Book review: Volunteer technologists breaking ransomware by criminal gangs
The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime
By Renee Dudley and Daniel Golden
New York: Farrar, Straus & Giroux
2022
355 pp.
Imagine that you’re starting another day like any other. You go to log into your laptop or desktop machine, and you get nothing. The screen is blank. Or the applications all look fine, but your files have all different file extensions. And there is a note on the screen telling you that your machine has been digitally captured, and if you want to ever see your files again, you’d better be willing to pay a ransom…in “cryptocurrency”…in the next day or two…or else... What would you do?
Renee Dudley and Daniel Golden’s The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime (2022) uses a breathless storytelling style to describe the emergence of ransomware (malware--malicious software--that encrypts people’s and organizations' data and requires ransom payment to access a key to re-encode their data in a readable way) in the world, and how a small band of mostly self-taught information technologists stood in the gap to crack some of the ransomware and salvage people’s locked data where government and law enforcement were perhaps slow to respond.
Figure 1: Cybersecurity Silver
Introduction
This non-fiction book opens with a school of 150 elementary students mostly from the poorer strata of society in Central London. The children at the publicly funded school hail from “immigrant families from Pakistan, India, and Eastern Europe” with many on public assistance (Dudley & Golden, 2022, p. 3). The co-authors write:
On a shoestring budget, in a building that’s showing its age, the school gives the children a solid education and helps them adjust to English life and culture. Teachers track the students’ progress by photographing them as they learn how to hold a pencil, draw a picture, or write their name. The snapshots are uploaded to a server, a powerful computer that processes data and provides services for other devices. Because teachers photograph each child in their class at least twice a week, and the system has been in place for several years, the server stored hundreds of thousands of photos. (pp. 3-4)
This is the server that is encrypted due in part to the IT manager failing to update the software. [As a side note: As minors, aged 5 to 10, the students are a protected class, and the fact of their being photographed so often ostensibly to record their progress reads as unusual to this reviewer. Are native-born British children put through the same practice? The school itself goes unnamed.] The student privacy issues aside, this incident serves as a bridge for the broad reading public into cybersecurity, with real-life examples that show the risks and costs of such cyber threats.
The real-life incident above not an “edge case” per se. It is one example of an expensive macro-challenge, with cyber-extortionists squeezing people and organizations for money to access their own stored data. They write:
The frequency and the impact of ransomware attacks are widely understated because many victims don’t make them public or inform authorities. But in recent years, hundreds of strains, with odd names like Bad Rabbit and LockerGoga, have paralyzed the computer systems of millions of companies, government offices, nonprofit organizations, and individuals. Exploiting society’s near-total dependence on computers, criminal hackers demand thousands, millions, or even tens of millions of dollars to restore operations” (p. 5)
Arrayed against the hackers and ransomware makers are a small group of “white hats,” technologists who range from self-taught to one having a master’s degree.
The team’s members have regular jobs, typically in cybersecurity, but cracking ransomware is their passion. Several have a kind of tunnel vision; once they commit to solving a problem, they plug away at it nonstop for hours or days, oblivious to the world around them. At least three of them…have attention deficit hyperactivity disorder, which is normally associated with being easily distracted but can also manifest itself as a state of deep, prolonged concentration called hyperfocus. They share an urge, almost a compulsion, to help humanity and fight cybercrime, like an Internet Justice League. (p. 11).
The group itself is less than a dozen, and the membership in this group is by invitation only. The members are motivated by protecting the electronic spaces of the WWW and Internet, not for monetary gain or publicity. The main character, Michael Gillespie (aka
About the Ransomware Hunter Team (RHT)
These technology wizards have “cracked more than three hundred major ransomware strains and variants, saving an estimated four million victims from paying billions of dollars in ransom” (p. 10). Their main clients receive the services for free. These are those who are not protected by high-powered cybersecurity teams, insurance coverage, or federal law enforcement. The team members are from “the United States, the United Kingdom, Germany, Spain, Italy, Hungary, and the Netherlands” (p. 10). One of the members describes them as “misfits,” who’ve found meaning and value in this ransomware hunter-group. Indeed, the standards for success in IT are very high: a solution works, or it doesn’t. Academic credentials are much less important than the ability to learn, to solve practical problems, and to hold the line ethically against criminal actors (even in the face of temptations like money).
