Ransomware Hero to Receive FBI Award

The US Federal Bureau of Investigation (FBI) announced on Tuesday that it would be awarding the FBI Director’s Community Leadership Award to Michael Gillespie for his efforts in combating ransomware and helping users who fell victims to this threat.

Gillespie is a member of the infosec community, known as the author of various ransomware decrypters, and the creator of ID Ransomware, RansomNoteCleaner, and CryptoSearch.

Michael has been helping ransomware victims for years

Michael is also known to most Bleeping Computer readers as Demonslay335, the username he uses on our forums, where for the past years he's been providing free support to ransomware victims.

The FBI now wishes to acknowledge Michael's efforts during the past few years, both for the decrypters he created, the tools he built to help in identifying and cleaning ransomware infections, and the free support he's been providing on our forums and his personal Twitter profile.

Lawrence Abrams, the owner of Bleeping Computer, first got to know Michael when he started volunteering his time by assisting TeslaCrypt victims factor their private keys in order to decrypt their files for free. Since then Michael has created several tools, with probably the most well-known being ID Ransomware.

ID Ransomware is an online portal that allows victims to identify what ransomware they are infected with by uploading ransom notes or encrypted files. ID Ransomware will analyze the uploaded files and tell the victim what strain of ransomware has infected his computer, and attempt to provide file recovery and clean-up information, where available.

Another tool Michael created is RansomNoteCleaner, a Windows app that searches and removes ransom notes left behind after a ransomware infection. This tool was created to help with ransomware strains that create ransom notes in every folder they encrypt files, sometimes leaving behind thousands of ransom notes on a single computer.

Michael also created CryptoSearch, a Windows tool that finds files encrypted by a particular ransomware, and allows the user to move them to a central location so they could be backed up until a free decryption method becomes available.

FBI & security researchers are users of Michael's tools

Bleeping Computer has been told that both FBI agents and security researchers investigating ransomware incidents are big fans of Michael's creations, which many consider go-to tools in incident response operations.

Michael will receive the FBI Director’s Community Leadership Award for 2017 during an official ceremony held at FBI Headquarters in Washington, in April of 2018.

The award was created in 1990 as a way to honor individuals and organizations for their efforts in combating terrorism, cybercrime, illegal drugs, gangs, and other crimes leading to violence in the US. Michael is one of 56 individuals or organizations who will receive the award this year.

With this occasion, Bleeping Computer took the opportunity to sit down with Michael and find out more about what drives him.

BC: Tell us about the first ransomware case you encountered and what drove you to help victims for free?

MG: That's honestly a hard one to remember by now, the first one ever. I do remember becoming mostly involved with ransomware when TeslaCrypt was first very active in 2015, and learning how to break its encryption using the tools and methods developed/discovered by BloodDolly and Googulator. Honestly, it's just fun learning the behind-the-scenes math of how crypto works. It's something that always fascinated me. But cracking keys and finding the most efficient way with the math (in TeslaCrypt's case, factoring weak primes and learning how the number sieve works) just turned out to be an actual real-world application of doing something good with it. And thus began my (on-going) journey into learning cryptography and reverse engineering.

BC: Is there any specific ransomware incident you're proud in helping take down or limit its damage?

MG: There's one that's a bit of a trophy in our group, but we're not allowed to publicly discuss it at this point; let's just say someone did get caught. ;) Other from that, each time we are able to break a new ransomware, it's always a proud moment. Especially when sometimes the criminals think they fix it in a new release, and we just break it again. :P To name one personally perhaps, I felt super excited when I broke the first version of Vortex and was able to help the Polish CERT decrypt several cases; their own analysts had given up on it. :)

BC: Tell our users how does your typical ransomware-fighting day look like?

MG: Usually, I start out by checking our feeds, such as possibly interesting samples uploaded to VirusTotal or ID Ransomware. If anything piques my interest, I may investigate it further, or publish it on Twitter. Examples would be a new extension for a known ransomware, or possibly something entirely new looking from a submission to ID Ransomware; in these cases I tweet out a "Ransomware Hunt" to ask the community if they know any more information.

Sometimes I get responses either from victims who I can talk to to try getting more information from, or, if I'm lucky, another analyst in the community replies with an actual malware sample they spotted. This is how a lot of new ransomware are sometimes discovered, as victims will find my tweet because it is literally the only legitimate result on Google at the time about it. After I've covered these, I then check social media, forums, and email for anyone who has reached out to me for help, or may be giving me new information even.

If I find a particularly interesting ransomware sample, I might start doing some analysis on it to see if it looks like something I could break - or even if not, if I can confirm whether it is truly secure just so we know. Many times it's something above my skill set and I have to pass it along to the group to see if anyone else can take a look.

BC: Any thoughts on how the ransomware landscape evolved in the past year? Do you see this trend going away? Are there any signs ransomware activity is going down?

MG: We see a lot of in-development garbage that still proves everyone is trying to get their hand in the market. That hasn't stopped. The past year has definitely had its surprises with new "features" and ways of combining malware. There's always something new, I don't think we've quite hit that plateau yet - I won't give the malware authors any of the ideas we've had. ;)

BC: Who are some of the other people who you think would deserve a similar recognition for their efforts in combating ransomware?

MG: Definitely everyone in our Ransomware Hunting group. A few members include @LawrenceAbrams, @fwosar, @PolarToffee, @malwrhunterteam, @DanielGallagher, @struppigel, and a few others. There are so many others in the community who help behind the scenes as well outside of our team.

BC: Any particular thoughts you want to relay to the ransomware authors reading this article?

MG: Stop and think about what you are doing with your life, and how much grief you are giving people by causing so much damage. I recommend therapy and soul-searching.