It is not uncommon for malware developers to communicate with security researchers whether it be to taunt them or praise them. It is a lot less common, though, when a ransomware developer reaches out to a security researcher and tries to sell them the encryption keys for their ransomware.

This was the case when the developer of the fs0ciety Ransomware reached out to Emsisoft security researcher Fabian Wosar to see if he wanted to buy 200 decryption keys for 10 bitcoins. This was a complete fail, as Fabian already had all of the developers keys and has been been secretly collecting them for weeks due to a bug in the ransomware's Command & Control server.

Twitter message with Ransomware Developer

The ransomware developer did not take kindly to this, which led to some interesting tweets.

So how did Fabian have the keys?

Unfortunately, I can't give away the weakness that the developer had in his setup, but I can say that since October 2nd, Fabian has been collecting the encryption keys created by the fs0ciety Ransomware. In total Fabian had collected 11,366 keys before the ransomware developer suspended operation.

Since then, Fabian Wosar and Michael Gillespie have been using these keys to decrypt victim's files for free. This has been done secretly through BleepingComputer's Fsociety Locker Ransomware Help and Support Topic, Twitter, Emsisoft's site, and other forums or support sites.

As always, with the amount of ransomware victims piling up, it is great to see a win for the good guys!