Certainly, the “leet” ("elite") services they offered for many years (and into the present) are invaluable:
The team filled a gaping void. The U.S. government was slow to respond to the growing ransomware threat. The Federal Bureau of Investigation couldn’t get a handle on it, advising victims against paying ransoms but offering no practical alternative. The hackers often operated out of countries like Russia and Iran that don’t have extradition agreements with the United States and tacitly condone cyberattacks on the Western world, possibly using them to gather intelligence or share in the profit. From insurers to cybersecurity firms, the private sector had little incentive to thwart ransomware; is it surged, they benefitted. (p. 11)
As the researchers tell it, for years, a small group of talented and prescient individuals stood in the gap (and later even helped out federal law enforcement). They worked to crack various encryption-based ransomware in order to free the captured data of people and organizations from around the world. They were able to crack some, but they also faced unsolvable programs with perfect encryption.
The Origin of Ransomware
This book describes a colorful Harvard-educated primatologist, Joseph L. Popp, as the first creator of ransomware. He launched his program on a floppy disk that contained information about HIV/AIDS prevention (in 1989). After several bootups of the disk, the program would lock down the person’s device and data unless they paid a sum. Ransomware’s core innovation was a weaponization of encryption (p. 12). As the researchers tell it, his belief in social Darwinism was used as a rationale for advantage-taking of those seen as biologically “lesser.” His program resulted in the Computer Misuse Act of 1990 (in the UK, which was ahead of many).
In those early days, people risk incorrect reactions or over-reactions, which would guarantee the non-recovery of their data in some cases. Law enforcement is depicted as somewhat clueless. When a copy of a floppy disk was requested, one police jurisdiction apparent sent a photocopy of both sides. Some police would pick up a monitor as evidence instead of a CPU (p. 32). Indeed, the savvier federal agencies anticipate challenges and stay atop the technologies as they evolve.
The Ransomware Hunting Team… describes early days of amateurs and script kiddies engaging with malicious ransomware. There were shows of pique and ego. Over time, the ransomware practitioners professionalized. They formed criminal gangs. They hired call centers in India, “with representatives contacting employees or clients of victim organizations that hadn’t paid up” (p. 95). They hired employees for different roles while the main group focused on the core ransomware. Some would sell usage of the malware tools to “affiliates” who would themselves take on the risk of deployment the software (pp. 92 – 93) in this volume industry (the more people who are reached, the higher the numbers of those who would fall for the various tricks). The work of the hunting team was very confrontational because they were de-toothing some of the programs and embarrassing the various cybercriminals and gangs, even as they worked to be low-key about what they discovered (so as not to tip off the makers of the malware).
Intensifications of Ransomware Attacks
An escalation of the ransomware approach involved threats (and practices) of releasing private data to coerce payment from victims. The data leakage is a “double extortion” by not only breaching records by ratcheting pressure on the targets by threatening their leakage as well as their unavailability. Once the first cyber-criminal gang innovated this way, others followed suit. in one case, “the group included before-and-after photos of patients who had undergone breast augmentation surgery. The hackers contacted those patients by email and included personal photos in their messages” and threatened to leak the images if payment was not sent (p. 107). Even when ransoms were paid, there were no guarantees that the data would not be shared after payment. Data was sometimes shared among various threat actors.
The WannaCry ransomware worm was launched by North Korea in 2017 and led to “devastating” effects, raising the awareness that such technologies could be used in cyber warfare. They write:
WannaCry had infected the UK’s National Health Service, among many other victims across 150 countries, before security researcher Marcus Hutchins famously found a kill switch that neutralized the unusual worm. It caused hundreds of millions of dollars in damages during its short rampage. (p. 98)
Hundreds of millions of dollars of damage are concerning even as the malware was eventually neutralized.
Others started targeting managed service providers (larger targets) with larger amounts of money that could be extorted…and organizations with insurance (which could also result in larger payouts). Where some cybercrime gangs only pursue essentially micro-payments (under $1,000 per victim), higher end ones used more complex technologies and pursued extortion amounts in the six and seven figures.
