Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly

Interview With a Russian Cybercriminal

A LockBit ransomware operator shared with researchers why he became involved in cybercrime, how he chooses victims, and what's in his toolbox.

IT security practitioners spend a lot of time strategizing ransomware defense, but many know little about the criminals plotting attacks. Who is the person behind a devastating ransomware campaign? Why did they choose a specific target? What about cybercrime appeals to them? 

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: FBI Encounters: Reporting an Insider Security Incident to the Feds

To better understand the attacker's perspective, Cisco Talos researchers interviewed a LockBit ransomware operator. Their interaction, as with many in the security world, began on Twitter. This operator, who would not share his name but is referred to as "Aleks," tagged a member of the Talos team in a tweet promoting his compromise of a Latin American financial institution.

Researchers continued to communicate with Aleks, who agreed to an interview in September 2020. The Talos team found him to be credible, as he provided evidence of his standing within the LockBit community, advance knowledge of its operations, and changes to its ransomware, all of which the researchers were able to corroborate. He also shared details of a victim organization compromised days before the incident was publicized, showing knowledge of LockBit activity.

Who is Aleks? The team is confident he's a man who lives in the Siberian region of Russia and has likely been a ransomware operator for several years. They estimate he's in his early 30s and has a university-level education, though he claims to be self-taught in skills such as penetration testing, network security, and intelligence collection. Aleks relies on common tools like Mimikatz and PowerShell, and looks for well-known security flaws to exploit. He operates solo.

Cybercrime became appealing when Aleks grew frustrated and disappointed with his career as an IT practitioner — in particular, the obstacles in sharing vulnerabilities with security companies. Over time, feelings of underappreciation and low wages drove him to engage in criminal and unethical activity, which he now uses to earn "modest financial gains" to provide for his family. 

He chose ransomware because of its profitability and because it presented an opportunity to "teach" businesses about the dangers of not securing their data, researchers report. LockBit is a form of ransomware-as-a-service (RaaS), in which attackers put down a deposit for use of the malware, and ransom payments are split between the LockBit developers and the attackers who use it.

Thinking Like an Attacker
Interacting with a ransomware operator is "unusual, but not that unusual," says Craig Williams, director of outreach for Cisco Talos. Of course, a key challenge in chatting with a criminal is knowing when to trust them. Researchers asked many questions they were able to verify, but there were scenarios in which they felt Aleks wasn't telling the whole story. 

Williams says the strongest example of this related to targeting the healthcare industry. 

"He pointed out how he didn't target healthcare customers … but then knew an awful lot about when healthcare paid, and in what situations they paid, and what type of data they have, and exactly how valuable it would be, and if they had insurance, they were more likely to pay," he explains. For example, Aleks reportedly told researchers hospitals pay 80% to 90% of the time. 

Aleks seems to choose victims based on their ability to pay quickly, Williams says, though the report notes the attacker's views may not represent those of LockBit group. For example, Aleks says the EU's General Data Protection Regulation (GDPR) may work in adversaries' favor. Victim companies are more likely to pay "quickly and quietly" so as to avoid penalties under GDPR.

"I do not like to work in the US because getting paid is harder there, the EU pays better and more," Aleks reportedly told researchers. While the US is still lucrative, laws require victim organizations to disclose breaches anyway, giving the attacker less leverage in an operation. Researchers note a victim may still be motivated to pay if they believe their data will be leaked.

"That took us by surprise," Williams says of Aleks' preference for European victims. "We never thought that GDPR would be a thing that resulted in more of that region being targeted … That was pretty interesting insight." 

Another determining factor is whether an organization has cyber insurance, which ensures a ransom payment is "all but guaranteed," Aleks said in an interview with the team. However, as Williams points out, it's often difficult for an attacker to determine who has cyber insurance.

Aleks lacks the resources of a state actor but acts quickly based on a wealth of information, he explained. Some of this data comes from the Dark Web, where attackers can learn their targets' worth by finding stolen information, but much of his resources are public. Aleks, like many criminals, stays up-to-date on security news and research so as to weaponize that data. 

"As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch," he told the Talos team, noting white-hat research gives an operational advantage. 

When launching campaigns, Aleks uses common tools and tactics employed by other criminals. Most operators aren't looking to "reinvent the wheel," researchers say, and reusing tools is a faster and more effective way for them to carry out attacks. Some of his resources include Masscan, Shodan, Cobalt Strike, PowerShell, and Mimikatz, among others.

What Defenders Can Learn
The Talos team learned a key factor in choosing a form of ransomware is the percentage of profit the malware developers require attackers to pay. While many defenders think in terms of evasiveness or their ability to detect malware, most don't consider why some ransomware is more prevalent than others — it's not always the most advanced malware that proves popular.

"What you're going to end up seeing is what works well enough and charges the least … who takes the lowest percentage but actually has a payload that will be effective," Williams says. "That's what you're probably going to see most often on your network, because obviously the attackers are going to want to maximize profits."

Overall, he says, the interview helped give researchers a better understanding of how RaaS networks operate and what motivates the attackers behind ransomware campaigns.

"It was very humanizing," Williams says of the interview. "I think one of the real takeaways … is to realize the people we're playing against are real people with real issues, and they would talk to our linguists just about random everyday stuff."

However, while this research may help readers see the person behind the criminal activity, he warns organizations that ransomware operators don't always think the same way. They don't think of the people behind these businesses, nor do most consider the damaging consequences of their actions. At the end of the day, a ransomware attack is simply a transaction.

"You need to have a plan," Williams says. "You need to understand that to these folks … they don't care if you're a children's hospital or a supply warehouse. To them you're just a wallet, and they need to take the money out of the wallet." 

He encourages businesses to evaluate the baseline for security of their environment. Look for where you are vulnerable, which assets and services can be patched, and which cannot be patched. If you can't patch an asset where a critical flaw exists, what mitigation is in place? 

"In this day and age, there is not a critical vulnerability, or even a high-severity vulnerability, that won't be trivially targeted in most cases," says Williams. "So, you need to have that mitigation strategy."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.