Those users include law enforcement, on both sides of the Atlantic. Europol and Netherlands police flattered ID Ransomware by imitation, launching a similar but less comprehensive site. An FBI agent from the Springfield, Illinois, field office asked to meet Gillespie, and they got together with another agent at a local Panera restaurant.

“The first meeting was nerve-wracking for me because, you know, why does the FBI want to talk to me?” Gillespie recalled. “I was so awkward at that meeting. I wasn’t thinking, ‘Am I gonna get arrested.’ But I did have in the back of my mind, ‘Am I gonna say something stupid?’”

The FBI needed help. Victims often don’t report attacks to the bureau because they don’t want investors or the public to learn of their security lapses. In 2018, the FBI received only 1,493 reports of ransomware — compared with the 2,000 queries daily to Gillespie’s site from about 750 different IP addresses worldwide.

At first, the agents sought information about the origins of a specific ransomware attack, something Gillespie does not investigate. Then they began requesting lists of IP addresses that had uploaded files to ID Ransomware, which could help identify victims, as well as ransom notes and other material. Gillespie, who discloses on the ID Ransomware homepage that email or bitcoin addresses uploaded to the site may be shared with “trusted third parties or law enforcement,” complied.

His assistance appears to have paid off. Gillespie said agents indicated to him that his information may have been instrumental in last year’s indictment of two Iranian hackers wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018. Although the suspects have not been arrested, it was the U.S. government’s first indictment of cyberattackers for deploying a ransomware scheme.

Gillespie continues to meet regularly with FBI agents. He tips them off, for instance, when a ransom note or extension on a file uploaded to the site identifies the targeted business. Cooperation from such victims could help law enforcement learn more about the source of the ransomware, he said.

Some other ransomware hunters are warier of the FBI. Abrams expressed concern that, despite the ID Ransomware acknowledgment, there could be “repercussions” from victims who might be upset that Gillespie identified them to the bureau. Gillespie “is a little too trusting” of law enforcement, Abrams said. “I do think that he’s not very worldly and that he sees things a little more black and white than with a lot of shades of gray. And I think in that case he could be easily manipulated and taken advantage of.”

In 2017, the FBI awarded Gillespie a Community Leadership Award for his “public service, devotion and assistance to victims of ransomware in the United States and Internationally.” Gillespie prominently displays the award in his home. In April 2018, he and his wife flew to Washington for the award ceremony, accompanied by his boss at Nerds on Call. The joke around the office was that the boss “went with him to try to nerf anybody trying to recruit him,” said Gillespie’s former co-worker, Jacobs. “He would be very difficult to replace.”


Philosophically opposed to charging victims, Gillespie keeps ID Ransomware free. He put up a link for donations to help cover the costs of running the site, but he didn’t bother to register it as a nonprofit, which would have enabled donors to deduct gifts from their taxes. Contributions were scarce. One $3,000 donation through PayPal proved to be a scam — Gillespie speculated that it may have been revenge by hackers whose ransomware he disabled — and PayPal demanded the money back. He couldn’t repay it and switched to another service.

Gillespie “doesn’t chase money,” Jacobs said. “If he were chasing money, he would have been living on the East or West Coast by now and doing something for some company that we’d all heard of instead of a little service provider in the Midwest. But he’s one of those guys, he operates very heavily on principle.”

To make ends meet, Gillespie supplemented his Nerds on Call salary with a 2 a.m. paper route, delivering the local newspaper on his bike. While he had enjoyed having a paper route in junior high, the job now depressed him. But the family bills were mounting, especially for health care. Morgan Gillespie struggled with diabetes and other medical issues. Over the years, Michael Gillespie noticed blood in his urine, and in the fall of 2017, his wife finally made him see a doctor. The physician removed a tumor and diagnosed bladder cancer, which rarely affects young adults. Gillespie took one day off for surgery and one to recover before returning to work. He underwent immunotherapy treatment weekly for two months, and the cancer has been in remission since. Although he was insured through Nerds on Call, the costs for his care still added up.

