Michael Gillespie of Emsisoft and Coveware on How Slaying Ransomware Works

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Michael Gillespie is the researcher that people and companies turn to when their files are locked by ransomware. He has managed to unlock countless malicious strains so far, and he keeps on fighting the "dark side" of cryptography by looking deeply into how ransomware works and finding flaws in them. Through Emsisoft and Coveware, M. Gillespie is offering decryption tools for free, undermining the "bad guys" money-making business and saving people's files. He is also the creator of "ID Ransomware," an online tool that helps victims identify what type of ransomware hit them.

We approached Michael during a very busy time, and he was kind enough to give us a short interview, so here we go.

TechNadu: Can you give us the "short version" of what drew you in ransomware forensics and how you ended up being the "Demon Slayer"?

I've always found cryptography fascinating. When I got exposed to a real case of breaking ransomware (TeslaCrypt thanks to BloodDolly and Googulator), it got me hooked. As for "demonslay335", that's just been my online alias since I was a kid (specifically for online games and graphic design forums), so I've kept with it.

TechNadu: What are the most common flaws that you find in ransomware strains, that enable people like you to finally "unlock" them?

Probably how the key is generated or secured. But I've just about seen it all by now. I can't give away too many secrets on how we break them. 😉

TechNadu: What would be the proudest moment of your ransomware-fighting career so far?

A few things I'm not allowed to discuss publicly. 😉

TechNadu: Why do you release your decryptors at Emsisoft for free? Is all this hard work done merely to highlight that the white-hat side of hacking is brighter, more ethical, and even above financial gains?

That's a very interesting way of putting it, but yes, that could be part of it. I just have a strong drive for breaking the bad guy's code and find it fun.

TechNadu: RaaS (Ransomware as a Service) remained a big thing last year with the launch of Revil/Sodinokibi. What can you predict for this field in 2020?

Just more of the same thing, really. The actors are always doing more for integrating new "tools" into their ransomwares to make their "job" more efficient.

TechNadu: The source code of Dharma/Crysis, a ransomware strain that had seemingly no path to reverse engineering, became available for purchase recently. Are we closer to breaking it now, or are we expecting greater troubles?

With the sale of the Dharma source code to more "available markets" lately, this certainly lowers the bar for new threat actors to jump on the bandwagon.

TechNadu: The recent incidents show that the actors have turned to a very profitable combination of data stealing and encryption. What's your take on this, and do you see a dangerous trend forming?

This trend has been long in the making and was only the next logical step in the extortion process, quite honestly. The fact of the matter is that organizations were simply not taking it as seriously before.

TechNadu: What is the situation with ransomware infections during the ongoing Coronavirus outbreak? We've seen some malicious actors looking to grasp the opportunity, while others stated that they would stay away from healthcare centers. What activity do you see right now?

I don't believe the overall volume of ransomware infections has really been affected, I still see about the same number of victims submitting to ID Ransomware and contacting me on various platforms.

TechNadu: There's an ever-growing number of universities, municipalities, counties, organizations, and companies falling victims to catastrophic ransomware lock-downs. After all these years of experience, what would you suggest as the best method to protect systems from ransomware infections? Also, what steps of response should be taken in the case that things go wrong?

Backups, backups, backups. Having a proper backup strategy (3-2-1 method), and the actual procedures in place to quickly restore, are paramount to recovery. At this point, businesses should not just be prepared for "if", but "when" they are hit.

TechNadu: In general, would you say that firms, countries, and agencies are spending enough of their budget in cybersecurity and ransomware defense in particular? If more funds were invested into the fight against ransomware, would it make a notable difference?

From what I see, a majority of ransomware-struck businesses commonly have glaring holes in their security that very obviously point to their lack of IT budgeting. It's always a case of the lowest hanging fruit. And from my experience in working with small-medium businesses for general IT, cybersecurity very commonly is an after-thought versus productivity.

TechNadu: Quantum computing is "on the doorstep," so what can be expected in terms of breaking the current forms of encryption, and how is the world of ransomware going to change? 

Quantum computing will eventually break asymmetric algorithms such as RSA, and some forms of elliptical curve algorithms, but most symmetric algorithms (such as AES-256) are still very resilient. For example, quantum computing might lower the security of AES-256 to that of AES-128, but that's still not feasible to brute-force unless a separate weakness is discovered in the algorithm. Ransomware would still be a threat for the most part; they may have to swap out some of the asymmetric algorithms, but it would be very minimal work. The good news might be we could decrypt many previous ransomwares, but we're talking nearly 25-30 years in the future (when it's projected that such a quantum computer running Shor's algorithm would be feasible), when a majority of that data may not be applicable anymore.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: