Ransomware is often thought of as a financial crime. And while the main objective of a ransomware attack is to force a victim into paying to regain access to their data or prevent its publication on the open internet, an interview with a ransomware purveyor by Cisco’s Talos Intelligence Group shows that malicious actors are also motivated by resentment, a desire to be noticed and an appetite for new vulnerabilities.
Research published this week by Talos features the company’s interactions with a hacker, known only as “Aleks,” who is believed to be a user of the LockBit malware, which emerged last year. Talos researchers wrote that Aleks, whom they believe to be a university-educated man in his 30s living in Siberia, “is self-taught in cyber-related skills” including penetration testing and network security.
But, the report says, Aleks transitioned from legitimate IT industry to cybercrime out of personal frustration.
“Despite Aleks’ education and aptitude, he expressed a general sense of disappointment, at times even resentment, for not being properly appreciated within the Russian cyber industry,” Talos wrote.
Aleks claimed that his attempts to warn companies that their websites were unsecured were often rebuffed or ignored, leading him to follow a path taken by many other IT professionals, using his skills for personal financial gain through illicit activities.
“Based on our conversations, it was clear that Aleks was frustrated with being unable to warn about vulnerabilities and often felt like his well-intentioned efforts were ignored,” the report reads. “This became a significant motivator for him to pursue unethical and/or criminal work.”
And while Aleks told Talos he initially tried out several different types of cyberattacks — including distributed denial-of-service attacks— he ultimately favored ransomware because “of its profitability and because it gave him the opportunity to ‘teach’ companies the consequence of not properly securing their data.”
While Aleks said he turned to ransomware out of personal grievance, what he told Talos suggests he’s equally — if not more — motivated by financial gains. The malware he uses, LockBit is ransomware-as-a-service, with users like Aleks giving the developers a cut of any payments collected. It also reportedly takes a lower percentage royalty than similar RaaS products, like Maze, which Talos says took a 35% cut.
While Maze’s authors claimed to shut down their operation last November, other RaaS variants have continued to thrive, often with the gangs behind them sharing financial and organization ties, according to research published Friday by Chainanalysis, a research firm that works with law enforcement.
Talos began communicating with Aleks last September after tweeting about his successful compromise of a Latin American financial institution and sharing evidence of stolen data in an effort to extort the bank into paying. One of the accounts Aleks tagged in his boast belonged to a Talos researchers, leading the company to attempt conversation.
This led Aleks to share several other details of the ransomware trade, such as the relative ease of operation in Eastern Europe. “For a cybercriminal, the best country is Russia,” he said. He also told Talos that while U.S. entities are less likely to pay up than targets in Europe, the rise in popularity of cyber insurance significantly raises the odds hackers get paid.
That comment aligns with a study published last year by Deloitte showing that Ryuk ransomware actors were “specifically targeting U.S. state and local governments and demanding nearly 10 times higher ransom than average attacks,” with the understanding those governments were more likely to hold insurance policies.
An unreliable narrator
While Aleks explained at length his seemingly human motivations for delving into the world of ransomware, Talos’ researchers did not find him to be an entirely reliable narrator. Though he claimed to not take part in operations targeting hospitals during the COVID-19 pandemic, and described those who do with unprinted expletives, Talos questioned this denial.
“He shared information with us during our conversations that presumably would only be known by those involved in such operations, such as that ‘hospitals pay 80 to 90 percent of the time because they simply have no choice,'” the report reads. “Moreover, his impassioned denial about being involved in such activity is somewhat suspicious and suggests he might be overcompensating to hide potential falsehoods.”
Talos’ researchers also came away seeing Aleks’ behavior as consistent with lawbreakers in general.
“There appears to be an underlying contradiction in Aleks’ portrayal of his personal story in which he presents himself as being guided by certain moral codes, while his actions seem to be more opportunistic, financially motivated and self-serving,” the report states. “This is not unusual, as criminals often rationalize their actions to justify their crimes.”
It also goes on to warn that with the continued necessity of remote work and learning as the pandemic continues, and the relative vacuum left by Maze’s supposed retirement, “ransomware and its operations will expand in the near future.”