Four lessons from life-long ransomware expert Fabian Wosar

"I started collecting computer viruses like other people collected Pokemon cards."
23 July 2020

Ransomware threatens the very safety of organizational data. Source: Unsplash

  • Ransomware costs businesses an overwhelming US$75 million per year
  • Fabian Wosar, CTO of Emsisoft, joined TechHQ for an interview and shared his wisdom on one of the most malicious forms of cybercrime

Cybersecurity, and malware research in particular, has been a “significant part” of Fabian Wosar’s life since he was a teenager. Growing up in East Germany, where “computers were a relatively rare sight,” the now world-renowned ransomware expert was 11 years old before he had saved enough to buy his first computer. Several years later he caught his first computer virus, known as TEQUILA-B.

“I started collecting computer viruses like other people collect stamps or Pokemon cards,” Wosar told TechHQ. “And I spent excessive amounts of time on the computer, just taking all the viruses I had apart, figuring out how they work, and ultimately I ended up writing my own little antivirus tools that detected and removed the viruses that were in my collection.”

That was how Wosar, CTO of Emsisoft and one of the world’s best-known ‘ransomware busters’, began his campaign against what has become one of the biggest threats to businesses today: malware that locks users out of their data until a ransom is paid, and that costs businesses a staggering US$75 million per year.

Since those early days, the decryption tools Wosar has built, offered to ransomware victims for free, have been downloaded more than 1.7 million times. TechHQ jumped at the chance to interview Wosar about the state of ransomware in a remarkable year, as well as his own experiences as a lead actor in the fight against this indiscriminate cybersecurity threat.

# 1 | There are five stages of ransomware grief

Companies hit by ransomware go through a journey of emotions: “In my experience, victims who get hit by ransomware go through the five stages of grief that people who are dealing with death also go through,” said Wosar.

The five stages of grief are denial, anger, bargaining, depression, and acceptance, and the first reaction of most companies that fall victim to ransomware is denial. Companies often think they can somehow keep the incident under wraps: if they can fix it quickly without anyone noticing, they won’t have to disclose it, even though in many cases they are legally obliged to.

Once companies realize the issue isn’t likely to go away, “you generally encounter a lot of anger,” Wosar said. That anger is directed not only at the attackers but also inward, at whichever employee or executive is deemed responsible for the attack, regardless of whether they truly are responsible for the breach.

“Usually, after they’ve got the anger out of the way, the bargaining starts,” Wosar continued. This is the point at which ransomware victims reach out to companies like Emsisoft, or to well-known figures in the ransomware research community such as Michael Gillespie or Wosar himself.

In many cases, companies also try to reach out directly to the ransomware authors and plead with them. “Unfortunately, if that fails, which it often does, the depression kicks in – companies start fearing for their livelihood, and they face the realization of the incident.”

Wosar explained that, in the end, ransomware victims come to a stage of acceptance where “they either end up paying the ransomware authors” or “they take the hit and try to recover from it.”

In brief, the psychology behind ransomware capitalizes on “selling hope.” Ransomware authors know their victims are in a dire situation, and companies are sold “the hope that everything can be fixed, that somehow they can recover from this.”

# 2 | There is a one-in-ten chance of data being stolen

As if ransomware attacks weren’t a big enough problem in themselves, Emsisoft released a study that found a growing number of exfiltration+encryption attacks, which combine the immediate disruption of a ransomware attack with the long-term consequences of a data breach, leaving the door open for further attacks in the future.

This ‘hybrid’ form of attack emerged in 2019. Attackers notify their victims that if they fail to pay the ransom demand, not only will the data on the infected systems remain encrypted, but the attackers will also publish the highly sensitive data they have stolen.

Wosar called this a frightening development, “especially when you consider that data exfiltration as a practice, just years ago, was more of a theoretical idea.”

The study found that exfiltration went from accounting for none of the observed ransomware attacks to about 10% of them within six months. But Wosar believes the real number is almost certainly much higher and will continue to climb over the next couple of months. It is likely that in a year’s time, “data exfiltration would become the norm for all threat actors and groups that are involved in these ransomware attacks.”

“Chances are the attackers can use the credentials they harvested again in the future,” warned Wosar. Stolen data such as local Outlook mailbox files gives attackers “an idea of who you communicate with, which can then be leveraged for more convincing spear-phishing attacks, not just against your company but against all the companies that you work with as well.”

In other words, the stolen data hands attackers an advantage: they can mimic real correspondents’ email signatures, spoof sender addresses, and imitate the way people in the organization actually write, which in turn fuels the next round of attacks.

# 3 | Transparency is key

While ransomware is, unfortunately, now a fact of life, how victims respond to an incident can make a huge difference. Wosar highlighted two cases in particular that illustrate how, and how not, to handle ransomware.

“If you ever find yourself in a [ransomware] situation and if you want to be prepared, I highly recommend reading up on the Norsk Hydro case and look at the responses from the company, and kind of model your own response and your own plans.”

Norsk Hydro, a Norwegian aluminium producer, was hit by LockerGoga ransomware in 2019 and has often been lauded for its refusal to pay its attackers and its openness in discussing what happened.

“They had press conferences on an almost daily basis and gave multiple daily thoughts about the situation and how they were handling it,” Wosar commented.

Consequently, the company’s transparency and openness in handling the incident meant its stock price did not take a dip, “at least not the kind of hits that companies who are in these situations would fear.”

In contrast, Travelex was described as the “polar opposite” in its handling of ransomware: “At first, they completely tried to deny everything even though it was blatantly obvious to anyone what was going on. They kept everyone in the dark.” The foreign exchange company’s public response consisted of taking down its website and posting a note stating it was “temporarily unavailable due to planned maintenance.” Its management of the incident has been widely criticized for its lack of transparency, as covered in TechHQ.

As Wosar indicated, the typical reaction of companies hit by ransomware is to resolve the incident with the least publicity, as fast as possible.

“I know that a lot of companies fear public backlash,” Wosar said. “But in my experience, most customers and clients are actually very understanding when it comes to a data breach, which is probably a direct result of just the myriad of data breaches that happen all the time.”

Being open and honest about what happened is important, said Wosar, and “it also strengthens your position when it comes to the ransomware negotiations.”

# 4 | Don’t pay up

Key to ransomware’s ongoing prevalence is the fact that so many victims, seeking to sweep the problem under the rug, simply pay the ransom demanded by their attackers. A study by IBM Security’s X-Force found that 20% of compromised organizations had paid ransoms of more than US$40,000, and the real figure is likely much higher, since few companies will admit to paying.

There have even been reported instances of ‘highly specialized’ firms that claim to be able to ‘break’ the encryption used by ransomware, but in fact simply take their clients’ money and pay off the attackers themselves.

Wosar emphasized his regret at seeing ransomware victims pay the ransom when alternatives were available: “I always find it kind of disheartening when we deal with ransomware victims who contact us after they’ve paid the ransom.

“And it turns out that they didn’t have to pay the ransom in the first place,” the ransomware expert said. Free decryption tools already exist for many ransomware families, and many ransomware implementations have flaws in their encryption that malware researchers know of and can exploit to recover files without paying.

Companies hit by ransomware will fare better with “a little bit of research.” Or, as Wosar put it, “just even reaching out to a company like us would go a very, very long way.”