The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime

Renee Dudley is a technology reporter at ProPublica. Before that she was on the enterprise team at Reuters, where she reported extensively on college entrance exams; that investigative series, which uncovered corruption in college admissions, was a Pulitzer Prize finalist in 2017.

Daniel Golden is a senior editor and reporter at ProPublica and has been instrumental in three Pulitzer Prizes, two as an editor and one as a reporter. He also reported extensively on college admissions, earning his Pulitzer Prize as a reporter in 2004 for a series on preferential treatment in college admissions.

Below, Renee and Dan share 5 key insights from their new book, The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime. Listen to the audio version—read by Renee and Dan—in the Next Big Idea App.

1. Ordinary people can do extraordinary things.

The heroes of our book are the dozen or so geeky volunteers in seven countries who make up the Ransomware Hunting Team. They have regular day jobs, but their passion—and obsession—is fighting ransomware. Their technical virtuosity is largely self-taught. Some of them never went to college. Some come from backgrounds of poverty or abuse, and still suffer from depression or struggle to pay their bills.

Yet this obscure band of tech nerds is often the only recourse for victims who can’t afford—or refuse out of principle—to pay ransoms to cybercriminals. The team has cracked more than three hundred major ransomware strains and variants, saving an estimated four million victims from paying billions of dollars in ransom, almost always without charging a penny.

The foremost codebreaker on the team is Michael Gillespie, a cancer survivor and cat lover who got his start cracking ransomware while working at a Nerds On Call IT shop in the town of Normal, Illinois. He and his wife were so poor that their car was repossessed, and they almost lost their home. Nevertheless, he decrypted ransomware around the clock and developed free tools victims could use to recover without paying hackers. Other teammates include the brilliant, reclusive Fabian Wosar, a high school dropout from Germany who enjoys bantering with the attackers he foils, and his protégé, the British computer science prodigy Sarah White. Together, this team is the most effective force against an escalating global threat.

2. As society moves online, it becomes more vulnerable to ransomware.

During the COVID-19 pandemic, most people became almost completely reliant on their computers for work, school, and social connection. But in staying home to avoid one contagion, many became victims of another epidemic: ransomware. A wave of cyber-extortion crippled hospitals, universities, and government agencies, shuttered businesses, and isolated people even further.

With the pandemic raging, hospitals’ access to their online systems and digital records became a matter of life or death. When hospitals were hit by ransomware, patients had to be transferred long distances for treatment. In one tragic case, a newborn suffered a brain injury and later died after nurses were unable to detect fetal distress while her mother was in labor. Lawrence Abrams, co-founder of the Hunting Team, pleaded with ransomware gangs to stop attacking hospitals, but few honored the truce.

Only a few years ago, ransomware was a relatively minor irritant. Gangs mostly attacked individuals, seeking a few hundred dollars apiece. Today, it impacts everything. Ransomware gangs have paralyzed every kind of organization, demanding millions of dollars.

Ransomware often strikes the same place twice. Victims who recover, whether by paying or by restoring, but never close the gap that let the attackers in are routinely hit again, sometimes by the same gang.

3. Law enforcement can’t keep up with the hackers.

For years, the FBI brushed off ransomware as an “ankle-biter crime.” After the May 2021 attack on Colonial Pipeline, which caused fuel shortages and shuttered gas stations across the Southeast, the bureau began prioritizing the ransomware threat. But it was behind the curve, and at a disadvantage: the FBI lacks enough agents with advanced computer skills.

The bureau has struggled with recruitment and retention partly due to its longstanding expectation that agents should be able to do “any job, anywhere.” While other global law enforcement agencies have snatched up computer scientists over the past two decades, the FBI tried to turn existing agents into digital specialists, clinging to the “any job” mantra. But that approach doesn’t work when investigating modern cybercrime. It may be possible to turn an agent whose background is in accounting into a first-rate gang investigator; it’s a lot harder to turn that same agent into a top-flight computer scientist.

The “any job” outlook is also problematic for recruitment. People who have spent years becoming computer experts typically want to stay in that role. Knowing that they might be ordered to pivot to another assignment could turn off prospective applicants. Most computer experts don’t fit the description of typical cops. There are certainly exceptions, but many lack the aptitude for (or feel uneasy with) traditional law enforcement expectations such as being in top physical fitness, handling deadly-force scenarios, or even interacting with the public. But current requirements for agents of all designations include all those things. The FBI needs to drop requirements for cyber agents that aren’t necessary for the job.

4. Beware of the extortion economy.

A booming industry has sprung up to assist victims of ransomware. Negotiators, insurers, and incident response firms offer their services to victims, and while these firms may genuinely want to help, they also have a financial stake in perpetuating ransomware. For insurers, paying the ransom often makes financial sense: a rebuild from backups can be slow and unpredictable, and every day of downtime leaves the insurer on the hook for everything from employee overtime to public relations efforts.

Worst of all are “data recovery” firms. They purport to do, for a hefty fee, what the hunting team actually does for free: find the key to unlock files without paying a ransom. In reality, some of these companies simply pay the ransom behind the victim’s back and bill for a “recovery,” so the victim is scammed twice, once by the gang and again by the firm.

5. Codebreaking rescues ransomware victims, but it also makes the hackers better.

The hunting team’s victories are often fleeting. When it discovers a flaw in a ransomware strain’s code, it does its best to keep the news from the hackers. It follows an unwritten precept as old as espionage: don’t let your opponents know what you’ve figured out.

But eventually, as payments drop off, the cybercriminals realize that something has gone wrong and fix the flaw. In a sense, the codebreakers function as product testers for ransomware gangs. As mistakes are discovered, hackers upgrade their cryptography and make the strains tougher or impossible to decode. Because of these fixes, and the increasing technical savvy and specialization of many hackers, ransomware has become much harder to break.

Fighting ransomware is incredibly hard. Most of the attackers are out of the FBI’s reach in countries with which the U.S. doesn’t have extradition treaties. And if their cryptography has no mistakes, even the Hunting Team can’t crack the code.
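The kind of mistake the team lives on, and the fix that takes it away, as an added illustration that is not code from the book and does not describe any real strain: a constructed toy ransomware whose per-file key is derived from a non-cryptographic PRNG seeded with the infection timestamp. A decryptor only has to brute-force the timestamps in a window around the file's modification time and test each candidate against a known file header. Once the author replaces that seed with output from the operating system's CSPRNG, the same attack has nothing left to exploit. The stream cipher, header, timestamp and six-hour window are all assumptions made for the example.

```python
import hashlib
import random
import secrets
from typing import Optional, Tuple

# Constructed known plaintext: every encrypted file of this type starts with
# the same header, which is what the decryptor checks candidate keys against.
KNOWN_HEADER = b"%PDF-1.7\n"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Illustration only; the
    flaw demonstrated below is in key generation, not in this cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def weak_key(infection_time: int) -> bytes:
    """The flaw: a 256-bit key whose only entropy is a 32-bit Unix timestamp,
    because the author seeded a non-cryptographic PRNG with time()."""
    rng = random.Random(infection_time)
    return bytes(rng.getrandbits(8) for _ in range(32))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))


def crack_weak_key(ciphertext: bytes, known_header: bytes,
                   window_start: int, window_end: int) -> Optional[Tuple[int, bytes]]:
    """What a decryptor does with this flaw: try every timestamp in the window
    (narrowed by the file's modification time) and accept the candidate whose
    keystream turns the ciphertext prefix back into the known header.
    Work is linear in the window size, not in 2**256."""
    n = len(known_header)
    for t in range(window_start, window_end):
        key = weak_key(t)
        if xor_bytes(ciphertext[:n], keystream(key, n)) == known_header:
            return t, key
    return None


def strong_key() -> bytes:
    """The fix the gang ships once payments dry up: a key from the OS CSPRNG.
    (Real ransomware then wraps it with the gang's public key; omitted here.)"""
    return secrets.token_bytes(32)


def demo() -> dict:
    plaintext = KNOWN_HEADER + b"constructed victim document contents " * 20
    infection_time = 1_700_000_000  # constructed infection timestamp
    window = (infection_time - 3 * 3600, infection_time + 3 * 3600)  # six-hour window

    # Flawed strain: the key falls out of a timestamp brute-force.
    ct_weak = encrypt(plaintext, weak_key(infection_time))
    hit = crack_weak_key(ct_weak, KNOWN_HEADER, *window)
    recovered = decrypt(ct_weak, hit[1]) if hit else None

    # Patched strain: same cipher, same attack, no structure left to exploit.
    ct_strong = encrypt(plaintext, strong_key())
    miss = crack_weak_key(ct_strong, KNOWN_HEADER, *window)

    return {
        "weak_timestamp_found": hit[0] if hit else None,
        "weak_recovered": recovered == plaintext,
        "strong_cracked": miss is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The search cost is what makes the flaw usable: a six-hour window is about 21,600 candidates, which a laptop clears in well under a second, and a known header gives an unambiguous stop condition. Real decryptors differ in the details (a weak RNG, a hard-coded key, a key left in memory or on disk) but follow the same pattern, which is why the team keeps the specific flaw quiet for as long as it can.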

When there’s no cure, prevention is vital. Steps such as multi-factor authentication, not opening suspicious email attachments, and not downloading from untrustworthy sites significantly reduce ransomware risk. Keep reliable backups of important files both in the cloud and on a device that is disconnected from the network once the backup is done, because ransomware encrypts any backup it can reach, and test restoring from them before you need to. That way, if there’s a ransomware attack, files can be restored without paying.
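A backup that an attacker could reach is only worth something if you can tell whether it is still intact, and a restore that fails is discovered at the worst possible moment. As an added example, not from the book, the script below records a SHA-256 manifest of a directory-based backup at backup time and later verifies it, flagging files that went missing, changed, or now look encrypted (an entropy heuristic). The directory layout, file contents, the 7.5 bits-per-byte threshold and the 10 percent change allowance are assumptions made for the example; the manifest is assumed to be kept somewhere the backup medium cannot be written from.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed thresholds: share of files allowed to change legitimately between
# manifest and check, and the bits-per-byte above which a file looks encrypted.
MAX_CHANGED_FRACTION = 0.10
ENTROPY_LIMIT = 7.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain documents sit well below 7; encrypted or
    compressed data is close to 8. A cheap heuristic, not a proof."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every file at backup time. Store the manifest off
    the backup medium so an attacker who rewrites the files cannot also
    rewrite the record of what they should contain."""
    return {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup against its manifest. Any high-entropy rewrite, or
    more churn than MAX_CHANGED_FRACTION allows, marks the copy as unsafe to
    restore from."""
    report = {"missing": [], "changed": [], "high_entropy": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > ENTROPY_LIMIT:
                report["high_entropy"].append(rel)
    churn = len(report["missing"]) + len(report["changed"])
    report["ok"] = (churn <= MAX_CHANGED_FRACTION * max(len(manifest), 1)
                    and not report["high_entropy"])
    return report


def demo() -> dict:
    """Constructed scenario: a backup is taken and a manifest written; later a
    ransomware process that could reach the backup share rewrites one file
    with ciphertext, and verification catches it before anyone restores."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        for i in range(10):
            (backup / f"report_{i}.txt").write_text("quarterly figures, line %d\n" % i * 200)
        manifest = write_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate the backup file being encrypted in place.
        (backup / "report_3.txt").write_bytes(os.urandom(4096))
        tampered = verify_backup(backup, manifest)
        return {"clean_ok": clean["ok"], "tampered_ok": tampered["ok"],
                "flagged": tampered["high_entropy"]}


if __name__ == "__main__":
    print(demo())
```

Run the verification from a machine that only has read access to the backup, on a schedule, and treat a failed check as an incident rather than a nuisance. The offline copy the text recommends is what this check protects: it confirms that the copy you are about to disconnect, or about to restore from, is the one you think it is.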
