Tuesday, October 29, 2019

SECURITY - Ransomware Hunting League Hero




"The Ransomware Superhero of Normal, Illinois" by Renee Dudley, ProPublica 10/28/2019

Thanks to Michael Gillespie, an obscure programmer at a Nerds on Call repair store, hundreds of thousands of ransomware victims have recovered their files for free.

This story was co-published with the Chicago Sun-Times and The Pantagraph.

ProPublica is a nonprofit newsroom that investigates abuses of power.  Sign up for ProPublica’s Big Story newsletter to receive stories like this one in your inbox as soon as they are published.


About 10 years ago, Michael Gillespie and several classmates at Pekin Community High School in central Illinois were clicking on links on the school’s website when they discovered a weakness that exposed sensitive information such as students’ Social Security numbers.  They quickly alerted their computer repair and networking teacher, Eric McCann.

“It was a vulnerability that nobody even knew about,” McCann said.  “They did a quick search on passwords and student accounts, and lo and behold, that file is sitting out there.”

A shy, skinny teenager whose hand-me-down clothes didn’t fit him, and who was often ridiculed by schoolmates, Gillespie was already working after school as a computer technician.  “He was full of information all the time,” McCann said.  “We’d bounce ideas off each other.  You could tell his passion for technology, for computers, for figuring out things.  That definitely made him stand out.”

Without crediting the students, school administrators closed the breach and changed everyone’s passwords.  Gillespie’s anonymous protection of the school’s cyberdefenses was a harbinger of his future.  Like a real-life version of Clark Kent or Peter Parker, the self-effacing Gillespie morphs in his spare time into a crime-foiling superhero.  A cancer survivor who works at a Nerds on Call computer repair shop and has been overwhelmed by debt — he and his wife had a car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie has become, with little fanfare or reward, one of the world’s leading conquerors of an especially common and virulent cybercrime: ransomware.  Asked what motivates him, he replied, “I guess it’s just the affinity for challenge and feeling like I am contributing to beating the bad guys.”

Each year, millions of ransomware attacks paralyze computer systems of individuals, businesses, hospitals and medical offices, government agencies, and even police departments.  Often, files cannot be decrypted without paying a ransom, and victims who haven’t saved backup copies and want to retrieve the information have little choice but to pony up.  But those who have recovered their data without enriching criminals frequently owe their escapes to Gillespie.

The FBI and local law enforcement agencies have had little success in curbing ransomware.  Local departments lack the resources to solve cybercrime, and the ransoms demanded have often been below the threshold that triggers federal investigations.  Security researchers like Gillespie have done their best to fill the gap.  There are almost 800 known types of ransomware, and Gillespie, mostly by himself but sometimes collaborating with other ransomware hunters, has cracked more than 100 of them.  Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

“He took that deep dive into the technical stuff, and he just thrives on it,” said Lawrence Abrams, founder of a ransomware assistance website called BleepingComputer.com.  “Every time a new ransomware comes out, he checks it out.  ‘Can it be decrypted?  Yes, it can be decrypted.  OK, I’ll make the decryptor.’  And it’s just nonstop.  He just keeps pumping them out.”

Gillespie downplays his accomplishments.  “IT [Internet Technology] moves so fast, there’s always something to learn, and there’s always someone better than you,” he said.

Gillespie’s tools are available on BleepingComputer.com, and they can be accessed through a site he created and operates, called ID Ransomware.  There, victims submit about 2,000 ransomware-stricken files every day to find out which strain has hit them and to obtain an antidote, if one exists.

As hackers and their corporate enablers, including cyber insurance providers and data recovery firms whose business models are based on paying ransoms, profit directly or indirectly from cybercrime, one of ransomware’s greatest foes lives paycheck-to-paycheck.  Under his internet alias, demonslay335, Gillespie tackles ransomware either in his downtime at Nerds on Call or at night in the two-story bungalow he shares with his wife, Morgan, and their dog, rabbit and eight cats.  Surrounded by pets, he lies on his living room couch, decoding ransomware on his laptop and corresponding with victims desperate for his help.

Although the FBI honored him in 2017 with an award for his website, it doesn’t systematically recommend ID Ransomware — meaning that some victims may never learn of a resource that could help them avoid paying a ransom.  Many of his friends, relatives and colleagues don’t know the extent of his war on ransomware.  “They do not have a clue because of Michael’s modesty,” said his wife’s grandmother, Rita Blanch.  “Honestly, I don’t think anyone in the family knows what he does for free.  I barely know.”  When he got the FBI award, she added, “I sent out a family text, and they’re like: ‘What?  What?  Our Michael?’”

