Endpoint

2/2/2021 08:00 AM
Interview With a Russian Cybercriminal

A LockBit ransomware operator shared with researchers why he became involved in cybercrime, how he chooses victims, and what's in his toolbox.

IT security practitioners spend a lot of time strategizing ransomware defense, but many know little about the criminals plotting attacks. Who is the person behind a devastating ransomware campaign? Why did they choose a specific target? What about cybercrime appeals to them? 


To better understand the attacker's perspective, Cisco Talos researchers interviewed a LockBit ransomware operator. Their interaction, as with many in the security world, began on Twitter. This operator, who would not share his name but is referred to as "Aleks," tagged a member of the Talos team in a tweet promoting his compromise of a Latin American financial institution.

Researchers continued to communicate with Aleks, who agreed to an interview in September 2020. The Talos team found him to be credible, as he provided evidence of his standing within the LockBit community, advance knowledge of its operations, and changes to its ransomware, all of which the researchers were able to corroborate. He also shared details of a victim organization compromised days before the incident was publicized, showing knowledge of LockBit activity.

Who is Aleks? The team is confident he's a man who lives in the Siberian region of Russia and has likely been a ransomware operator for several years. They estimate he's in his early 30s and has a university-level education, though he claims to be self-taught in skills such as penetration testing, network security, and intelligence collection. Aleks relies on common tools like Mimikatz and PowerShell, and looks for well-known security flaws to exploit. He operates solo.

Cybercrime became appealing when Aleks grew frustrated and disappointed with his career as an IT practitioner — in particular, the obstacles in sharing vulnerabilities with security companies. Over time, feelings of underappreciation and low wages drove him to engage in criminal and unethical activity, which he now uses to earn "modest financial gains" to provide for his family. 

He chose ransomware because of its profitability and because it presented an opportunity to "teach" businesses about the dangers of not securing their data, researchers report. LockBit is a form of ransomware-as-a-service (RaaS), in which attackers put down a deposit for use of the malware, and ransom payments are split between the LockBit developers and the attackers who use it.

Thinking Like an Attacker
Interacting with a ransomware operator is "unusual, but not that unusual," says Craig Williams, director of outreach for Cisco Talos. Of course, a key challenge in chatting with a criminal is knowing when to trust them. Researchers asked many questions they were able to verify, but there were scenarios in which they felt Aleks wasn't telling the whole story. 

Williams says the strongest example of this related to targeting the healthcare industry. 

"He pointed out how he didn't target healthcare customers … but then knew an awful lot about when healthcare paid, and in what situations they paid, and what type of data they have, and exactly how valuable it would be, and if they had insurance, they were more likely to pay," he explains. For example, Aleks reportedly told researchers hospitals pay 80% to 90% of the time. 

Aleks seems to choose victims based on their ability to pay quickly, Williams says, though the report notes the attacker's views may not represent those of the LockBit group. For example, Aleks says the EU's General Data Protection Regulation (GDPR) may work in adversaries' favor: victim companies are more likely to pay "quickly and quietly" in order to avoid penalties under GDPR.

"I do not like to work in the US because getting paid is harder there, the EU pays better and more," Aleks reportedly told researchers. While the US is still lucrative, laws require victim organizations to disclose breaches anyway, giving the attacker less leverage in an operation. Researchers note a victim may still be motivated to pay if they believe their data will be leaked.

"That took us by surprise," Williams says of Aleks' preference for European victims. "We never thought that GDPR would be a thing that resulted in more of that region being targeted … That was pretty interesting insight." 

Another determining factor is whether an organization has cyber insurance, which ensures a ransom payment is "all but guaranteed," Aleks said in an interview with the team. However, as Williams points out, it's often difficult for an attacker to determine who has cyber insurance.

Aleks lacks the resources of a state actor but acts quickly based on a wealth of information, he explained. Some of this data comes from the Dark Web, where attackers can learn a target's worth from stolen information that is already circulating, but much of what he relies on is publicly available. Aleks, like many criminals, stays up to date on security news and research so that he can weaponize it.

"As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch," he told the Talos team, noting white-hat research gives an operational advantage. 

When launching campaigns, Aleks uses common tools and tactics employed by other criminals. Most operators aren't looking to "reinvent the wheel," researchers say, and reusing tools is a faster and more effective way for them to carry out attacks. Some of his resources include Masscan, Shodan, Cobalt Strike, PowerShell, and Mimikatz, among others.

What Defenders Can Learn
The Talos team learned a key factor in choosing a form of ransomware is the percentage of profit the malware developers require attackers to pay. While many defenders think in terms of evasiveness or their ability to detect malware, most don't consider why some ransomware is more prevalent than others — it's not always the most advanced malware that proves popular.

"What you're going to end up seeing is what works well enough and charges the least … who takes the lowest percentage but actually has a payload that will be effective," Williams says. "That's what you're probably going to see most often on your network, because obviously the attackers are going to want to maximize profits."

Overall, he says, the interview helped give researchers a better understanding of how RaaS networks operate and what motivates the attackers behind ransomware campaigns.

"It was very humanizing," Williams says of the interview. "I think one of the real takeaways … is to realize the people we're playing against are real people with real issues, and they would talk to our linguists just about random everyday stuff."

However, while this research may help readers see the person behind the criminal activity, he warns organizations that ransomware operators don't extend the same consideration to their targets. They don't think of the people behind these businesses, nor do most consider the damaging consequences of their actions. At the end of the day, a ransomware attack is simply a transaction.

"You need to have a plan," Williams says. "You need to understand that to these folks … they don't care if you're a children's hospital or a supply warehouse. To them you're just a wallet, and they need to take the money out of the wallet." 

He encourages businesses to evaluate the baseline for security of their environment. Look for where you are vulnerable, which assets and services can be patched, and which cannot be patched. If you can't patch an asset where a critical flaw exists, what mitigation is in place? 

"In this day and age, there is not a critical vulnerability, or even a high-severity vulnerability, that won't be trivially targeted in most cases," says Williams. "So, you need to have that mitigation strategy."
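The checklist Williams describes (find where you are vulnerable, separate what can be patched from what cannot, and make sure anything unpatchable with a critical flaw has a mitigation in place) can be turned into a small triage routine. The following is an added example written for this page, not code from Dark Reading or Cisco Talos; the asset names, the severity scale, the inventory fields and the CVE identifiers are constructed placeholders, and the rule for what counts as an acceptable mitigation is an assumption.

```python
"""
Added example, not from the Dark Reading article or from Cisco Talos: a small
vulnerability-exposure triage over a constructed asset inventory. It follows
the checklist in the text: find where you are vulnerable, separate assets that
can be patched from those that cannot, and flag any critical or high-severity
flaw on an asset that cannot be patched and has no compensating mitigation
recorded. Field names, the severity scale and the inventory are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    asset: str
    cve: str                # placeholder IDs below are constructed, not real advisories
    severity: str           # one of the keys of SEVERITY_RANK
    patch_available: bool   # has the vendor shipped a fix?
    patchable: bool         # can this asset actually take the patch (not a frozen appliance)?
    mitigations: List[str] = field(default_factory=list)  # documented compensating controls


# Constructed sample inventory (hypothetical assets and placeholder CVE ids).
SAMPLE_INVENTORY = [
    Finding("web-01",     "CVE-XXXX-0001", "critical", True,  True,  []),
    Finding("hmi-plc-03", "CVE-XXXX-0002", "critical", True,  False, ["isolated VLAN", "no internet egress"]),
    Finding("legacy-erp", "CVE-XXXX-0003", "high",     True,  False, []),
    Finding("ws-17",      "CVE-XXXX-0004", "low",      True,  True,  []),
    Finding("vpn-gw",     "CVE-XXXX-0005", "high",     False, True,  []),
]


def triage(findings: List[Finding], min_severity: str = "high") -> Dict[str, List[Finding]]:
    """Bucket findings at or above min_severity.

    patch_now       : a fix exists and the asset can take it, so patch it.
    mitigated       : cannot be patched (or no fix yet) but a compensating control is recorded.
    unmitigated_gap : cannot be patched (or no fix yet) and nothing compensates; this is the
                      exposure an opportunistic operator reaches first.
    defer           : below the severity threshold; tracked, not urgent.
    """
    threshold = SEVERITY_RANK[min_severity]
    buckets: Dict[str, List[Finding]] = {
        "patch_now": [], "mitigated": [], "unmitigated_gap": [], "defer": []
    }
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None:
            raise ValueError(f"unknown severity {f.severity!r} on {f.asset}")
        if rank < threshold:
            buckets["defer"].append(f)
        elif f.patch_available and f.patchable:
            buckets["patch_now"].append(f)
        elif f.mitigations:
            buckets["mitigated"].append(f)
        else:
            buckets["unmitigated_gap"].append(f)
    # Most severe first within each bucket (stable sort keeps inventory order for ties).
    for bucket in buckets.values():
        bucket.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return buckets


def report(buckets: Dict[str, List[Finding]]) -> List[str]:
    """Render the triage as plain lines, gaps first (returned rather than printed so it can be checked)."""
    lines = []
    for name in ("unmitigated_gap", "patch_now", "mitigated", "defer"):
        for f in buckets[name]:
            extra = f"; mitigations: {', '.join(f.mitigations)}" if f.mitigations else ""
            lines.append(f"{name:15} {f.asset:11} {f.cve} ({f.severity}){extra}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_INVENTORY)):
        print(line)
```

Run as-is it lists the two unmitigated gaps first (the unpatchable ERP host and the VPN gateway with no fix yet), then the host to patch, then the segmented PLC whose flaw is covered by a recorded control. Raising `min_severity` to `"critical"` pushes both high-severity gaps into the deferred bucket, which is the trade-off the threshold makes explicit.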

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...