How Teams of Volunteer Technologists Hunt Down Ransomware Gangs

In an excerpt from their new book, The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime, writers Renee Dudley and Daniel Golden take readers inside the complex and mysterious world of the hacker underground. The book reveals the ins and outs of the modern ransomware industry, while also charting the tireless work of a team of volunteer technologists who have devoted their lives to thwarting the criminal scourge. In this excerpt, the authors describe the exploits of one such “ransomware hunter,” a talented high-school dropout turned security professional, who has made it his mission in life to reverse the damage caused by criminals who develop and distribute ransomware.

In May 2016, a ransomware group called Apocalypse began breaking into computers through remote-desktop software, the kind that lets a user log in to another machine over the network. Before encrypting anything, the malware checked the computer’s default language: if it was set to Russian, Ukrainian, or Belarusian, the ransomware quit rather than encrypt the files.
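That language check is a kill switch, and it is worth seeing how small it is. What follows is an added example written for this page, not code from the book or from the Apocalypse sample: it reconstructs the check as it is usually done on Windows, where the default UI language and each installed keyboard layout carry a 16-bit LANGID whose low ten bits name the language. The LANGID constants are the documented Windows values; the keyboard-layout handles fed to it below are constructed. It goes one step beyond the text by inspecting installed keyboard layouts as well as the UI language, because many strains do, which is why adding a Russian keyboard layout is sometimes suggested as a cheap deterrent, and why it is a weak one: an operator can simply drop the check.

```python
import sys

# Documented Windows LANGID values (primary language in the low 10 bits,
# sub-language/region in the high 6).
LANG_RUSSIAN = 0x0419
LANG_UKRAINIAN = 0x0422
LANG_BELARUSIAN = 0x0423
LANG_ENGLISH_US = 0x0409


def primary_langid(langid):
    """Primary-language part of a LANGID, so every Russian sub-locale counts as Russian."""
    return langid & 0x3FF


def hkl_langid(hkl):
    """A keyboard-layout handle (HKL) carries its layout's LANGID in the low word."""
    return hkl & 0xFFFF


# Languages the text says Apocalypse refused to encrypt for.
EXCLUDED = {primary_langid(l) for l in (LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN)}


def would_abort(ui_langid, keyboard_layouts):
    """Emulate the kill switch: True if the default UI language or any installed
    keyboard layout belongs to an excluded language family."""
    if primary_langid(ui_langid) in EXCLUDED:
        return True
    return any(primary_langid(hkl_langid(h)) in EXCLUDED for h in keyboard_layouts)


def live_check():
    """On Windows, feed the real values from user32/kernel32 to would_abort();
    returns None on any other platform so the rest of the module stays portable."""
    if sys.platform != "win32":
        return None
    import ctypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    count = user32.GetKeyboardLayoutList(0, None)      # first call: how many layouts
    handles = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, handles)       # second call: fill the array
    layouts = [int(h or 0) for h in handles]
    return would_abort(kernel32.GetUserDefaultUILanguage(), layouts)


if __name__ == "__main__":
    # Constructed sample: a US-English box with only a US layout, then the
    # same box after a Russian layout (HKL 0x04190419) has been added.
    print(would_abort(LANG_ENGLISH_US, [0x04090409]))              # False
    print(would_abort(LANG_ENGLISH_US, [0x04090409, 0x04190419]))  # True
    print("kill switch would fire on this host:", live_check())
```

On a Windows host, running the file reports whether a kill switch of this shape would fire there; elsewhere live_check() returns None and only the constructed samples are evaluated. Matching on the primary language rather than the full LANGID is deliberate: it is what makes the check cheap for the attacker and is the reason a single added keyboard layout is enough to trip it.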

Apocalypse attracted the attention of Fabian Wosar, a high school dropout who became the creative force behind the antivirus company Emsisoft. Fabian grew up in Germany but now rarely ventures outside his two-bedroom apartment near London. Blue-eyed, balding and unshaven, he is perhaps the most skilled code-breaker on the Ransomware Hunting Team. Since it was formed in 2016, this obscure, invitation-only band of about a dozen tech wizards in seven countries has proven remarkably effective in fighting ransomware, one of the most pervasive and fastest-growing cybercrimes in the world.

Ransomware is the unholy marriage of hacking and cryptography. Typically, the attackers capitalise on a cybersecurity flaw or get an unsuspecting person to open an attachment or click a link. Once inside a computer system, ransomware encrypts the files, rendering them inaccessible without the right decryption key — the string of characters that can unlock the information. By retrieving those keys, the Ransomware Hunting Team has saved millions of victims — individuals, schools, hospitals, businesses, government agencies — from paying billions of dollars to hackers, almost always without charging a cent.

As he had done with other types of ransomware many times before, Fabian quickly deciphered three variants of what he called Apocalypse’s “amateurish code,” and shared the keys with victims. As Apocalypse introduced six more versions, Fabian cracked them, too.

A short time later, Apocalypse named a new variant Fabiansomware as a backhanded tribute to the ransomware hunter’s expertise. Within the code, the gang inserted a dare: “Crack me, motherfucker!”

Fabian took it in stride. “They fell hard for me,” he tweeted. “If they weren’t so horrible developers, I would almost be flattered.”

The new name misled some victims into thinking that Fabian was the one extorting them. “Stop your shit,” one victim wrote to him over Twitter. “You encrypted my server and holding me to ransom.”

“Just look up what I do before you continue to embarrass yourself,” Fabian retorted. “I am a malware researcher who pissed off a ransomware gang by repeatedly decrypting their shitty ransomware and allowing their victims to decrypt their files for free.”

As he had done with Apocalypse, Fabian cracked the first two versions of his namesake ransomware. In October 2016, before releasing a third version, the ransomware’s frustrated developer decided to save time by running it by Fabian to see if it was bulletproof.

“Hello Fabian. I finished work on a new version, do you need a sample? I can send you.”

“Sure,” Fabian replied.

The developer provided a link for Fabian to access the sample. “Im 100% sure you cant crack it.” Eleven minutes later: “I would like to receive the answer from you, as you like my code?”

Fabian noticed this version contained an image of his Twitter avatar — plump face, buzz cut, black-rimmed glasses, and goatee — with one difference: a penis pointed at him. He set aside the personal affront and started analysing the ransomware.

“I could still [crack it] in some cases,” Fabian wrote. “Not all though.”

The hacker then changed his tone, praising Fabian for breaking the prior versions “like a god,” and asking how he was able to solve one of them in a single day.

“Since your operations were simplistic it wouldn’t take much to figure them out,” Fabian explained.

“OK, thank you for your answers,” the hacker wrote. “So let’s continue this funny war.”

Fabian posted the modified avatar on Twitter, explaining that it would be in an upcoming version of Fabiansomware. “I wonder if this can be considered fan art,” he wrote.

A week later, the Apocalypse developer resumed the conversation, making an attempt to recruit Fabian. “If you have good brain, you can engage in real business and have a lot of money, why no?”

“I have enough money to have a comfortable living,” Fabian answered. “I like and enjoy my job and I don’t have to worry that a SWAT team comes busting down my doors.”

Overtures like Apocalypse’s weren’t uncommon. Ransomware developers reached out to compliment, insult, or banter with the hunters — and to try to manipulate them. They shared the team’s fascination with ransomware and many of the same skills. As the developer of Apocalypse correctly pointed out, Fabian could have been one of the world’s foremost ransomware attackers instead of one of its greatest ransomware hunters. Fabian and the hackers are “kindred spirits,” Ransomware Hunting Team co-founder Lawrence Abrams said. “It’s almost like a competition between them.”

Within the ranks of both hunters and hackers are self-taught, underemployed tech geeks who sometimes lack social graces, like video games, and are familiar with some of the same movies. Like the Ransomware Hunting Team, most of the attackers are young men. They are concentrated in Eastern Europe, although scattered globally. In countries such as Russia and North Korea, some gangs appear to enjoy a degree of government protection — and, in some cases, to be weapons in an undeclared cyberwar.

Some of the hackers pride themselves on abiding by a code of ethics. For example, they generally uphold their side of the bargain and restore computer access upon receiving a ransom. The gangs recognise that if they earn a reputation as double-crossers, future victims will be less likely to pay. They rationalize their extortion in all sorts of ways. But even when they say it isn’t about the money, it probably is. Their greed is the biggest difference between them and the team.

Fabian cracked so many ransomware strains that thwarting hackers became almost routine. So he was amused when those triumphs were accompanied by the occasional outburst of theatrical praise or protest from the villain.

Beaten hackers sometimes embedded messages to their nemesis in their ransomware code. Some fawned on him: “FWosar you are the man,” a developer inserted in the text of NMoreira ransomware in late 2016. “I am inspired by dudes who understand what they do.

“Your bruteforcing tool was amazing, I am really impressed . . . I also didnt test the Random Number Generator, that was a stupid thing to do. Hope you can break this too, Im not being sarcastic, youre really inspiring. Hugs.”

Fabian posted the compliment on social media. “At least they are polite idiots this time,” he wrote. “Still idiots, though.”

Others pleaded with him. “Fabian, please, don’t crack me!” one attacker wrote. “It is my last attempt, If you crack this version then I will start taking heroin!”

Unmoved, Fabian broke the ransomware and built a decryptor that victims could use to recover their files for free. More often, the hackers insulted him. Taunts like “Crack me again, Fabian! Show that you got balls!” stood out in the long lines of numbers and letters.

Sometimes, though, the insults felt like threats. One attacker advised him to “lay of [sic] the cheeseburgers you are fat!” Even though his weight wasn’t a secret — he appeared portly in his avatar image and had mentioned dieting on Twitter — Fabian was unnerved. A hacker interested in his personal appearance might search for his address or family.

He also discovered that someone had set a Twitter trap for him. It was a fake Fabian Wosar account that tweeted an encoded message. When he decoded it, he found the address of an IP-logging website, a page that records the IP address (the number that identifies a device on the internet) of everyone who visits it. If Fabian had opened the site from his home computer, its operators could have looked up that address and placed him in a city or even a neighbourhood. At the time, he was still living in his hometown of Rostock, Germany.

Even more alarming were the messages that associates of the CryptON ransomware gang were sending him via online forums. CryptON attacked both home users and companies, but there was a weakness in one of its algorithms. In 2017, Fabian discovered the flaw and cracked the first three versions. In a not-so-veiled warning, CryptON’s developers, who were believed to be Russian speakers, told Fabian that their friends would like to visit him in Hamburg, Germany. He had listed Hamburg as his location on LinkedIn, since it was only about two hours’ drive from Rostock and better known. “They were implying that if they want to, they can get to me, so I better stay out of their business,” he said.

He removed his personal details from sites like LinkedIn. But the episode was a stark reminder that his work did more than help victims recover files. Another consequence, unseen to the team’s members, was the disruption of hackers’ livelihoods. When Fabian cracked their ransomware, their income dried up. For some hackers, that meant they couldn’t feed their families. For others, it meant waiting to buy a luxury car. And if they had ties to hostile foreign governments, the stakes were much higher, both for them and for Fabian.

He already had the Russian mob on his mind, as Rostock had a reputation for being a nexus of organised crime. The Russian chairman of Wadan Yards, a shipyard a short distance from Fabian’s house, had been shot dead in an apparent contract killing in Moscow in 2011. Although there is scant evidence of overlap between traditional organised crime groups and cybercriminals, Fabian became increasingly paranoid as he noticed menacing faces staring at him in cafés and trailing him around his neighbourhood grocery store.

At the end of 2017, he felt compelled to leave Germany to protect himself. He opted for the United Kingdom because of its stricter privacy laws. He knew he would miss the Baltic Sea coast, cool weather, and traditional sausages of his hometown, but he otherwise had no reason to stay.

After Fabian relocated, the direct praise and taunts he’d become accustomed to receiving from hackers became less frequent. It wasn’t that he was off their radar. Rather, ransomware was maturing as a business, and the hackers were becoming more professional.

Fabian had the sense that most of the hackers who’d contacted him were either solitary operators or members of a small group. By the time of his move, however, many ransomware developers were acting as part of larger gangs.

Under the ransomware-as-a-service approach, developers delegated to other hackers the task of actually spreading the ransomware. The model dates to 2014, when the operators of a strain called CTB-Locker posted a dark web advertisement selling use of the ransomware to interested “affiliates” for $US10,000 ($13,882). In addition to the initial fee, the developer would take a roughly 30 per cent cut of ransom payments. Since ransomware at that time was a volume business targeting home users, such ads attracted hackers who controlled botnets: networks of computers infected and hijacked without their owners’ knowledge, which spread ransomware indiscriminately via spam. Hackers who purchased the “off-the-shelf” kits didn’t necessarily need deep technical knowledge to be successful. Dharma and Phobos, ransomware-as-a-service strains that remained popular for years, contained scanners that guided hackers to their targets.

Dark web forums became rife with advertisements for ransomware-as-a-service programs, and the model grew in popularity and sophistication. Gangs developed different ways of generating revenue, with some charging a onetime licence fee and others billing for a monthly subscription. Especially once ransom demands ballooned, many developers required profit-sharing agreements that gave them a cut of each payment plus control of cryptocurrency wallets where victims sent money.

Eventually, the affiliate application process became competitive. The most ambitious gangs began to prefer affiliates with the expertise to get their ransomware inside large corporate, government, education, and healthcare targets that had much deeper pockets than home users. In job ads, prospective “employers” outlined specific qualifications, such as proficiency in Cobalt Strike, a commercial adversary-simulation tool that attackers have co-opted as a post-exploitation framework for controlling compromised machines and moving through a network. They also sought affiliates with experience in cloud backup systems; if they could find and encrypt businesses’ backups, they would eliminate the option of restoring files without paying a ransom. The ads asked applicants to submit portfolios, with promising candidates invited for interviews.

In July 2019, an especially ambitious outfit known as REvil was expanding its operations and hiring for a “limited number of seats.” Its ad, written in Russian, warned off noobs.

“Get ready for an interview and show your evidence of the quality of the installations,” the ad said. “We are not a test site, and the ‘learners’ and ‘I will try’” candidates need not apply.

REvil told candidates they would not be allowed to spread the ransomware in the Commonwealth of Independent States, which includes Russia. If hired, they would get a 60 per cent cut of ransoms collected, upped to 70 per cent after the first three payments. Aware that competitors, law enforcement officers, and security researchers were viewing its ads, REvil kept the details of its operation brief. “More information can be obtained during the interview,” it wrote.

REvil and other groups went on hiring sprees, seeking dozens of hackers to spread their strains. Rival developers had to compete with one another for the most promising affiliate candidates, individuals in such demand that they seemed to have an advantage over their employers. Nothing could stop an affiliate from working with multiple ransomware gangs — and attacking the same victim with more than one strain.

As money poured into their operations, ransomware gangs began to mirror the practices of legitimate businesses. Just as a manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher-quality ransomware — which, in many cases, the Ransomware Hunting Team could not break — resulted in more and higher payouts from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.

Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted up or pivoted from other criminal work to meet developers’ demand for customised support. Partnering with gangs like GandCrab, “crypter” (or “cryptor”) providers packed and obfuscated ransomware binaries so that signature-based anti-malware scanners would not recognise them. “Initial access brokers” specialised in stealing credentials and finding vulnerabilities in target networks, and sold that access to ransomware operators and affiliates. Bitcoin “tumblers,” or mixers, offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.

“That’s similar to the normal world,” said John Fokker, head of cyber investigations at the California-based cybersecurity company Trellix. “When people specialise and the business is growing, they’ll branch off certain services that before they had to do by themselves. You see the same thing in the underground as well.”

That vast underground economy was out of sight of most victims. But a few outsourced services were what businesses like to call customer-facing. Some ransomware groups shared a call centre in India, with representatives contacting employees or clients of victim organisations that hadn’t paid up. Following a script provided by the hackers, the callers would describe the incident to the people on the other end of the line — who in some cases weren’t even aware an attack had taken place — and then pressure them to convince the victim organisation to pay.

Some gangs even outsourced their negotiations to specialised providers. Since many hackers lack a command of English, hiring a professional to communicate with victims seemed like a savvy business move. But, just like in the legitimate business world, outsourcing could backfire. With multiple groups using the same service, negotiations sometimes became jumbled. One contractor simultaneously negotiated in online chats with victims of two groups, Maze and DoppelPaymer. Relying on a script, the negotiator mistakenly failed to replace the word “Maze” with “DoppelPaymer” throughout the DoppelPaymer negotiation, causing confusion and delay.

Lizzie Cookson, a U.S.-based negotiator familiar with the victims’ side of the Maze-DoppelPaymer mix-up, said the gangs’ outsourcing added a “headache to this whole process.”

“We’ve known for a long time that we’re not really interacting with the developer ‘face to face,’ so to speak, anymore,” Cookson said. “Which is too bad because things were a lot more straightforward then.”

When victims asked members of the Ransomware Hunting Team for advice on how to protect themselves from future attacks, they always suggested keeping reliable data backups. But another twist in ransomware’s evolution made that counsel seem futile.

In November 2019, the Maze group pioneered a tactic that became known as “double extortion.” The group exfiltrated victims’ files before encrypting them, then used the stolen data as leverage in ransom negotiations. If victims refused to pay the ransom, Maze would leak the data.

Backup files might save victims from encryption, but not from massive data leaks. Even if victims had backups, they still would have to pay a ransom, or their confidential data would be posted on the dark web. This would mean public disclosure of intellectual property; police evidence; military secrets; private medical, educational, and employment records; and more.

Double extortion made ransomware more dangerous and unpredictable than ever. It also meant that ransomware attacks had to be treated as data breaches, with victims required to follow relevant state and federal laws to notify employees, clients, patients, and others whose data was compromised. With this added responsibility, the costs of recovering from an attack continued to rise, just as public trust in data privacy and security continued to erode.

In short order, other ransomware strains followed Maze’s lead. By the end of 2020, more than two dozen groups were using the double-extortion tactic. Maze and most of the others created “leak sites” on the dark web where members of the public could view victims’ names and stolen data, either for free or for a price. “Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources,” Maze said on its leak site. “Wait for their databases and private papers here. Follow the news!”

Like Maze, REvil launched a leak site, which it called Happy Blog. There, it published names of victims as well as data it had stolen from them. Its high-profile victims included a law firm representing Lady Gaga and other celebrities, the money-exchange chain Travelex, and the American fashion brand Kenneth Cole. REvil shook the tech world when in April 2021 it published blueprints for Apple products, including an unreleased MacBook; the group said it had stolen the documents from the laptop manufacturer Quanta Computer, a key Apple supplier.

Chicago data privacy attorney Michael Waters represented a plastic surgery group whose data was stolen in a double-extortion attack, including before-and-after photos of patients who had undergone breast augmentation surgery. The hackers contacted those patients by email and included personal photos in their messages. “They threatened to post them online unless payment was made,” Waters said.

In addition to giving them leverage in negotiations, the shift to data breaches also emboldened gangs to become more creative in canvassing for targets. REvil breached insurance companies, intending to search for lists of their cyber policyholders. Knowing that such policies often covered ransom payments, REvil then targeted the companies they found. “Yes, this is one of the tastiest morsels,” said Unknown, the handle used by REvil’s public representative on underground forums. “Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

In another innovation, Maze formed what Ransomware Hunting Team member Lawrence Abrams dubbed a “cartel,” banding together with other gangs to share a common data leak site. Maze told Lawrence in June 2020 that consolidating resources would lead to “mutual beneficial outcome, for both actor groups and companies . . . Organizational questions is behind every successful business.”

That December, Lawrence wrote an article for his influential website, BleepingComputer, that addressed the question of how victims could be sure their stolen data would be deleted after paying a ransom. The answer, he learned, was that they couldn’t. REvil had re-extorted victims with threats to post data weeks after they paid for the files to be deleted. A handful of other groups had posted data from companies that had paid. Even Maze, despite assurances that victims could trust its word, had mistakenly posted a target’s data on its leak site. Lawrence told readers to expect the worst.

“There is no way for a victim to know for sure if a ransomware operation is deleting stolen data after a ransom payment is made,” Lawrence wrote. “Companies should automatically assume that their data has been shared among multiple threat actors and that it will be used or leaked in some manner in the future, regardless of whether they paid.”

By early 2021, alarmed by ransomware’s higher profile and the gangs’ increasingly harsh tactics, some smaller players were having second thoughts. One of these players was a hacker who went by the Russian version of the name Adrian on the messaging platform Telegram.

Adrian preferred to use a Russian name because his father was Russian and he wanted to sound intimidating. “The most dangerous hackers are from Russia,” he said. But he was actually living in a Middle Eastern country where computer hacking was also common.

He grew up loving computers and playing video games like Counter-Strike: Global Offensive and Fall Guys. He graduated from high school but didn’t go to college and never held a real job. He said he didn’t leave the house often because “all of my world is related to computers.” His interest in tech led him to join hacking channels on Telegram. From there, he entered the world of cybercrime, brute-forcing his way into servers secured with weak passwords.

In 2020, Adrian pivoted to ransomware because he otherwise “couldn’t make money easily.” Like many of his adversaries on the Ransomware Hunting Team, he taught himself cryptography, learning from books and videos online. He then developed his own ransomware strain, which he based on Phobos. He called it Ziggy after an iridescent snake discovered in Laos in 2016; the snake itself was named Ziggy Stardust in honour of late singer David Bowie’s alter ego.

Although Ziggy’s attacks helped him buy food and a new computer, Adrian said he was motivated more by politics than by money. He targeted users in the United States and Israel but demanded only a $US200 ($278) ransom, an absurdly small amount compared to the seven- and eight-figure demands other groups were making. He split the proceeds with an affiliate who found the victims. Ziggy’s code specified an unusual “whitelist” of locations where the ransomware would automatically shut off rather than encrypt the target: Iran, Syria, Lebanon, and Palestine.

After about a year, during which he netted about $US3,000 ($4,165) from victims, Adrian began feeling guilty and fearful. Law enforcement globally and in the United States had just disrupted a major ransomware-spreading botnet as well as the Netwalker strain. Another smaller ransomware developer, who was Adrian’s mentor, had recently abandoned his own strain, called Fonix. Corresponding over Telegram, Fonix’s creator told Adrian he was sad that he had hurt people. Adrian said he reflected on those words and prayed for guidance. He worried about what his parents and friends would think if they found out what he had done.

Adrian decided he wanted out. He contacted the Ransomware Hunting Team and turned over keys it could use to help victims of Ziggy recover their files. The next month, BleepingComputer reported that Ziggy was offering refunds to victims who’d paid a ransom. “They plan to switch sides and become a ransomware hunter after returning the money,” the article said.

Lighter after his atonement, Adrian still worried about law enforcement coming for him. “I don’t like to see people unhappy,” he said. “It feels very bad. In our religion hurting people it is something named HARAM . . . But now i gave up. Am i criminal now?”

If anyone from the big ransomware gangs was feeling remorse, Fabian saw no evidence of it. Still, he wanted to make sure the Ransomware Hunting Team could capitalise on any second thoughts. In an unusual overture, Fabian opened a virtual confessional where hackers could come clean about their sins and repent by anonymously sending him decryption keys. Practically speaking, the confessional was an account on a messaging service favoured by cybercriminals. In July 2021, he tweeted the details to his more than ten thousand Twitter followers.

“I have created an XMPP account to make it easier for people to anonymously send me key dumps,” he tweeted. “So if you want to off-load your key database when you shut down your operation, feel free to contact me at fabian.wosar@anonym.im – no questions asked.”

Sceptics emerged immediately. “Enjoy the spam,” one follower replied. “It will be rough.”

“Nothing so far,” Fabian responded the next day. “I am actually questioning if it is working.”

Another called him an “absolute madlad,” slang for insane. “Really asked people to bombard him with spam,” the follower wrote.

Undeterred, Fabian replied: “Whatever it takes to get some ransomware victims their data back.”

Like a bored priest waiting on his side of the privacy screen, Fabian stood by patiently and hopefully for penitents to come forward. Sure enough, over the course of the first month, they began to trickle in. These sinners, however, didn’t want absolution; they wanted revenge.

Most of Fabian’s correspondents were hackers who claimed they were scammed out of money or otherwise wronged by their partners in crime. Others contacted him with information that could doom competitors. They provided Fabian with details of breaches and impending attacks, and they turned over decryption keys for those that had already taken place. The communication benefited both parties: Fabian helped targets prevent or recover from attacks, while the hackers sabotaged their foes — with low risk of being fingered.

In late August, a hacker connected to the ransomware group El_Cometa reached out to Fabian. Previously known as SynAck, which had been attacking victims since 2017, El_Cometa emerged in August 2021. Bitter infighting ensued, and the hacker, who identified vulnerable targets, felt cheated out of money by one of the group’s partners. To settle the score, the hacker decided to undermine the whole operation. The hacker gave Fabian decryption keys for El_Cometa’s victims as well as log-in details for the cloud storage where their stolen data was kept.

In addition, the hacker gave Fabian details about targets whose systems had been compromised but not yet encrypted and proof of “backdoors” — secret entrance points left behind by intruders that allow for future access — placed in those networks to ensure continued access. These victims of impending attacks included the North Carolina–based turkey company Butterball.

The correspondent showed Fabian a detailed map of one of Butterball’s networks and a screenshot of domain admin credentials that included comically easy passwords like Butterball1 and G0bb1er. Working through the night, Fabian tried unsuccessfully to reach Butterball to warn them about what he’d learned. Around 1:00 a.m. London time, obsessed and frustrated, he vented on Twitter.
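Passwords like Butterball1 and G0bb1er are the company’s own name and mascot with a digit bolted on, exactly the pattern a password audit should catch before an intruder does. Below is an added example, not code from the book or from Butterball: a check that undoes common leetspeak substitutions and strips the trailing counter, then asks whether what remains is built from an organisation-specific word list. The term list is constructed for the example from words in the text; in practice it would be assembled from the company name, brands, products and local references, and the check would run over plaintexts recovered in an authorised password audit, never over live credentials harvested the way the El_Cometa insider did.

```python
import itertools
import re

# Characters people (and crackers' rule sets) commonly swap for letters,
# mapped to every letter each one might stand for. '1' is ambiguous.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
}
MAX_EXPANSIONS = 256  # bound the product below for passwords full of digits

# Constructed for this example from words in the text above; a real audit
# builds this list from the company's name, brands, products and locale.
ORG_TERMS = ["Butterball", "gobbler", "turkey"]


def core_of(pw):
    """Lower-case a password and strip the decoration users add to satisfy
    complexity rules: trailing digits/punctuation ('Butterball1' -> 'butterball')
    and leading punctuation ('!Gobbler' -> 'gobbler')."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return re.sub(r"^[^a-z0-9]+", "", core)


def candidates(pw):
    """Yield plain-letter readings of a password, replacing each leet
    character by every letter it might stand for ('g0bb1er' -> 'gobbler',
    'gobbier', ...), keeping the literal character as one option too."""
    options = [ch + LEET.get(ch, "") for ch in core_of(pw)]
    for combo in itertools.islice(itertools.product(*options), MAX_EXPANSIONS):
        yield "".join(combo)


def org_password_findings(pw, org_terms=ORG_TERMS):
    """Return the organisation terms (length >= 4) a password is built from,
    sorted; an empty list means the password passed this check."""
    terms = {t.lower() for t in org_terms if len(t) >= 4}
    hits = set()
    for cand in candidates(pw):
        hits.update(t for t in terms if t in cand)
    return sorted(hits)


def audit(passwords, org_terms=ORG_TERMS):
    """Map each failing password to the org terms it contains."""
    report = {}
    for pw in passwords:
        hits = org_password_findings(pw, org_terms)
        if hits:
            report[pw] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: the two passwords from the text plus one that passes.
    for pw, hits in audit(["Butterball1", "G0bb1er", "correct-horse-battery"]).items():
        print(f"{pw}: built from {', '.join(hits)}")
```

The point of expanding the ambiguous substitutions rather than applying a fixed mapping is G0bb1er itself: reading the 1 as i gives gobbier, which a naive normaliser would wave through. A length floor on the terms keeps short words from matching everything, and the expansion cap keeps a digit-heavy password from blowing up the search.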

“I hate it when you know a company is about to be hit by ransomware but you can’t get anyone there to listen to you or answer a call,” he wrote, without naming Butterball or how he knew it was on the brink of disaster. “We know their security already failed them. Ransomware deployment is imminent. 1B+ US company.”

Two days later, Fabian updated his followers. “We managed to reach the company and handed over the information we had to them,” he wrote. “They were already in the process of taking appropriate actions, which is excellent news and kudos to their IT staff for catching on to the intrusion independently.”

Butterball later notified “individuals whose personal information may have been accessed” that someone had hacked into its network and tried to upload files to a cloud server; the company said it detected the “suspicious activity” within an hour, halted the upload, and deleted the transferred files.

After sharing the breach details with Butterball, Fabian felt satisfied. The Ransomware Hunting Team had now contacted every victim named by the El_Cometa hacker.

“We managed to reach all of these victims and potential victims,” Fabian wrote on Twitter. “We provided free decryption tools to the victims where the ransomware was already deployed and handed over all information dumps we obtained to their IT teams and [law enforcement agencies]. It’s been a good week after all.”

In the months that followed, new hackers messaged Fabian every few weeks. True to the role of confessor, Fabian cast no judgment. Granting hackers the space to open up about their transgressions without shame would, he believed, help them feel comfortable spilling their secrets. He also learned that the most efficient way to extract information was to make it clear that he was prepared to do the hackers’ dirty work — letting them think “that they’re taking advantage of me instead of the other way around,” he said.

Now that Fabian was in regular contact with his adversaries again, he saw up close how the landscape had changed. He was dealing with hackers inside large gangs rather than with small, stand-alone operators. He understood that affiliates had no allegiance to their groups and vice versa. Money, and nothing else, established loyalty among his correspondents.

Yet some things, like a shared fascination with cryptography, hadn’t changed at all. Sometimes, even as they sought revenge on their enemies, the hackers took a few moments to fish for Fabian’s approval of their handiwork or to worship at his ransomware altar. Those messages reminded him of the banter he’d exchanged years earlier with Apocalypse, whose developer had called him “a god.”

“People who create ransomware have a certain appreciation for the skills and knowledge to do what we on the Hunting Team do,” Fabian said. “Coming to me, this is their way of showing respect.”

This article originally appeared in The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime, by Renee Dudley and Daniel Golden, published by Farrar, Straus and Giroux on Oct. 25, 2022.