social network

Contrary to risks and threats: the story of an anonymous programmer who devoted his life to combating extortion viruses

All his free time German Fabian pays war against Internet attackers. And making dangerous enemies.

WannaCry ransomware notification on the Korean cybersecurity unit’s computer AFP Photo

In the spring and summer of 2017, hundreds of institutions around the world, including Russian and Ukrainian, were infected with the WannaCry and NotPetya viruses. These programs have blocked the work of thousands of computers, demanding to transfer the ransom in the cryptocurrency for unlocking. The endless amount of computer data was under threat, and more than 500 thousand devices suffered from the actions of viruses in total .

The joint efforts of activists from different countries with WannyCry and NotPetya have mastered, but less well-known extortionists continue to successfully attack private, corporate and municipal computers. Among those who oppose them is Fabian, a native of eastern Germany. In an attempt to help people return data for free, he spends most of his life at the computer, and threats have forced him to leave his homeland and move to the UK. The history of the programmer told the edition of the BBC.

Lonely life in four walls

“Your files are encrypted” – it’s hard to find a person who hasn’t encountered a similar notification at least once. The virus blocks access to the infected device, scaring the victim by saying that if she does not pay the ransom, all data on the computer will be erased.

The cost of unlocking was assigned by attackers – in Russia, it averaged 400 to 2,000 rubles, but when computers around the world paralyzed WannaCry, for all countries there was a fixed price – $ 300 in bitcoins. Fabian is engaged in the fight against such viruses and earned notoriety among the authors of extortionists programs.

In early 2018, the German found this a convincing confirmation – while digging into the code of the next virus, he discovered that someone had inserted his name into the source code.

“I won’t lie, it was impressive. Obviously, the coder is very angry. He spent the time writing this message, knowing that I would see it for sure [in the code], and that means I really got them, ”said Fabian Bi-bi-si.

He receives such dumb appeals more or less regularly, and often they cannot do without a mate, threats or insults of Fabian’s mother. One day, someone called a coder’s file in honor of a man – as the programmer believes, in order to pass it off as the author of the program.

Once, an attacker addressed a German through a code, asking him not to crack his encryptor. Otherwise, the author promised to get hooked on heroin. Fabian did not attach any importance to this, still hacking the program, but taking a screenshot of the appeal. So he does with all the threat messages, storing them in a very weighty folder on the computer. But if in the digital world, Fabian has earned a reputation as a fighter against intruders, then in real life, he keeps a low profile.

A BBC reporter described Fabian as a young, plump man who spends 98% of his life at home. The German lives on the outskirts of London, and at the entrance to his home, the absence of decorative furniture is immediately apparent. Frames for photos, paintings, lamps or plants – Fabian does not have all this. His bookshelves are empty except for the Nintendo collection of video games and a few coding guides. Among the few things a programmer has, there is also a board game about hackers – Fabian said that he is very good at it, although so far he has only played alone.

Notification of the need to shut down your computer due WannaCry attack on the office computer, in May 2017 Photo of the community “Typical Messenger” in “VKontakte”

For some reason, the programmer chose the smallest room as his working office, closing the windows with curtains. The courier brings food to him, so he rarely leaves home. “I’m one of those people who don’t go outside if it’s not necessary,” the man said. He is listed as an employee of cybersecurity company Emsisoft, the work in which provides him with earnings.

Fabian’s anti-ransomware programs are distributed free of charge with the permission of their employer. To restore the victim’s files, download the decoder and follow the instructions, then get back access to the device. In part, it was the ease of use of the decoder programs that led Fabian to dislike the combined groups of intruders.

The German compares programming with writing, explaining that the author of the code can always be distinguished by his writing style. Thus, he notices how many times he encounters one or another group. There is another way to track the activity of intruders. Just look at the addresses of Bitcoin wallets to which they ask to transfer the ransom in order to understand whether this gang is new or not.

According to the cyber-specialist, once he “strongly got” a group of intruders, who in three months earned about 250 thousand dollars on the virus, but then Fabian intervened and released a decoder. “We never know for sure who contacted, but, in my opinion, over the past few years I have upset or expelled at least 100 different cyber-groups,” says the man.

“Arms race”

Ransomware viruses are one of the most convenient tools for Internet intruders. Having obtained control over the victim’s data, they do not need to search for the buyer of the information and bargain with him about the price. Instead, they return data to a person for a fixed amount, without worrying about their safety. The irretrievable loss of data is an impressive lever of pressure, and many people accept the conditions of intruders.

Individuals do not want to lose memorable photographs, the management of large firms fear for corporate data and do not want to disappoint shareholders, and the authorities estimate that it will be cheaper for attackers to replace equipment at the expense of taxpayers. In March 2019, the leadership of Jackson County in the state of Georgia, after blocking a number of computers with the extortionist virus, paid the attackers $ 400,000 in ransom.

The authorities did not see any other way out – the program paralyzed all municipal devices down to the sheriff’s computer, where he kept statistics on crimes. Officials explained that restoring the system from scratch (they probably did not have a backup) would cost the district much more.

After the payment, unknown persons sent a key-decoder, which returned access to the system. Presumably, the authors of the virus were a hacker group from Eastern Europe or Russia.

