This CTO gets on cybercriminals' nerves by discovering vulnerabilities in ransomware payloads
Fabian Wosar hunts for vulnerabilities in ransomware payloads and helps victims decrypt their data. Because he decimates criminals' incomes, personal threats have become part of his daily life.
"There's a reason why I'm only here as an avatar," Fabian Wosar, Chief Technology Officer at the New Zealand software company Emsisoft, said during the MIT Technology Review conference CyberSecure.
"I do worry about my safety, primarily because there have been a whole bunch of threats that were made against me personally or members of my team. I do live as a hermit with my two cats, and I don't usually attend any events in person, and I don't give video interviews," he said.
Wosar is known as a ransomware slayer - he is part of a volunteer group that helps ransomware victims, often when law enforcement can't.
"In the simplest terms, my team and I try to discover vulnerabilities within ransomware payloads that allow us to essentially help victims recover the data without having to pay a ransom in the first place," Wosar explained.
Recently, he and his team have been tracking the BlackMatter ransomware gang and its predecessor DarkSide, the group responsible for the Colonial Pipeline cyberattack. He couldn't disclose many details about the hunt for the prominent ransomware family, but he admitted to having significantly disrupted BlackMatter's business.
"The interesting thing about DarkSide and BlackMatter is that at the very beginning, they started out being secure. Secure in this context means that they didn't make any obvious mistakes within their cryptography that would allow a company like us to break the encryption and return the data to the victims," he said.
However, as they iterated on their ransomware payload and transitioned to a ransomware-as-a-service (RaaS) model, they started to introduce such vulnerabilities, which, Wosar said, is relatively unheard of.
"For whatever reason, ransomware threat actors transition from a secure payload to an insecure one. Usually, it's the other way around - they start with an insecure payload and then move over, fix the issues, and move towards a secure payload. In this particular case, this is pretty much what happened," he said.
They first introduced a vulnerability at the beginning of December 2020, which Wosar and his team found and used to help victims.
"However, about a month later, that particular vulnerability was, unfortunately, fixed. Then the Colonial Pipeline incident happened, where they managed to hit critical infrastructure in the US. This incident attracted so much attention both from the US government, as well as other governments around the world, that they decided to lay low a little bit," Wosar explained.
They showed up again in July 2021. Once again, they started with a secure payload.
"However, during one of the updates, they once again introduced a vulnerability that allowed us to decrypt the data of victims essentially. This time that vulnerability was around for almost two months, and we were able to help quite a lot more victims and completely decimate their [cybercriminals'] income for the better part of two months, which was probably the biggest damage that we managed to inflict on a single ransomware threat actor so far," Wosar recalled.
The US government has been taking action against ransomware actors. The US State Department offered a reward of up to $10 million for information leading to the identification or location of the Sodinokibi/REvil leadership, and recently offered another $10 million reward for information on the DarkSide ransomware gang responsible for the Colonial Pipeline cyberattack.
That's hardly surprising, given that ransomware-related payments reported to US authorities reached $590 million in the first half of 2021 alone, compared with $416 million for the whole of 2020.
Because these crimes don't go unnoticed and draw a lot of unwanted attention to the cybercriminals, Wosar believes they will change their tactics and try to stay under the radar.
"I do believe that in the very near future, we will see threat actors moving away from partnering with just one RaaS, just one affiliate program, and instead hop from one affiliate to another, or even adopt techniques like constant rebranding, like EvilCorp is doing. EvilCorp, whenever they hit a new huge victim, they completely rebrand their ransomware family," he said.
Their goal is to make attribution a lot more complicated.
"They try to make attribution a lot more difficult. Instead of having groups, programs, or RaaS that are responsible for the majority of the damage, a large number of cases, which will ultimately draw attention from law enforcement, you have a lot of cases where the ransomware family was only used once or twice, and then they disappeared again," Wosar said.