Chicago Sun-Times

The story of central Illinois’ ransomware superhero

From central Illinois, 27-year-old cancer survivor provides decryption help to web victims worldwide, typically for free, much of it in his spare time

BY RENEE DUDLEY

This story is published in partnership with ProPublica.

About 10 years ago, Michael Gillespie and several classmates at Pekin Community High School in central Illinois were clicking on links on the school’s website when they discovered a weakness that exposed sensitive information such as students’ Social Security numbers. They quickly alerted their computer repair and networking teacher, Eric McCann.

“It was a vulnerability that nobody even knew about,” McCann said. “They did a quick search on passwords and student accounts, and lo and behold, that file is sitting out there.”

A shy, skinny teenager whose hand-me-down clothes didn’t fit him, and who was often ridiculed by schoolmates, Gillespie was already working after school as a computer technician. “He was full of information all the time,” McCann said. “We’d bounce ideas off each other. You could tell his passion for technology, for computers, for figuring out things. That definitely made him stand out.”

Without crediting the students, school administrators closed the breach and changed everyone’s passwords. Gillespie’s anonymous protection of the school’s cyberdefenses was a harbinger of his future. Like a real-life version of Clark Kent or Peter Parker, the self-effacing Gillespie morphs in his spare time into a crime-foiling superhero. A cancer survivor who works at a Nerds on Call computer repair shop and has been overwhelmed by debt — he and his wife had a car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie has become, with little fanfare or reward, one of the world’s leading conquerors of an especially common and virulent cybercrime: ransomware. Asked what motivates him, he replied, “I guess it’s just the affinity for challenge and feeling like I am contributing to beating the bad guys.”

Each year, millions of ransomware attacks paralyze computer systems of individuals, businesses, hospitals and medical offices, government agencies, and police departments. Often, files cannot be decrypted without paying a ransom, and victims who haven’t saved backup copies and want to retrieve the information have little choice but to pony up. But those who have recovered their data without enriching criminals frequently owe their escapes to Gillespie. Mostly by himself but sometimes collaborating with other ransomware hunters, Gillespie has cracked more than 100 of the almost 800 known types of ransomware. Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

“Every time a new ransomware comes out, he checks it out,” said Lawrence Abrams, founder of a ransomware assistance site called BleepingComputer.com. “‘Can it be decrypted? Yes, it can be decrypted. OK, I’ll make the decryptor.’ And it’s just nonstop. He just keeps pumping them out.”

Gillespie’s tools are available on BleepingComputer.com, and they can be accessed through his own site, called ID Ransomware. There, victims submit about 2,000 ransomware-stricken files every day to find out which strain has hit them and to obtain an antidote, if one exists.

As hackers and their corporate enablers, including cyber insurance providers and data recovery firms whose business models are based on paying ransoms, profit directly or indirectly from cybercrime, one of ransomware’s greatest foes lives paycheck to paycheck. Under his internet alias, demonslay335, Gillespie tackles ransomware either in his downtime at Nerds on Call or at night in the two-story bungalow he shares with his wife, Morgan, and their dog, rabbit and eight cats. Surrounded by pets, he lies on his living room couch, decoding ransomware on his laptop and corresponding with desperate victims.

Many of his friends, relatives and colleagues don’t know the extent of his war on ransomware. “They do not have a clue because of Michael’s modesty,” said his wife’s grandmother, Rita Blanch. “I barely know.”

McCann wasn’t aware of it either. “It kind of gives me goosebumps,” the teacher said. “He’s sitting here doing all this for free. That’s incredible.”

Gillespie’s love of computers and electronics started early. His paternal grandmother, a video gamer, introduced him to online role-playing games such as RuneScape. He played Donkey Kong Country on a used Super Nintendo that his uncle gave him.

Gillespie’s maternal grandfather was a police lieutenant in Florida. Reinforcing the importance of protecting the public, his parents went out of their way on family trips to pass through Metropolis, Illinois, which proclaims itself to be Superman’s hometown.

Struggling financially, his family sometimes had to move in with friends or relatives. When he was in high school, his parents filed for bankruptcy.

At Pekin High, he helped protect not only the website but also his classmates’ belongings. One day, noticing that other students were pre-setting codes to the combination locks on their lockers for convenience, he pulled down on every lock in his aisle. About a quarter of the lockers opened. He left a Post-it note in each one, admonishing the user to be more careful.

When he graduated in 2010, Gillespie was named an Illinois State Scholar, based on his standardized test scores and class rank. Instead of going to college, he began working full time at the Nerds on Call in Normal. Even with financial aid, he said, college would have been too expensive, and he already had everything he wanted. “I got a job, got a car, got a girlfriend. Boom. Life together,” he said.

He and his high school sweetheart, Morgan Blanch, married in October 2012. They honeymooned in Peoria. The next year, with a Federal Housing Administration loan, they bought a $116,000 bungalow in Bloomington. There they could hear Amtrak’s Lincoln Service roar by on its way to Chicago.

