Ransomware Developer Asks Security Researcher for Help in Fixing Broken Crypto

Fabian Wosar, Emsisoft security researcher, is facing a moral dilemma like very few security researchers have faced before.

Wosar, who is also a user of the Bleeping Computer forums where he's been active for the past few years helping ransomware victims, has received a private message from a user that has identified himself as one of the people who coded the Apocalypse ransomware.

During their exchange, the ransomware coder has asked Wosar to help their crew fix a bug in the ransomware's encryption process that causes files to be overwritten with junk data.

Crook tries to secure Wosar's help, for the victims' sake

In order to secure Wosar's help, the ransomware coder has appealed to the researcher's dedication to helping ransomware victims. The crook says that if Wosar helps, they'll be able to provide a ransomware variant that doesn't destroy users' files.

The ransomware author was very candid with Wosar in his request. He said that even if Wosar helps or not, money is more important to them, and they'll continue to spread their ransomware as they have been doing for the past six months.

The only ones that will have something to gain are the ransomware victims, who, if they decide to pay, will regain access to their files. The request, in full, is below:

Once you have written that you feel sorry for the ransomware victims... You can help them. As you know, now we use CryptoApi, and if encryption function fails - we just fil file with garbage.

As a result, after the decryption some victims crying to us... we try to keep an honest business, but money is more important to us, so some of the victims lose some of their files.

How you can help them? I know you are the best in cryptography, so we can send you the encryption and decryption code, and you should point us where is a bug, we will fix it and no more fake encryptions with garbage instead of the file content.

Indeed, a real moral dilemma. For now, Wosar hasn't decided if he'll help or not. There are arguments that for helping victims, but there's also the issue that he'll be aiding a criminal endeavor.

Infosec professionals tell Wosar not to help

Various security researchers and infosec professionals have expressed their opinions on Twitter. Most told Wosar not to help.

The Apocalypse developers are the same guys that temporarily renamed their ransomware as Fabiansomware in an attempt to make victims think that Wosar was behind the ransomware.

They did this because Wosar has broken several versions of their ransomware and has put out free decrypters that allowed victims to recover files for free.

In the past, the same Apocalypse devs have resorted to insults and calling Wosar different names via the strings and comments left in the ransomware's source code.

The Stampado and Radamant ransomware developers have also insulted Wosar in the same way after the researcher cracked their ransomware versions and put out free decrypters.

Current versions of the Apocalypse ransomware don't use the Fabiansomware name anymore and are called Esmeralda and Kangaroo.

So a ransomware author contacted me today asking for help with their ransomware. They hit a bug in CryptoAPI in their encryption routine ...

— Fabian Wosar (@fwosar) November 16, 2016