Fabian Wosar, CTO of EMSISOFT is known as the most prolific ransomware killer in the world. We reached out to Fabian and asked him ten questions.
Look for our Live Interview and video late next week…
Steve: You’re the cybercriminal…Create ransomware or steal and sell data? Why?
Fabian: There can be a whole bunch of motivations at play. Some people are just interested in the challenge. They just want to proof that it is possible to break a system or to write malware for a certain system. Then you have people who just do it “for the lulz” or are somehow politically motivated. These people usually want to highlight certain issues or just want to have fun. The vast majority however, especially when it comes to ransomware, are financially motivated. Decently successful ransomware groups make tens of millions of dollars each month. Gandcrab for example managed to generate 2 billion US dollars worth of ransom money within about a year.
Steve: Do you see patterns from the “cyber gangs” in the reuse of code when they program new ransomware or variants? Are these ‘gangs’ becoming smarter? Are they recruiting better programmers?
Fabian: It very much depends on the gang and campaign. Ransomware code is readily available not only on blackmarkets but also on places like Github. So the barrier of entry is somewhat low. There are also a whole bunch of “Ransomware as a Service” offers available, where everyone who is interested in getting into ransomware can just sign up, infect a bunch of people, and then get a cut of the revenue generated. That is how Gandcrab operated for example.
The gangs behind ransomware haven’t necessarily have become smarter, but they adjusted and changed tactics a lot. While in the beginning, ransomware very much was a home user problem, the focus has shifted towards companies in the recent years. Instead of spreading ransomware through spam, exploit kits and pirated software, attackers try to break into systems directly in order to encrypt them.
Steve: Are you seeing a collaboration of cybercriminals where opposing criminals are ‘teaming’ up with one another?
Fabian: There definitely is a lot of teaming up going on. Take a look at Ryuk for example, which is often deployed through existing bot infections. Whether the bot herders are behind Ryuk itself or whether the Ryuk gang is buying infected systems from the bot herders isn’t exactly clear. There is obviously also a lot of auxiliary stuff going on. It’s one thing obtaining a large amount of bitcoin. It’s another to turn that bitcoin into clean cash that you can use and buy things with. So the same organised crime structures that are involved in money laundering are present in cyber crime as well.
Steve: Is Microsoft keeping up with updates and patches and are you seeing more neglect from IT personnel?
Fabian: There certainly is a bit of apathy going on. Every couple of weeks there is a new big vulnerability threatening your security. It becomes difficult to keep up, especially when you have lengthy test cycles for new patches to make sure they work in your environment or if you rely on certified hardware and software, that can’t be easily patched without breaking the certification.
Outsourcing was often seen as a solution to this problem, but especially recently there have been attacks on MSPs, often with catastrophic results. We have seen cases where MSPs got hacked and thousands of their clients got hit by ransomware that was deployed through the RMM sytems used by those MSPs.
Steve: IoT and Network Area Storage is getting hit by Ransomware today. Do you foresee new threats that go into Automotive/Transportation, SCADA/PLC, Linux and Mac Oss that involve a more sophisticated Ransomware?
Fabian: We have already seen some of those cases. A while ago a bunch of PHPBB communities got targeted by a rather unique ransomware. They replaced the database driver on those communities with one that would transparently encrypt and decrypt all data during access. The forums continue to work fine, often for months, until the attacker pulls the key out of the driver, making the database inaccessible. Since the driver often has been there for months, backups may have already been rotated out. But even if they weren’t, a large portion of content that was added since the attack may be encrypted with no recovery possible. I would suggest more of these types of attacks in the future.
Steve: When did you first notice code in Ransomware had your name in it? Were you shocked? Is this something you are seeing more of? Are you constantly receiving threats?
Fabian: The first time it happened was about 3 years ago in a ransomware called Radamant. I wasn’t exactly shocked to be honest. I was more surprised and also a little bit proud. It’s the greatest form of compliment you can get in my line of work. It still happens occasionally in addition to ransomware authors contacting me directly on Twitter or in various online communities. The threats have become less, but they still happen occasionally. The biggest reason for that is that I am less public about my work and often help victims directly or provide information to other researchers who then release the decrypters.
Steve: Generally how long does it take to reverse engineer ransomware and provide keys if possible?
Fabian: That very much depends on the ransomware. But on average, it takes me less than 30 minutes to take the ransomware apart, find the encryption routines, and figure out whether the encryption scheme is secure or not. Writing a decrypter then takes another couple of hours. About 4 on average I would say. A lot of QA and testing goes into these decrypters. The last thing we want is damage the user’s files after all. So we tend focus on being careful instead of being the first. However, more often than not we are the first anyway.
Steve: Are you seeing more shady security companies who negotiate with the cybercriminals without the victim knowing?
Fabian: It continues to happen, yes. It’s important to drag these companies into the open and tell people what they are doing. People often think I am against paying the ransom under any circumstance. While that would obviously be the ideal, I am well aware that when it comes push to shove, people prefer to part with a large sum of cash rather than kiss their entire livelihood goodbye. So I am not against paying the ransoms per se, if there truly is no other way, and I also don’t think that a data recovery company should be ashamed of paying ransoms. Quite frankly engaging with a company that has experience with these types of negotiations can be quite beneficial. Not to mention that your accountants will probably prefer you paying a legitimate third party instead of buying bitcoins and sending them somewhere without any kind of invoice.
Ideally data recovery companies should just be honest about how they came up with the amount they charge their clients and outline exactly what they are doing. That doing so can make you hugely successful can be seen in the case of Coveware for example, who are very open about their processes and cost structure.
Steve: How did you get involved in Information Technology?
Fabian: I bought my first PC when I was about 10 years old. It didn’t take long until I got my first computer virus (Tequila.B). I was really fascinated by the concept, so I went into the library (sort of an offline Wikipedia for the young people out there ;)) and they actually had a bunch of books about computer viruses. So I got really into the topic, which led me to eventually learning assembly and Pascal programming and writing my own little anti-virus tools when I was about 11 years old. I never really moved away from that.
Steve: Finally, what is your recommendation other than the usual protection methods that someone can use to protect themselves against ransomware?
Fabian: Backups are by far the best protection. I recommend everyone who isn’t on some data limited plan to go with a cloud based backup solution. Preferably one that can operate using “zero-knowledge”, so that your data is encrypted on your system and the backup provider has no knowledge of what data is being stored on their service. Besides backups, practicing proper cyber hygiene is key. Stick to well known software and keep it updated. Don’t download and install software from places that aren’t trustworthy. Don’t have your data laying around openly on the internet. Have all access points to your network and systems protected using strong authentication (ideally based on certificates, not passwords; but if you have passwords, make sure they are of high complexity). Things like that.
Security software can obviously help quite a bit as well, but there are limits. I am always surprised how customers who had RDP enabled on their systems and trivial passwords complain that our product didn’t protect them. No product will in those cases. The attacker can just turn them off or uninstall them before running their ransomware. Once someone gained access to your system like that, it is game over.
Chief Technology Officer EMSISOFT