McCann wasn’t aware of Gillespie’s accomplishments either.  “It kind of gives me goosebumps,” the teacher said.  “He’s sitting here doing all this for free.  That’s incredible.”

On a humid morning in July, Gillespie sat on his covered front porch.  His hair was pulled back into a low ponytail, and he sported scraggly facial hair and a V-neck striped shirt.  Brown leaves left over from the previous autumn and birdseed from a feeder were scattered on the ground.  Gillespie said hello to a cardinal — the Illinois state bird, he pointed out — and a squirrel with a “wonky eye.”  He said a family of groundhogs resides under the porch and eats from the front-yard mulberry tree, but they didn’t make an appearance.

He opened his Twitter account.  “Like right now, I have 58 PMs and 120 notifications,” he said.  Most were pleas for help from victims of a ransomware strain, STOP Djvu, which he can sometimes decrypt.

Gillespie’s love of computers and electronics started early.  His paternal grandmother, a video gamer, introduced him to online role-playing games such as RuneScape.  He played Donkey Kong Country on a used Super Nintendo that his uncle gave him.  As emergency services volunteers, his parents communicated with tornado spotters via ham radios.  His father, a land surveyor, taught him how to repair electronics by soldering the radios.

Gillespie gleaned from his mother’s father, a police lieutenant in Florida, the importance of protecting the public.  Reinforcing the message, his parents went out of their way on family trips to pass through Metropolis, Illinois, which proclaims itself to be Superman’s hometown, and pay their respects at the Man of Steel’s bronze statue.  Gillespie was also fascinated by cryptography.  He liked the idea of having secret codes that no one else could figure out — and cracking other people’s.

Struggling financially, his family sometimes had to move in with friends or relatives.  When he was in high school, his parents filed for bankruptcy in the Central District of Illinois, court documents show.

At Pekin High, he helped protect not only the website but also his classmates’ belongings.  One day, noticing that other students were pre-setting codes to the combination locks on their lockers for convenience, he pulled down on every lock in his aisle.  About a quarter of the lockers opened.  He left a Post-it note in each one, admonishing the user to be more careful.

By then, he and Morgan Blanch were becoming close.  They lived down the street from each other but didn’t become friends until their freshman year at Pekin.  They began hanging out at each other’s houses and messaging on Myspace.  They were both in the school show choir and eventually sang in a national competition on the Grand Ole Opry stage in Nashville, Tennessee.

Both sometimes felt like outcasts.  She was overweight.  Gillespie, she said, was “that one kid at school that everybody knows who they are because they’re weird or they’re the butt of people’s jokes.”

But they could rely on each other.  “We’d get annoyed because our other friends were more flighty,” she said.  “They weren’t dependable, whereas if Michael and I made a plan, we stuck to it.  And we liked that about each other.” They started dating during Christmas break of their junior year.

When he graduated in 2010, Gillespie was named a Prairie State Scholar and an Illinois State Scholar, based on his standardized test scores and class rank.  Instead of going to college, he began working full time at the Nerds on Call store in Normal, Illinois.  Even with financial aid, he said, college would have been too expensive, and he already had everything he wanted.  “I got a job, got a car, got a girlfriend.  Boom.  Life together,” he said.

“He just felt that he could learn better on his own than in a classroom setting,” Morgan Gillespie said.  “He doesn’t really like to be restrained by protocol or by doing the ‘typical’ route of things.  He likes to get in there and figure it out and do whatever it is he feels like he wants to do.”

She enrolled at Millikin University in Decatur, Illinois, but missed Gillespie and dropped out after two months.  They moved into a new apartment close to his job and were married in October 2012, with Rita Blanch officiating.  For the bachelor party, Gillespie and his Nerds on Call friends went to a nearby farm and shot up old computers with his father’s firearms.  “Nobody who was too tipsy got to hold the rifles, but we put a few rounds through some old monitors,” said his best man, former co-worker David Jacobs, who organized the party.

The couple honeymooned in Peoria, Illinois.  The next year, with a Federal Housing Administration loan for lower-income borrowers, they purchased their $116,000 bungalow in a working-class neighborhood in Bloomington, Illinois.  There they could hear Amtrak’s Lincoln Service roar by on its way to Chicago.

At Nerds on Call, Gillespie was known as the Swiss Army Knife for his versatility.  So when a client was hit by TeslaCrypt ransomware in 2015, Gillespie was assigned to recover the files.

He embraced the task.  Not only was it an opportunity to expand his skills, but he also objected to the very idea of paying a ransom.  “I say hell no,” he said.  “There’s all the stuff about how it’s funding terrorism, funding bad stuff.  But more so, it’s just encouraging [criminals] to keep going.”

