How a small team of volunteers is helping people break free of ransomware

By Stacey Harris

It’s like a technological thriller come to life. Ransomware entered the global spotlight in 2021 after a number of high-profile cases caught the media’s attention. But long before the growing threat entered the public domain, a small group of individuals started quietly helping thousands of people and businesses get their information back – without paying the ransom.

Journalists Renee Dudley and Dan Golden have written about this incredible story in a book called The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime.

We invited the pair onto our Random but Memorable podcast to talk about this remarkable group, and what they’ve both learned about the evolution of ransomware and cybercrime. Read on for the highlights of the interview hosted by Michael Fey (Roo), Head of User Lifecycle & Growth at 1Password, or listen to the entire episode on your favorite podcast player.

Listen to episode 102 ›

Michael Fey: Can you give us some background on how you decided to write this book, and why it was important to write now?

Renee Dudley: I had been hearing from chief information security officers at big, publicly-traded companies that ransomware was a growing threat. This was before ransomware was in the news every day.

I dove into research and found that everybody connected to this world was recommending I speak to a guy named DemonSlay335. He turned out to be Michael Gillespie, who would later become the hero of our book. I learned that he’s part of a global team of about a dozen people across seven countries who crack ransomware.

Ransomware locks victims’ files, and demands a ransom payment in exchange for a key to unlock those files. Michael and his global ransomware-hunting team find vulnerabilities in different strains of ransomware, and are able to help victims get their files back without having to pay the hackers.

“He was doing all of that for free, at what appeared to be this great personal expense. He sought no fame, no glory, no compensation whatsoever."

I thought it would be a good idea to visit Michael in person at his home in rural Illinois. We started talking about ransomware and as he got more comfortable he started sharing more about his personal life. I learned that he had just overcome cancer, was only 28 years old, and was struggling to make ends meet.

What was so striking was that all of this was happening in the background while he was saving dozens and dozens of people every day from having to pay hackers the ransom. He was doing all of that for free, at what appeared to be this great personal expense. He sought no fame, no glory, no compensation whatsoever.

Now, he’s the best in the world at what he does, but he’s just this guy doing this on his own with the help of this global team.

Dan Golden: One of the requirements for joining the hunting team is you’re not allowed to charge for the code-breaking services you provide. This team has saved millions of people and institutions from paying billions of dollars in ransom. But one of the binding parts of their contract with each other is that they don’t charge anybody.

MF: Can you tell me about the process of taking this story, and shaping it into a book?

DG: We were lucky because we had two compelling stories. One is the story of Michael and the members of the ransomware hunting team. These ordinary, selfless people do extraordinary things at great cost to their personal lives. But the other is the larger story, which is the rise of ransomware.

While we were researching the book the threat of ransomware got worse and worse. The targets got bigger, the amounts of money demanded went from a few hundred dollars for individuals to millions of dollars for businesses, hospitals, universities, and even government agencies.

“Ransomware hacks evolved from ransom demands to stealing information and threatening to leak it if they weren’t paid."

Ransomware hacks evolved from ransom demands to stealing information and threatening to leak it if they weren’t paid. It evolved from an intriguing form of cybercrime to a worldwide threat and crisis – the kind of arc that you can use to shape a book.

MF: Can you talk about some of the moral challenges and ransomware scenarios that the team has faced?

DG: In a way, the greatest moral challenge is faced by the victims of ransomware. They have to decide whether to pay or not. If you pay, your files are restored. But you’re rewarding criminals and incentivizing more ransomware.

One chapter of the book looks at the city of Baltimore, which was hit by a ransomware attack. It shut down a lot of the city’s services, and made it hard to buy and sell homes and other important activities. There was a demand for $80,000 and the mayor quite courageously refused to pay. But it took months for the city to recover and officials ended up spending $18 million on recovery costs. The mayor lost his reelection bid, only getting 6% of the vote.

“The FBI always says don’t pay the ransom. But sometimes there aren’t a lot of alternatives."

It’s a tough choice. The FBI always says don’t pay the ransom. But sometimes there aren’t a lot of alternatives.

If you attack a hospital and shut down its records, files, and diagnostic equipment, staff can’t treat patients. And sometimes it’s a matter of life and death. Or a business might have to shut down if it doesn’t pay the ransom. So that’s the great moral quandary that the hunting team potentially offers a solution to. But only in some cases because the ransomware hunting team can’t crack every code – there has to be a mistake for them to crack it.

MF: Can you talk a little bit about some of the tools and tactics the team uses?

RD: The hunting team looks for vulnerabilities in the ransomware. One of the vulnerabilities is that cryptography relies on random numbers. Hackers use what’s called a random number generator but sometimes it’s not truly random. It will start repeating numbers after a certain point, and the hunters can exploit that and use that to find the key.

DG: With the random numbers, sometimes you could do what’s called brute-forcing the system, where you can make so many efforts to crack the code that eventually you find the pattern and come up with the key. They have a whole variety of tools, and it just depends on the type of ransomware.

RD: Other times, they find vulnerabilities in the hacker’s infrastructure. They might find a weakness in the server they’re using. Michael has actually hacked into the hacker’s own servers to retrieve keys, which he then used to develop tools to help victims get back into their systems.

DG: The ransomware group might also use the same key too many times. So a victim could pay and get the key, and then they can use that key to help other people who haven’t paid.

MF: You spoke to a number of people on the ransomware hunting team. Did they have common motivations for joining?

RD: A number of them, including Michael, Fabian, and Carsten Hahn, come from backgrounds of poverty or abuse. A lot of them are self-taught. Many of them didn’t attend college and some of them even dropped out of high school. They’ve taught themselves skills by taking books out of the library, watching YouTube videos, or even learning from each other.

“This is their way of fighting back against the bullies in the world."

They know that they’re some of the only people in the world that have those skills, and they feel the expectation of using them for the greater good. When it comes to their backgrounds, they have an underdog mentality.

This is their way of fighting back against the bullies in the world.

MF: In the book you call out that this team is helping people where the government, FBI, and law enforcement either can’t or won’t. Why is that?

RD: The FBI tells people not to pay because the more you reward hackers, the more they’re going to do it. But the FBI provides no practical alternative. The team gives people an out that doesn’t involve paying, and doesn’t involve giving up your files.

But this is changing in the “post-Colonial attack” era. The ransomware attack on the Colonial Pipeline in 2021 shut down gas stations across the Southeast. It was a flash point for ransomware because after that, the US government started taking it seriously.

Before that, the FBI, the Department of Homeland Security, and others across the federal government treated ransomware as an ankle-biter crime. They thought that the demands were too low, and not enough people were being affected by it.

“Now that ransomware is seen as a global threat, the bureau is cooperating more and more with members of the hunting team and other private researchers."

This was the mentality even as ransomware was gaining traction and becoming a serious global threat. We talked to FBI agents who were frustrated that this wasn’t getting taken more seriously. The cyber division just couldn’t get traction on the issues they thought were important, like ransomware. There weren’t enough people with advanced technical skills to take on the challenges that were coming in. So the hunting team really filled this void.

Now that ransomware is seen as a global threat, the bureau is cooperating more and more with members of the hunting team and other private researchers. The hunting team has been coming up with these free decryptors for certain strains. And now, finally, the FBI is telling victims when those tools are available.

MF: How have your views changed while writing this book, and knowing that there is a group of people out there who are fighting the good fight?

RD: I’m so impressed by the members of this team. They’re all just ordinary people. They have regular jobs, they work in IT and cybersecurity. Some of them have families. They’re just living their lives, but doing these completely extraordinary things on the side. Many of their own families don’t know the extent of how much they’ve helped humanity.

“They’ve helped millions of victims save billions of dollars."

They’ve helped millions of victims save billions of dollars. It’s really unbelievable how much they’ve been able to accomplish since they banded together in 2016. Ransomware itself is horrible and the problem keeps getting worse. It’s reassuring to know there are these unlikely heroes doing amazing work out there.

DG: It’s uplifting but it’s also reinforced how scary the cybercrime threat can be. The ransomware groups are increasingly pairing up with foreign governments like the Putin regime, and acting under state sponsorship. I have a number of friends who’ve read our book and said: “We’re so impressed by the hunting team, but also we’re scared to death by ransomware.” I think a lot of people will have that dual reaction.

Editor’s note: This interview has been lightly edited for clarity and brevity.
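The two weaknesses Dudley and Golden describe in the interview, a key drawn from a random number generator that is not really random and a seed space small enough to brute-force, are easiest to see in code. The block below is an added example written for this page; it is not the hunting team’s tooling, and it does not model any real ransomware strain. It constructs a toy "ransomware" whose 16-byte key comes from a non-cryptographic PRNG (Python’s Mersenne Twister) seeded with the Unix timestamp at infection time, and then recovers the key the way a responder would: by assuming the encrypted file’s modification time pins the infection to within a day, walking every candidate seed in that window, and accepting the one whose key decrypts the file header to a known magic value. The timestamp, the victim file, the `%PDF-` known prefix, the 24-hour window and the HMAC-based stream cipher are all assumptions chosen for the example.

```python
import hashlib
import hmac
import random
import struct


def weak_key_from_seed(seed: int) -> bytes:
    """Toy key derivation (constructed for this example): 16 bytes pulled from
    a non-cryptographic PRNG seeded with the infection-time Unix timestamp.
    The key therefore has about as much entropy as the seed window, not 128 bits."""
    rng = random.Random(seed)  # Mersenne Twister, NOT a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(16))


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher.
    The cipher itself is sound; the weak key derivation is what breaks it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def recover_key(ciphertext: bytes, known_prefix: bytes, t_start: int, t_end: int):
    """Brute-force every seed in [t_start, t_end]. Only the header bytes are
    decrypted per candidate, so the cost is one HMAC per second of window.
    Returns (seed, key) on success, None if the seed is outside the window."""
    n = len(known_prefix)
    for seed in range(t_start, t_end + 1):
        key = weak_key_from_seed(seed)
        if xor_bytes(ciphertext[:n], keystream(key, n)) == known_prefix:
            return seed, key
    return None


def demo():
    """Encrypt a constructed victim file, then recover the key knowing only the
    file type (PDF magic bytes) and an approximate infection time."""
    infection_time = 1619200000  # constructed timestamp, ~April 2021
    victim_file = b"%PDF-1.7\n" + b"constructed victim document contents " * 4
    ciphertext = encrypt(victim_file, weak_key_from_seed(infection_time))

    # Responder knows the encrypted file's mtime to within a day (+/- 12 h).
    result = recover_key(ciphertext, b"%PDF-",
                         infection_time - 43200, infection_time + 43200)
    assert result is not None, "seed not in window"
    seed, key = result
    return seed, decrypt(ciphertext, key)


if __name__ == "__main__":
    seed, plaintext = demo()
    print(f"recovered seed {seed}; header {plaintext[:8]!r}")
```

The search over a day-wide window is about 86,000 candidates and finishes in well under a second; even a window of several months is trivial. With a 5-byte known prefix the chance of a wrong seed passing the header check is roughly 2^-40 per candidate, so a false match is not a practical concern, but checking a second known structure (a length field, a trailer) costs nothing and removes the doubt. The same recovered key also covers the key-reuse case Golden mentions: if a strain hands the same key to many victims, one recovery, or one purchased key, decrypts every file encrypted under it, which is why a decryptor for a strain can help victims who never paid.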