The couple reached a financial breaking point. They racked up credit card debt and fell behind on payments on Morgan Gillespie’s Nissan. They rotated which utility bills they would pay; one month their electricity would be turned off, and the next month it would be gas. They surrendered the car to the bank, which sold it at a loss at auction and forced them to make up the difference. Last year, around the time his wife lost her job as a nanny, they missed four mortgage payments on their house and began to receive foreclosure notices, Michael Gillespie said.

Gillespie said he’s considering charging other security researchers for the statistics he gathers on the site, but he will always keep the tools free for victims. Friends and family members nagged Gillespie to collect fees from ID Ransomware users. Even his wife’s grandmother, whom Gillespie calls “grammy,” brought it up. “I try to not interfere in that area,” Rita Blanch said. “Unless, being silly at times, when I would say to him, ‘Babe, you need to charge, you could, like, be rich.’”

Other relatives “have been like: ‘Why isn’t he charging? Why isn’t he making money off of this?’” said his wife, who recently found a part-time job as a babysitter. “They think it’s almost dumb, the fact that he does what he does. But that was just never what the deal was for us. He just doesn’t want to take advantage of people who are already being taken advantage of.”

Instead, his fellow ransomware hunters stepped in. Abrams covered the $400 cost of obtaining a certificate that lets users know they’re downloading from a trustworthy site. Wosar began donating to ID Ransomware, and his employer, Emsisoft, hired Gillespie part-time this year to create Emsisoft-branded decryptors. The money enabled the Gillespies to catch up on mortgage payments.

“He’s doing so much, how do you not support him if you can?” Abrams said.


After dinner one summer evening, Gillespie took a visitor to the Normal office of Nerds on Call, one of the company’s three locations in central Illinois, nestled in a strip mall between a check-cashing store and a Great Clips hair salon. Gillespie, who has worked for Nerds on Call for 11 years, has keys, so he was able to open the office and disable the alarm system. In the back, behind the retail area, is his desk, adorned with framed photos of his cats.

As his wife’s relatives often remind him, he could earn three times as much somewhere else. But he’s happy at Nerds on Call, which gives him the freedom to work on ransomware in his downtime. This year, he figured out fixes for the STOP Djvu ransomware, which was infecting files through pirated software. Victims — who were unlikely to seek law enforcement assistance since they were committing a crime themselves — continue to press Michael for help unceasingly. “It’s borderline harassment,” he said.

His frustration with the deluge of entreaties occasionally boiled over in his tweets. “Everything you could possibly need to know is IN THE FUCKING FAQ, and it’s in BIG BOLD RED LETTERS,” he once responded. “I’m losing sleep, losing time at my job, losing fucking sanity at this point.”

Some STOP Djvu victims thanked Gillespie. Adam Hegedus of Szolnok, Hungary, was surfing the internet on his girlfriend’s laptop in August when he disabled the anti-virus and firewall protections. Ransomware crippled the computer, and a text file demanded $1,000 to restore access. Hegedus’ girlfriend is a teacher, and her lesson plans, thesis and other important documents were encrypted. Hegedus felt so guilty that he couldn’t sleep, and he sought assistance from several forums, including BleepingComputer.com. This month, Gillespie replied with some good news; he had a decryption key. Hegedus called his girlfriend, who rushed home and was delighted to be able to use her files again.

“You cannot imagine how grateful I am,” Hegedus wrote to Gillespie. “Everything has been decrypted and this is only because of your hard work.” Hegedus offered a donation, but Gillespie declined.

Gillespie hopes that someday his services will no longer be needed, because businesses and people will have learned proper cybersecurity. “If the world had backups, then we wouldn’t have ransomware,” he said.

In the meantime, he said, he plans to keep plugging away, even as hackers and their enablers pile up profits. “There’s a time in every IT person’s career where they think, ‘I’m on the wrong side,’” he said. “You start seeing the dollar amounts that are involved. But nah, I can’t say that I ever have. I just don’t care to go that way.”

ProPublica research reporter Doris Burke contributed to this article.