Capturing such groupings is a complex and multi-level task that the police are not always ready to deal with. In December 2017, five people were arrested in Romania on suspicion of distributing cipher viruses CTB-Locker and Cerber. But their search ended in success only due to the joint work of the FBI and the National Criminal Agency of Great Britain, as well as Romanian and Dutch investigators.

For such a well-coordinated work requires a lot of resources that the authorities are not always ready to allocate. As a result, encryption viruses continue to terrorize the Internet. According to the company Emsisoft, in which Fabian works, programs of this type attack new devices every two seconds.

In two months of 2019, the company has prevented millions of infections, and there are much more similar organizations in the world. But not enough to completely protect people. Nor could these firms predict the blows of WannaCry and NotPetya. The cyber attack of the latter is considered one of the most destructive in history – the total amount of damage from it exceeded 10 billion dollars. This assessment is due to the fact that even in the case of a ransom payment, NotPetya intentionally erased all data.

ATM during cyber attack NotPetya, July 2017. Photo by Reuters

Most of the actions of the attackers went to the Danish company Maersk, specializing in freight transport. Almost all the work of the company was paralyzed, and it was partially restored only 10 days later. Supposedly, the distributors of NotPetya acted for political reasons in order to harm Ukraine, but there is no official version of the possible customers of the attack.

“This is quite an arms race. They release a virus-extortionist, I find the vulnerability and on the basis of it write a program-decoder so that people restore their data, ”says Fabian. Sometimes such battles were delayed for months: the attackers distributed a new version of the virus, and the programmer again found a hole in the code. According to Fabian, unknown people sometimes find the problem in the program and fix it, but often the virus authors do not see the loophole that the German uses.

Such a race has consequences – often in the heat of confrontation, the programmer forgets about the simplest things like eating food and water, as well as caring for himself. Among his piled table are two boxes of pills, which he takes daily because of health problems.

“I am overweight and have problems with blood pressure, so I use medications. In addition, I suffer from hyperthyroidism (a syndrome that causes an increase in hormone levels – ) , ”says Fabian. The programmer agrees that the cause of his physical condition is in work and lifestyle, therefore he is thinking of having a puppy. With him, he will at least go out to walk. In addition, he sometimes lacks company.

The man carefully maintains his anonymity, but somehow the attackers still learned about his overweight. And lucidly told him about it.

In one of the messages for the programmer, hidden in the virus code, it was said: “Fabian, stop cooking cheeseburgers, fat man.”

The man repeatedly faced insults, but he could not but pay attention to it. The message itself did not hurt him, but it showed that the attackers knew something about Fabian. Up to this point, even his boss and colleagues did not know exactly where he lived in eastern Germany, but his “enemies” still managed to discover the details of his life.

Fabian was frightened. In an attempt to find the source of the leak, he thoroughly examined his profiles in social networks and forums, checking whether he ever left pictures of himself. So from stumbled upon his old tweet, where he mentioned the ketogenic diet (low-carb diet with a high fat content and moderate protein content – ) .

After that, the programmer deleted his date of birth from everywhere and tried to minimize information about himself on the Internet. Then he decided to leave Germany, where, according to him, it is easy to locate a person with a minimum of information at hand.

It was very scary. I don’t think they would kill me, but these guys are very dangerous. I know how much money they make, and it would not cost them 10-20 thousand to some Russian dude to come to my house and beat the whole spirit out of me. I moved to the UK as soon as possible. Here you can hide, maintain anonymity.Fabianprogrammer, specialist in ransomware viruses

Fulfilling a childhood dream

None of Fabian’s colleagues still do not know where he lives in the UK. He agreed to talk to the BBC reporter only because he would soon leave his current home and move to another place. As the man acknowledged, frequent travel, life restrictions and a narrow circle of friends are part of the sacrifice he made for his craft. In the end, he sought his whole life.

Born in a poor family in the former GDR, he first saw a computer at seven years old with his father at work. Impressions of the device seized the boy, so the next three years he saved money on his own computer, collecting and selling recyclable bottles and cans on the street.

Some time passed after a ten-year-old boy bought a computer, when the device was attacked by the now little-known TEQUILA-B virus. But instead of despairing, Fabian admired how the program disrupted the computer’s performance. He went to the library and read several books about computer viruses, after which he wrote his first antivirus program.

By the age of 14, among friends and acquaintances, he had earned the fame of “the guy who understands computers,” helping less experienced peers and seniors. Including thanks to this part-time work, the family saved up money for moving to a more prosperous district. Four years later, the young man was taken to the cybersecurity company Emsisoft, where over the years he has earned a reputation as the best specialist in ransomware viruses.

Fabian probably could become famous by attending public lectures and publishing books on the subject of his craft. But instead he preferred a quiet life in the shadows. He describes his salary as “very good,” but, since he almost never leaves the house, he has nowhere to spend money.

I spend almost nothing, no. I like to play online board games, but it’s not worth the big bucks. Most of the money I send to my sister, who brings up a small daughter. I am pleased to know that she has everything she needs.Fabianprogrammer, specialist in ransomware viruses

Back to top button