to live in one of the big German Baltic Sea harbour cities. The local shipyard was/is essentially a money laundering operation for the Russian mob. So obviously, when I started to get threats from Russian groups, in particular, that makes you feel rather uneasy. … People are also not aware of Germany’s mandatory IDs and registrations. Essentially, if you want someone’s address, you can go to the local municipality [and] you can obtain their address for [about] $10.

Meanwhile, phantomfive snarks it up:

Alternate headline: “Assassins pay BBC to find address of ransomware expert.”

And Finally:

Seven Sunsets

Hat tip: b3ta

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Jennifer Stern (cc:by-sa)

— Richi Jennings