At Nerds on Call, Gillespie was known as the Swiss Army Knife for his versatility. So when a client was hit by TeslaCrypt ransomware in 2015, Gillespie was assigned to recover the files.

Gillespie embraced the task. It was an opportunity to hone his skills, and he objected to the very idea of paying a ransom. “I say hell no,” he said. “There’s all the stuff about how it’s funding terrorism. But more so, it’s just encouraging [criminals] to keep going.”

He consulted BleepingComputer.com. Sure enough, a BleepingComputer member known as BloodDolly had cracked TeslaCrypt. Gillespie still had to create a key for the client, which required running complex software for hours or days at a time. By year’s end, he was generating customized keys for scores of TeslaCrypt victims who had posted on BleepingComputer or on social media.

Gillespie also began exchanging private messages on BleepingComputer with U.K.-based ransomware expert Fabian Wosar, who was working to break other strains of ransomware. Gillespie, Abrams, Wosar and a handful of other volunteers worldwide formed a group they dubbed the Ransomware Hunting Team. Abrams would hear about a new type of ransomware through users’ posts and send a sample to his teammates. If they could solve it, they would.

Gillespie creates 90% of the decryptors available on BleepingComputer, Abrams said. Since May, decryptors on the site have been downloaded more than 320,000 times.

At night, on his couch, Gillespie developed a site where victims could upload a ransomware-encrypted file and automatically learn what type it was, whether a decryptor existed and, if so, how to get it. In March 2016, he launched ID Ransomware with an announcement on Twitter and on BleepingComputer. The site took off immediately.

Victims, ransomware recovery firms and other researchers sent encrypted files for analysis. Volunteers worldwide have translated ID Ransomware into two dozen languages, from Swedish to Nepali. Only 26% of submissions to the site have come from the U.S. “He collects amazing data because so many people use it,” Abrams said. “You can see statistics, trends, what kinds of attacks are happening and when. Everyone uses it.”

Those users include law enforcement. An FBI agent from the Springfield, Illinois, field office asked to meet Gillespie, and they got together with another agent at a local Panera restaurant.

“The first meeting was nerve-wracking for me because, you know, why does the FBI want to talk to me?” Gillespie recalled.

The FBI needed help. Victims often don’t report attacks to the bureau because they don’t want investors or the public to learn of their security lapses. In 2018, the FBI received only 1,493 reports of ransomware.

Then they began requesting lists of IP addresses that had uploaded files to ID Ransomware, which could help identify victims, as well as ransom notes and other material. Gillespie, who discloses on the ID Ransomware homepage that email or bitcoin addresses uploaded to the site may be shared with “trusted third parties or law enforcement,” complied. Gillespie said agents indicated to him that his information may have been instrumental in last year’s indictment of two Iranian hackers wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018. It was the U.S. government’s first indictment of cyberattackers for deploying a ransomware scheme.

In 2017, the FBI awarded Gillespie a Community Leadership Award for his “public service, devotion and assistance to victims of ransomware in the United States and Internationally.”

Rather than charge victims, Gillespie kept ID Ransomware free, and he supplemented his Nerds on Call salary with a 2 a.m. paper route. But the bills were mounting, especially for health care. Morgan Gillespie was struggling with diabetes. In 2017, Michael Gillespie was diagnosed with bladder cancer. He underwent immunotherapy treatment weekly for two months, and the cancer has been in remission since.

The couple racked up credit card debt and fell behind on payments on Morgan Gillespie’s Nissan. They rotated which utility bills they would pay; one month their electricity would be turned off, and the next month it would be gas. Last year, around the time his wife lost her job as a nanny, they missed four mortgage payments on their house and began to receive foreclosure notices, Michael Gillespie said.

His relatives “have been like: ‘Why isn’t he charging? Why isn’t he making money off of this?’” his wife said. “They think it’s almost dumb.”

His fellow ransomware hunters stepped in. Fabian Wosar’s employer, antivirus provider Emsisoft, hired Gillespie part-time this year to create Emsisoft-branded decryptors. The money enabled the Gillespies to catch up on mortgage payments.

After dinner one summer evening, Gillespie took a visitor to the Normal office of Nerds on Call, one of the company’s three locations in central Illinois, nestled in a strip mall between a check-cashing store and a Great Clips hair salon. In the back, behind the retail area, is his desk adorned with framed photos of his cats.

Nerds on Call lets him work on ransomware in his downtime. Gillespie hopes that someday his services will no longer be needed, because businesses and people will have learned proper cybersecurity. “If the world had backups, then we wouldn’t have ransomware,” he said.

In the meantime, he said, he plans to keep plugging away, even as hackers pile up profits. “There’s a time in every IT person’s career where they think, ‘I’m on the wrong side,’” he said. “You start seeing the dollar amounts that are involved. But I just don’t care to go that way.”

ILLUSTRATIONS BY BENJAMIN MARRA FOR PROPUBLICA
Michael Gillespie has become one of the world’s leading conquerors of ransomware.
Often ridiculed by classmates at high school in Pekin, Michael Gillespie found a worldwide niche as a ransomware hunter.
