The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime
Authors: Renee Dudley & Daniel Golden
Publisher: Pan Macmillan Press
Price: Rs 599
Ransomware is a nasty form of cyber-blackmail. Criminals gain access to servers containing data, which they encrypt. Then they demand cryptocurrency payment to hand over a decryption key. If the ransom is paid, and the perp does hand over a decryption key, and if that key works, the “kidnapped” data is accessible again. Victims often pay up and don’t report the attack.
Over the years, ransomware has claimed millions of victims, big and small, from personal computer users to educational institutions, hospitals and government websites. Municipal websites are tempting targets, for example. These contain vast data troves, and anybody can access the front end and probe for weaknesses.
Indeed, all non-military, public-facing government websites are favoured targets, since these are usually set up by contractors hired for the lowest bid on a tender, and vast numbers of people, ranging from clerks to ministers, have access. In 2022, Costa Rica’s government infrastructure was targeted by a Russian gang, Conti, which encrypted the systems of most of its government departments and demanded $20 million to restore access. (India saw a 53 per cent jump in reported ransomware incidents in 2022 over 2021. Targets included everything from critical infrastructure to PCs. Given the Digital India policy and Aadhaar, alongside high per capita data usage and poor protection norms, India presents many soft, tempting targets.)
Ransomware may not require great technical skill. Much malware can be downloaded ready to go from the dark web, or adapted from legitimate programs. Hackers also sell ransomware as a service (RaaS), a warped variation on the software-as-a-service model.
If the victim doesn’t pay, or the perp doesn’t provide a working key, the protagonists of this book come into the picture. A few cybersecurity folks focus on ransomware. They try to decrypt encrypted data and reverse-engineer malicious programs. Most are independent and some are truly eccentric. Many are quixotic enough to refuse payment. Almost by definition, they are self-taught. The authors, both journalists with ProPublica, tracked down a collective of malware researchers that calls itself “The Ransomware Hunting Team”. It consists of a dozen or so individuals scattered all over the place who nonetheless communicate and coordinate.
The book describes their work, their backgrounds, their personalities, and the emotional and opportunity costs of tracking malware. The hunting team includes Michael Gillespie, a cancer survivor and cat lover who couldn’t afford to go to college. He used to work at the computer support chain Nerds on Call and lives in the wonderfully named small town of Normal, Illinois.
Another member is Fabian Wosar, a high school dropout from Germany and an insomniac who has been compared to Mycroft Holmes. Wosar survived physical abuse by his alcoholic father and extreme poverty in East Germany before migrating to London. He likes exchanging insults with cybercriminals, watches romantic movies and uses magic mushrooms, often working 30-hour stretches. His protégé is the British prodigy Sarah “W” (@PolarToffee), who became a legend in malware research before she passed her A Levels. Refusing payment and staying independent sounds wonderfully altruistic. But it also means these hunters can struggle to put food on the table. Mr Gillespie has had a hard time paying medical bills and almost ended up with a broken marriage.
It’s a pacy, well-written book with technical detail thrown in. There’s lots of excitement. The authors also salt the narrative with anecdotes, ranging from the comic to the tragic. For example, they describe a ransomware attack on a hospital, which caused a freeze on diagnoses, leading to the brain damage and death of a newborn. On the flip side, there was a partially successful effort to persuade hackers to stop targeting healthcare during the pandemic.
One problem with tackling ransomware is that it is inherently easier to create unbreakable encryption than to break it. Also, every time hunters break the encryption, the criminals look to plug the bugs. Cybercriminals and hunters have a peculiar relationship. It’s adversarial, but they need to understand each other, and there’s nerdy back-and-forth on dark web forums. Ransomware can contain messages like “Fabian, if you crack this version I will start taking heroin!”
Mr Gillespie and Italian hacker Francesco Murani once collaborated to decrypt a ransomware program, BTCware. They decrypted multiple iterations. Each time, the criminals tweaked the code. Finally, after nine iterations, the duo could no longer decrypt BTCware. Neither could the criminals! Then Mr Gillespie worked with the criminals to create working keys, which they could release to victims who had paid ransom!
Frankly, however brilliant the reverse-engineering, ransomware hunters can at best achieve limited, short-term success. The war against ransomware cannot be won by decryption alone. Better preventative hygiene and more robust disaster-recovery systems must mesh with coordinated international efforts to regulate cryptocurrency and to target botnet operators and the service providers facilitating ransomware. The book glosses over these aspects even as it provides a ringside view of white hats fighting black hats.