Gillespie “lives so heavily in the tech world, I think having bad actors involved just bothers him,” Jacobs said.  “Sometimes it’s also a little bit of competition.  ‘It’s me versus the bad guys and I want to win.  I want to be able to outdo their schemes.’”

Gillespie immediately consulted BleepingComputer.com.  Established in 2004 by Abrams to provide free advice for any computer problem through tutorials and forums, it had become the go-to site for ransomware assistance.

Sure enough, a BleepingComputer member known as BloodDolly had figured out how to crack TeslaCrypt.  But Gillespie still had to create a key for the client, which required running complex software for hours or days at a time.  “I wanted to post a success story for one of my customer’s systems that was hit this week,” he proudly announced on the forum in August 2015.  “I’ve just successfully decoded a few sample files at home.  … My customer is going to be thrilled we can get her photos back.”

Gillespie realized that Abrams, BloodDolly and other ransomware researchers were overwhelmed with requests for help.  He soaked up everything they could teach him.  Soon he was running software from both his home computer and computers under his desk at work, generating customized keys for scores of TeslaCrypt victims who had posted on BleepingComputer or on social media.

“It was huge, it was insane,” Abrams recalled.  “We were cracking keys left and right.  And Michael got the bug from that.  He came to the site, started cracking keys, starting helping.”

Gillespie also began exchanging private messages on BleepingComputer with U.K.-based ransomware expert Fabian Wosar.  Wosar, now the chief technology officer of antivirus provider Emsisoft, was working to break other strains of ransomware, and he referred TeslaCrypt victims to Gillespie.  Wosar, too, shared his knowledge with Gillespie.

“Sometimes, when people seem genuinely interested, I just ask them if they want to come along,” Wosar said.  “I just open a screen share, and they can watch what I’m doing.  And I explain to them what I am doing and why, and what all this different stuff means.”

Wosar, Gillespie, Abrams and a handful of other volunteers worldwide began communicating over the messaging platform Slack, forming a group they dubbed the Ransomware Hunting Team.  Abrams would hear about a new type of ransomware through users’ posts on his website and send a sample to his teammates.  If they could solve it, they would.

Gillespie creates 90% of the decryptors available on BleepingComputer, Abrams said.  Since May, when Abrams began tracking statistics, decryptors on the site have been downloaded more than 320,000 times.

While BleepingComputer makes money from advertisers, members of the hunting team from time to time have discussed charging for their services.  Each time, “it left a sour taste,” Abrams said.  He recalled a mother who contacted him to say she’d lost photos of her son, a fallen Army veteran, to ransomware.  Abrams helped to decrypt her files.  “I couldn’t charge for that,” he said.

Wosar and Gillespie have each created more free, public decryptors than anybody else in the world.  The two have much in common: neither went to college and both consider themselves autodidacts, learning mostly from internet research.  Both found a home and friendships on BleepingComputer.  And both, Wosar said, suffer from imposter syndrome — feelings of inadequacy that persist despite their success.

“I think we’re all kind of misfits,” Wosar said, referring to members of the team.  “We all have weird quirks that isolate us from the normal world but come in handy when it comes to tracking ransomware and helping people.  That’s why and how we work so well together.  You don’t need credentials, as long as you have the passion and the drive to teach yourself the skills required.  And Michael clearly has it, right?”

As ransomware became increasingly prevalent, the Ransomware Hunting Team had trouble staying abreast of new variants.  “It just got to the point where we just couldn’t keep track any more,” Abrams said.

Gillespie quietly began working on a solution.  “I’m a programmer,” he said.  “What do I do?  I automate.”

At night, on his couch, Gillespie developed a site where victims could upload a ransomware-encrypted file and automatically learn what type it was, whether a decryptor existed and, if so, how to get it.  In March 2016, he launched ID Ransomware with an announcement on Twitter and on BleepingComputer.  “All too often after a ransomware attack, the first question is, ‘what encrypted my files?’, followed by ‘can I decrypt my data?’” he wrote.  “This web service aims to help answer those questions, and guide a victim to the correct information relating to their infection.”

The site took off immediately.  Victims, ransomware recovery firms and other researchers sent encrypted files for analysis.  When they submitted files infected by an unidentified type of ransomware, Gillespie added it to his database.  As before, he and other members of the team worked to create decryptors for newly discovered strains.  ID Ransomware currently can detect more than 780 strains, of which almost 40% have free decryptors, most of them developed by Gillespie or Wosar, and others by cybersecurity firms such as Kaspersky, Avast and Bitdefender.