Interacting with the Cyber Ransom-Takers
Various individuals who ran afoul of the ransomware gangs would try to negotiate their way out of payments with very limited success.
The creative thinking of some of the team members led some into some risky territory. One gang was so poor at programming that they could only recover some of the held data, even after their victims had paid the ransoms. The main protagonist took an unconventional approach by working up some cooperation:
To achieve his goal of rescuing victims whose backs were against the wall, Michael (Gillespie) decided to cooperate with his archenemies. He emailed BTCWare to propose a deal. It would send him master keys to earlier versions that he was unable to break but that were no longer big moneymakers for the gang. In return, he promised to show BTCWare how to fix the glitches that were deleting victims’ files in the latest version. Otherwise, he pointed out, BTCWare would lose credibility and fewer people would pay. (p. 91)
In this case, the organization did trade the old keys for advice on how to not accidentally delete victim data. To this reviewer, it seems highly naïve to align himself with those engaging in destructive and criminal acts even ostensibly for a greater good. Another way to say this is that there is more gray zone than black-and-white, in a context of each side achieving its own interests.
Government Interventions
The U.S. government was not sitting idly by as cyber-criminals rampaged through the system. The U.S. Treasury Department placed ransomware companies under sanctions because of their ties to rogue governments, like ransomware companies linked to the FSB (Russia’s Federal Security Service). This move meant that ransomware victims “who subsequently paid Evil Corp could face civil penalties, including fines, for supporting criminal activities” (p. 99). The ransomware company sought to hide its fingerprints and brand in the hopes that victims would pay the ransoms without realizing that they were also running afoul of U.S. laws. They also engaged in various deceptions to entice people to pay ransoms and so violate U.S. Office of Foreign Assets Control (OFAC) regulations.
Virtual Confessionals
In one unusual case, a hacker realized the “haram” nature of his cyber-extortions and wanted to make amends. He reached out to the Ransomware Hunting Team and offered decryption keys to help people recover their data. One of the team members set up virtual confessionals online where individuals and groups could come clean and perhaps even offer key dumps to help unlock stolen data captured with ransomware (p. 110). Interestingly, such confessionals did not bring out the members that they were hoping:
Most of Fabian’s (Wosar’s) correspondents were hackers who claimed they were scammed out of money or otherwise wronged by their partners in crime. Others contacted him with information that could doom competitors…The communication benefited both parties: Fabian helped targets prevent or recover from attacks, while the hackers sabotaged their foes—with low risk of being fingered. (p. 111)
Some reached out because of Fabian Wosar’s fame:
Sometimes, even as they sought revenge on their enemies, the hackers took a few moments to fish for Fabian’s approval of their handiwork or to worship at his ransomware altar. Those messages reminded him of the banter he’d exchanged years earlier with Apocalypse, whose developer had called him ‘a god.’ (p. 113)
Some of the victims of the ransomware attacks, even as they reach out for free help from the team, end up being abusive and manipulative. One threatened to commit suicide unless his locked data was retrieved (p. 134). Indeed, one was facing bankruptcy after the ransomware attack, and other suffered a heart attack with the ransomware attack as the proximate cause. The team members themselves were under extreme pressure to find solutions even as they balanced full-time work and family lives oftentimes.
There is a potent anecdote in this book. Here, the MalwareHunterTeam (MHT) reaches out through its social media to ask followers for some donations to buy a space from which to work. They write:
Forty-six well-wishers contributed a total of $4,111.48. Daniel gave the most, $1,000, and Lawrence chipped in $200, writing, ‘Thanks MHT for all you do.’ MalwareHunterTeam responded by accusing the Twitter-verse of stinginess, given that the goal was $20,000.
