Date: 2021-02-06

Written by Benjamin Freed



Ransomware is often viewed as a financial crime. And while the primary goal of a ransomware attack is to force a victim to pay to regain access to their data or prevent it from being posted on the open Internet, an interview with a ransomware vendor by Cisco’s Talos Intelligence Group shows that malicious actors are also motivated by resentment, a desire to be noticed, and an appetite for new vulnerabilities.

Research published this week by Talos presents the company’s interactions with a hacker, known only as “Aleks”, who is said to be a user of the LockBit malware that emerged last year. Talos researchers wrote that Aleks, who they believe to be a college-educated man in his thirties living in Siberia, “is self-taught in cyber skills,” including penetration testing and network security.

But, the report says, Aleks went from the legitimate IT industry to cybercrime out of personal frustration.

“Despite Aleks’ education and skills, he expressed a general feeling of disappointment, sometimes even resentment, for not being properly appreciated in the Russian computer industry,” Talos wrote.

Aleks claimed that his attempts to warn companies that their websites were not secure were often rejected or ignored, leading him to follow the path taken by many other IT professionals: using his skills for personal financial gain through illicit activities.

“Based on our conversations, it was clear that Aleks was frustrated at not being able to warn of vulnerabilities and often felt his well-meaning efforts were being ignored,” the report said. “It became a big motivation for him to pursue unethical and/or criminal work.”

And while Aleks told Talos that he initially tried several types of cyberattacks, including distributed denial of service attacks, he ultimately favored ransomware because of “its profitability and because it gave him the opportunity to teach businesses the consequences of not properly securing data.”

As a service

While Aleks has said he turned to ransomware out of personal grievance, what he told Talos suggests he’s just as, if not more, motivated by financial gain. The malware he uses, LockBit, is ransomware-as-a-service, with users like Aleks giving developers a cut of all payments collected. It is also said to require a lower royalty percentage than similar RaaS products, like Maze, which Talos said took a 35% cut.

While the authors of Maze claimed to close their operation last November, other variants of RaaS have continued to flourish, often with the gangs behind them sharing financial and organizational ties, according to a study published Friday by Chainalysis, a research firm that works with the police.

Talos began communicating with Aleks last September after he tweeted about his successful compromise of a Latin American financial institution and shared evidence of stolen data in an attempt to extort the bank into paying. One of the accounts Aleks tagged in his bragging belonged to a Talos researcher, which led the company to attempt a conversation.

This led Aleks to share several other details about the ransomware trade, such as the relative ease of operating in Eastern Europe. “The best country for a cybercriminal is Russia,” he said. He also told Talos that while US entities are less likely to pay than targets in Europe, the growing popularity of cyber insurance dramatically increases the chances that hackers will get paid.

This comment is consistent with a study released last year by Deloitte showing that Ryuk ransomware actors “specifically targeted US states and local governments and demanded a ransom nearly 10 times higher than average attacks,” with the understanding that these governments were more likely to hold insurance policies.

An unreliable narrator

While Aleks explained at length his seemingly human motivations for delving into the world of ransomware, Talos researchers did not find him to be a fully reliable narrator. Although he claimed not to take part in operations targeting hospitals during the COVID-19 pandemic, and described those who do as unprincipled, Talos questioned that denial.

“He shared information with us during our conversations that would likely only be known to people involved in such operations, such as ‘hospitals pay 80-90% of the time because they just don’t have the choice,’” the report reads. “Moreover, his passionate refusal to be involved in such activity is somewhat suspect and suggests that he might be overcompensating to hide potential lies.”

Talos researchers also felt that Aleks’ behavior was consistent with offenders in general.

“There seems to be an underlying contradiction in Aleks’ description of his personal history in which he presents himself as being guided by certain moral codes, while his actions appear to be more opportunistic, financially motivated and self-interested,” the report states. “This is not unusual, as criminals often rationalize their actions to justify their crimes.”

It also goes on to warn that with the continued need for remote work and distance learning as the pandemic continues, and the relative vacuum left by Maze’s supposed retirement, “ransomware and its operations will grow in the near future.”