He’s developed other free applications for victims, which are available on BleepingComputer.  RansomNoteCleaner removes ransom notes left behind after an infection — eliminating the time-consuming task of removing them manually — and CryptoSearch locates encrypted files and makes it easier to back them up, in the hope that a solution may someday be discovered.  ID Ransomware also cross-references the submitter’s IP address with Shodan, a site that can show a computer’s vulnerabilities.  If it detects an open port, which could have allowed the hackers in, ID Ransomware flags the vulnerability — and, like the notes Gillespie stuck in the high school lockers, suggests fixing it.

Gillespie worked nonstop.  “I felt like I never saw him,” his wife said.  “We would be hanging out in the evening, and he would be like, ‘Oh my gosh, I have to go do this.’ And he would just disappear for hours.”

Volunteers around the world have translated ID Ransomware into two dozen languages, from Swedish to Nepali.  Only 26% of submissions to the site have come from the U.S.  “He collects amazing data because so many people use it,” Abrams said.  “He has tons of information.  You can see statistics, trends, what kinds of attacks are happening and when.  Everyone uses it.”

Those users include law enforcement, on both sides of the Atlantic.  Europol and Netherlands police flattered ID Ransomware by imitation, launching a similar but less comprehensive site.  An FBI agent from the Springfield, Illinois, field office asked to meet Gillespie, and they got together with another agent at a local Panera restaurant.

“The first meeting was nerve-wracking for me because, you know, why does the FBI want to talk to me?” Gillespie recalled.  “I was so awkward at that meeting.  I wasn’t thinking, ‘Am I gonna get arrested.’  But I did have in the back of my mind, ‘Am I gonna say something stupid?’”

The FBI needed help.  Victims often don’t report attacks to the bureau because they don’t want investors or the public to learn of their security lapses.  In 2018, the FBI received only 1,493 reports of ransomware — compared with the 2,000 queries daily to Gillespie’s site from about 750 different IP addresses worldwide.

At first, the agents sought information about the origins of a specific ransomware attack, something Gillespie does not investigate.  Then they began requesting lists of IP addresses that had uploaded files to ID Ransomware, which could help identify victims, as well as ransom notes and other material.  Gillespie, who discloses on the ID Ransomware homepage that email or bitcoin addresses uploaded to the site may be shared with “trusted third parties or law enforcement,” complied.

His assistance appears to have paid off.  Gillespie said agents indicated to him that his information may have been instrumental in last year’s indictment of two Iranian hackers wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018.  Although the suspects have not been arrested, it was the U.S. government’s first indictment of cyberattackers for deploying a ransomware scheme.

Gillespie continues to meet regularly with FBI agents.  He tips them off, for instance, when a ransom note or extension on a file uploaded to the site identifies the targeted business.  Cooperation from such victims could help law enforcement learn more about the source of the ransomware, he said.

Some other ransomware hunters are warier of the FBI.  Abrams expressed concern that, despite the ID Ransomware acknowledgment, there could be “repercussions” from victims who might be upset that Gillespie identified them to the bureau.  Gillespie “is a little too trusting” of law enforcement, Abrams said.  “I do think that he’s not very worldly and that he sees things a little more black and white than with a lot of shades of gray.  And I think in that case he could be easily manipulated and taken advantage of.”

In 2017, the FBI awarded Gillespie a Community Leadership Award for his “public service, devotion and assistance to victims of ransomware in the United States and Internationally.”  Gillespie prominently displays the award in his home.  In April 2018, he and his wife flew to Washington for the award ceremony, accompanied by his boss at Nerds on Call.  The joke around the office was that the boss “went with him to try to nerf anybody trying to recruit him,” said Gillespie’s former co-worker, Jacobs.  “He would be very difficult to replace.”

Philosophically opposed to charging victims, Gillespie keeps ID Ransomware free.  He put up a link for donations to help cover the costs of running the site, but he didn’t bother to register it as a nonprofit, which would have enabled donors to deduct gifts from their taxes.  Contributions were scarce.  One $3,000 donation through PayPal proved to be a scam — Gillespie speculated that it may have been revenge by hackers whose ransomware he disabled — and PayPal demanded the money back.  He couldn’t repay it and switched to another service.

Gillespie “doesn’t chase money,” Jacobs said.  “If he were chasing money, he would have been living on the East or West Coast by now and doing something for some company that we’d all heard of instead of a little service provider in the Midwest.  But he’s one of those guys, he operates very heavily on principle.”

