IT security practitioners spend a lot of time strategizing ransomware defense, but many know little about the criminals plotting attacks. Who is the person behind a devastating ransomware campaign? Why did they choose a specific target? What about cybercrime appeals to them?
To better understand the attacker's perspective, Cisco Talos researchers interviewed a LockBit ransomware operator. Their interaction, as with many in the security world, began on Twitter. This operator, who would not share his name but is referred to as "Aleks," tagged a member of the Talos team in a tweet promoting his compromise of a Latin American financial institution.
Researchers continued to communicate with Aleks, who agreed to an interview in September 2020. The Talos team found him to be credible, as he provided evidence of his standing within the LockBit community, advance knowledge of its operations, and changes to its ransomware, all of which the researchers were able to corroborate. He also shared details of a victim organization compromised days before the incident was publicized, showing knowledge of LockBit activity.
Who is Aleks? The team is confident he's a man who lives in the Siberian region of Russia and has likely been a ransomware operator for several years. They estimate he's in his early 30s and has a university-level education, though he claims to be self-taught in skills such as penetration testing, network security, and intelligence collection. Aleks relies on common tools like Mimikatz and PowerShell, and looks for well-known security flaws to exploit. He operates solo.
Cybercrime became appealing when Aleks grew frustrated and disappointed with his career as an IT practitioner — in particular, the obstacles in sharing vulnerabilities with security companies. Over time, feelings of underappreciation and low wages drove him to engage in criminal and unethical activity, which he now uses to earn "modest financial gains" to provide for his family.
He chose ransomware because of its profitability and because it presented an opportunity to "teach" businesses about the dangers of not securing their data, researchers report. LockBit is a form of ransomware-as-a-service (RaaS), in which attackers put down a deposit for use of the malware, and ransom payments are split between the LockBit developers and the attackers who use it.
Thinking Like an Attacker
Interacting with a ransomware operator is "unusual, but not that unusual," says Craig Williams, director of outreach for Cisco Talos. Of course, a key challenge in chatting with a criminal is knowing when to trust them. Researchers asked many questions they were able to verify, but there were scenarios in which they felt Aleks wasn't telling the whole story.
Williams says the strongest example of this related to targeting the healthcare industry.
"He pointed out how he didn't target healthcare customers … but then knew an awful lot about when healthcare paid, and in what situations they paid, and what type of data they have, and exactly how valuable it would be, and if they had insurance, they were more likely to pay," he explains. For example, Aleks reportedly told researchers hospitals pay 80% to 90% of the time.
Aleks seems to choose victims based on their ability to pay quickly, Williams says, though the report notes the attacker's views may not represent those of the LockBit group. For example, Aleks says the EU's General Data Protection Regulation (GDPR) may work in adversaries' favor. Victim companies are more likely to pay "quickly and quietly" so as to avoid penalties under GDPR.
"I do not like to work in the US because getting paid is harder there, the EU pays better and more," Aleks reportedly told researchers. While the US is still lucrative, laws require victim organizations to disclose breaches anyway, giving the attacker less leverage in an operation. Researchers note a victim may still be motivated to pay if they believe their data will be leaked.
"That took us by surprise," Williams says of Aleks' preference for European victims. "We never thought that GDPR would be a thing that resulted in more of that region being targeted … That was pretty interesting insight."
Another determining factor is whether an organization has cyber insurance, which ensures a ransom payment is "all but guaranteed," Aleks said in an interview with the team. However, as Williams points out, it's often difficult for an attacker to determine who has cyber insurance.
Aleks lacks the resources of a state actor but acts quickly based on a wealth of information, he explained. Some of this data comes from the Dark Web, where attackers can learn their targets' worth by finding stolen information, but many of his resources are public. Aleks, like many criminals, stays up to date on security news and research so as to weaponize that data.
"As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch," he told the Talos team, noting white-hat research gives an operational advantage.
When launching campaigns, Aleks uses common tools and tactics employed by other criminals. Most operators aren't looking to "reinvent the wheel," researchers say, and reusing tools is a faster and more effective way for them to carry out attacks. Some of his resources include Masscan, Shodan, Cobalt Strike, PowerShell, and Mimikatz, among others.
What Defenders Can Learn
The Talos team learned a key factor in choosing a form of ransomware is the percentage of profit the malware developers require attackers to pay. While many defenders think in terms of evasiveness or their ability to detect malware, most don't consider why some ransomware is more prevalent than others — it's not always the most advanced malware that proves popular.
"What you're going to end up seeing is what works well enough and charges the least … who takes the lowest percentage but actually has a payload that will be effective," Williams says. "That's what you're probably going to see most often on your network, because obviously the attackers are going to want to maximize profits."
Overall, he says, the interview helped give researchers a better understanding of how RaaS networks operate and what motivates the attackers behind ransomware campaigns.
"It was very humanizing," Williams says of the interview. "I think one of the real takeaways … is to realize the people we're playing against are real people with real issues, and they would talk to our linguists just about random everyday stuff."
However, while this research may help readers see the person behind the criminal activity, he warns organizations that ransomware operators don't always think the same way. They don't think of the people behind these businesses, nor do most consider the damaging consequences of their actions. At the end of the day, a ransomware attack is simply a transaction.
"You need to have a plan," Williams says. "You need to understand that to these folks … they don't care if you're a children's hospital or a supply warehouse. To them you're just a wallet, and they need to take the money out of the wallet."
He encourages businesses to evaluate the baseline for security of their environment. Look for where you are vulnerable, which assets and services can be patched, and which cannot be patched. If you can't patch an asset where a critical flaw exists, what mitigation is in place?
"In this day and age, there is not a critical vulnerability, or even a high-severity vulnerability, that won't be trivially targeted in most cases," says Williams. "So, you need to have that mitigation strategy."
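As an added illustration of the patch-or-mitigate triage Williams describes (this is example code, not from the article or from Talos), the script below scores a constructed asset inventory by unpatched severity, days since disclosure, and internet exposure, and lists the unpatchable flaws that still have no compensating control. Asset names and CVE identifiers are placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory for illustration; CVE ids are placeholders, not real advisories.
@dataclass
class Asset:
    name: str
    cve: str                 # placeholder identifier
    severity: str            # "critical", "high", "medium", or "low"
    published: date          # advisory publication date
    internet_facing: bool    # reachable by mass scanners (Masscan, Shodan)
    patchable: bool          # a vendor fix exists and can be applied here
    mitigations: list = field(default_factory=list)  # compensating controls in place

SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 2}
TODAY = date(2020, 9, 30)  # fixed reference date so results are reproducible

def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Rank the exposure window an opportunistic operator exploits: base severity,
    plus a patch-lag penalty (capped at 30 points for 90+ days since disclosure),
    doubled when internet-facing, halved when a compensating control exists."""
    score = SEVERITY_WEIGHT[asset.severity]
    score += min((today - asset.published).days, 90) // 3
    if asset.internet_facing:
        score *= 2
    if asset.mitigations:
        score //= 2
    return score

def unmitigated_gaps(inventory) -> list:
    """Critical/high flaws that cannot be patched and have no control in place:
    the assets that need a mitigation strategy before anything else."""
    return [a.name for a in inventory
            if a.severity in ("critical", "high") and not a.patchable and not a.mitigations]

def prioritized(inventory, today: date = TODAY) -> list:
    """Inventory sorted from highest to lowest risk score."""
    return sorted(inventory, key=lambda a: risk_score(a, today), reverse=True)

INVENTORY = [
    Asset("vpn-gateway", "CVE-EXAMPLE-0001", "critical", date(2020, 8, 1), True, True),
    Asset("legacy-hmi", "CVE-EXAMPLE-0002", "high", date(2020, 5, 15), False, False),
    Asset("file-server", "CVE-EXAMPLE-0003", "high", date(2020, 9, 10), False, False,
          ["network segmentation", "SMB blocked at perimeter"]),
    Asset("dev-wiki", "CVE-EXAMPLE-0004", "medium", date(2020, 9, 20), True, True),
]

if __name__ == "__main__":
    for a in prioritized(INVENTORY):
        print(f"{risk_score(a):4d}  {a.name:12s}  {a.cve}  mitigated={bool(a.mitigations)}")
    print("unpatchable with no mitigation:", unmitigated_gaps(INVENTORY))
```

Swap the constructed list for a real asset export and the two functions give a defensible starting order for the "what can be patched, what cannot, and what covers the rest" review.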