'Last donation was over 5 days ago,’ MalwareHunterTeam tweeted in March 2021. ‘So can we say now that of the 118k followers (of course not counting very poor people, ones who have no PayPal, etc.), less than 50 people think that our hard work in the past years wroth even a 1$donation?’ (p. 281)
This book holds up a mirror to humanity and showcases how people are so often willing to take advantage of each other’s naivete and generosity. One of the team members, Lawrence Abram, reached out to the top 10 ransomware groups to ask for a COVID-19 truce during which they would not attack hospitals and healthcare facilities and nursing homes. The gangs broke the agreement almost instantaneously. During the COVID-19 pandemic, “a wave of cyberextortion crippled hospitals and other vital services, shuttered businesses and schools, and further isolated people from relatives, friends, and coworkers” (p. 5). There seems to be a near-constant tension between the idealists and the opportunists in this book (perhaps reflecting in-world dynamics).
Various Tools in Use
For those who enjoy reading about IT tools, The Ransomware Hunting Team… offers occasional nuggets. The encryption tools change file extensions and may be read as a kind of “gang signature” (p. 146). There are CryptTester tools that help identify new strains of ransomware based on comparisons against known families and patterns of ransomware to understand what they evolved from (p. 146). There are brute-forcing ways to arrive at keys:
The hackers sometimes make the team’s task easier by encrypting files with keys that aren’t random. Because computers are deterministic machines, designed to leave nothing to chance, generating random numbers can be more challenging than it sounds. One method makes use of lava lamps by taking pictures of the heated wax bubbling inside the glass container and translating their seemingly chaotic movements into numbers. (pp. 148 – 149)
In some cases, there are attack surfaces that are broad and exploitable. For example, one cyber-gang was made vulnerable during a changeover of servers which bounced back ‘bot requests (enabling a vulnerability). In others, ransomware may be unbreakable:
If the cryptography is solid, the ransomware is almost unassailable…Ransomware gangs generally rely on either of two types of ciphers. In a ‘stream cipher,’ the key yields an ongoing stream of numbers that transform all of the text. A ‘block cipher” divides text into segments of equal length and encrypts them in different but related ways. Either way, an algorithm contained in the ransomware code performs a mathematical operation that combines the key with the original data to create an encrypted file. (pp. 145 – 146)
Figure 2: Cyber Hunting
A Shady Place
Various data recovery firms emerged to meet a market need. Many of these were fly-by-night. Their shtick was to hire some big-name “national security” individuals to serve as spokespeople for their organization. They would claim that the companies had “proprietary technology and expertise” but actually paid ransoms for the target data (p. 251), essentially working in collusion with the ransomware criminals and taking their own cut under an illusion of legitimacy.
Figure 3. Hacker
Conclusion
Renee Dudley and Daniel Golden’s The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime shows that volunteering to solve large-scale societal problems can be challenging and often thankless. The two ask who will guard the informal guardians, given so much apparent need and yet so much general apathy? Who will laud the hidden heroes? Who will help document the critical knowledge about ransomware in order to understand future iterations? Who will stand as fighters to protect common citizenry (with costly signaling, not just cheap talk and showboating)? As the members of the MalwareHunterTeam (MHT) move on to focusing on their own lives and livelihoods and survival, are there others stepping forward? And with what skills and what motives?
This work has a happy ending for the protagonist, but one is left wondering why he stayed so long in an underpaying job and free work (even though his acquired skills enabled him to write his own ticket later on).
Has law enforcement stood up more effective global systems? Are they more ready now to profile cyber-criminals and to bring justice to them wherever they are? [It would seem so for the current moment. The mainline press has described aggressive hacking back, profiling the cyber-criminals with their own cameras / microphones/ screenshots, with undercover agents, and others. Indeed, there are emergent other threats that may / may not be anticipated at this time. People under-estimate law enforcement and intelligence agencies at their own peril. In the same way that general populations can benefit from peace dividends from wise geopolitical leaders, they also benefit from astute law enforcement that is ethical and informed and professional.]
Dudley is a technology reporter at ProPublica, and Golden is an editor and reporter at the same organization. Dudley was a Pulitzer Prize finalist in 2017 in a work about the rampant cheating on college admissions tests.
Figure 4. Cybercrime Visual
Note: EDUCAUSE Review shared an article titled "How Case Western Reserve University Responded to the Cybersecurity Insurance Crisis," an article which shows something of a higher education angle. This article is by A. J. O'Connell and was published January 19, 2023.
About the Author
Shalin Hai-Jew works as an instructional designer / researcher at Kansas State University. Her email is shalin@ksu.edu.