To make ends meet, Gillespie supplemented his Nerds on Call salary with a 2 a.m. paper route, delivering the local newspaper on his bike.  While he had enjoyed having a paper route in junior high, the job now depressed him.  But the family bills were mounting, especially for health care.  Morgan Gillespie struggled with diabetes and other medical issues.  Over the years, Michael Gillespie noticed blood in his urine, and in the fall of 2017, his wife finally made him see a doctor.  The physician removed a tumor and diagnosed bladder cancer, which rarely affects young adults.  Gillespie took one day off for surgery and one to recover before returning to work.  He underwent immunotherapy treatment weekly for two months, and the cancer has been in remission since.  Although he was insured through Nerds on Call, the costs for his care still added up.

The couple reached a financial breaking point.  They racked up credit card debt and fell behind on payments on Morgan Gillespie’s Nissan.  They rotated which utility bills they would pay; one month their electricity would be turned off, and the next month it would be gas.  They surrendered the car to the bank, which sold it at a loss at auction and forced them to make up the difference.  Last year, around the time his wife lost her job as a nanny, they missed four mortgage payments on their house and began to receive foreclosure notices, Michael Gillespie said.

Gillespie said he’s considering charging other security researchers for the statistics he gathers on the site, but he will always keep the tools free for victims.  Friends and family members nagged Gillespie to collect fees from ID Ransomware users.  Even his wife’s grandmother, whom Gillespie calls “grammy,” brought it up.  “I try to not interfere in that area,” Rita Blanch said.  “Unless, being silly at times, when I would say to him, ‘Babe, you need to charge, you could, like, be rich.’”

Other relatives “have been like: ‘Why isn’t he charging?  Why isn’t he making money off of this?’” said his wife, who recently found a part-time job as a babysitter.  “They think it’s almost dumb, the fact that he does what he does.  But that was just never what the deal was for us.  He just doesn’t want to take advantage of people who are already being taken advantage of.”

Instead, his fellow ransomware hunters stepped in.  Abrams covered the $400 cost of obtaining a certificate that lets users know they’re downloading from a trustworthy site.  Wosar began donating to ID Ransomware, and his employer, Emsisoft, hired Gillespie part-time this year to create Emsisoft-branded decryptors.  The money enabled the Gillespies to catch up on mortgage payments.

“He’s doing so much, how do you not support him if you can?” Abrams said.

After dinner one summer evening, Gillespie took a visitor to the Normal office of Nerds on Call, one of the company’s three locations in central Illinois, nestled in a strip mall between a check-cashing store and a Great Clips hair salon.  Gillespie, who has worked for Nerds on Call for 11 years, has keys, so he was able to open the office and disable the alarm system.  In the back, behind the retail area, is his desk, adorned with framed photos of his cats.

As his wife’s relatives often remind him, he could earn three times as much somewhere else.  But he’s happy at Nerds on Call, which gives him the freedom to work on ransomware in his downtime.  This year, he figured out fixes for the STOP Djvu ransomware, which was infecting files through pirated software.  Victims — who were unlikely to seek law enforcement assistance since they were committing a crime themselves — continue to press Michael for help unceasingly.  “It’s borderline harassment,” he said.

His frustration with the deluge of entreaties occasionally boiled over in his tweets.  “Everything you could possibly need to know is IN THE FUCKING FAQ, and its in BIG BOLD RED LETTERS,” he once responded.  “I’m losing sleep, losing time at my job, losing fucking sanity at this point.”

Some STOP Djvu victims thanked Gillespie.  Adam Hegedus of Szolnok, Hungary, was surfing the internet on his girlfriend's laptop in August when he disabled the anti-virus and firewall protections.  Ransomware crippled the computer, and a text file demanded $1,000 to restore access.  Hegedus' girlfriend is a teacher, and her lesson plans, thesis and other important documents were encrypted.  Hegedus felt so guilty that he couldn't sleep, and he sought assistance from several forums, including BleepingComputer.com.  This month, Gillespie replied with some good news; he had a decryption key.  Hegedus called his girlfriend, who rushed home and was delighted to be able to use her files again.

"You cannot imagine how grateful I am," Hegedus wrote to Gillespie.  "Everything has been decrypted and this is only because of your hard work." Hegedus offered a donation, but Gillespie declined.

Gillespie hopes that someday his services will no longer be needed, because businesses and people will have learned proper cybersecurity.  “If the world had backups, then we wouldn’t have ransomware,” he said.

In the meantime, he said, he plans to keep plugging away, even as hackers and their enablers pile up profits.  “There’s a time in every IT person’s career where they think, ‘I’m on the wrong side,’” he said.  “You start seeing the dollar amounts that are involved.  But nah, I can’t say that I ever have.  I just don’t care to go that way.”

ProPublica research reporter Doris Burke contributed to this article.

No comments: