Why Criminals Love Ransomware: In Their Own Words

Cisco Talos' Craig Williams and Matt Olney on Attacker Psychology, Business Goals
What are top takeaways from threat analysts who have directly interacted with criminal affiliates of ransomware-as-a-service operations?
One such interaction, which happened recently between Cisco Talos researchers and a LockBit ransomware-as-a-service operation affiliate called "Aleks," revealed numerous insights into how such criminals operate (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).
"What ... really surprised us the most were the guy's insights into himself that he accidentally shared - namely, the belief that he wanted to convey that he didn't target healthcare and other targets that are likewise ethically charged," says Craig Williams, director of outreach at Cisco Talos. "Now, the reality was: We knew the entire time that he was targeting healthcare. But it was really interesting to see that he wanted to convey this almost 'Robin Hood' type view of himself that he was really a good guy who was misunderstood and who had to struggle in life and to feed his family."
Aleks is one of a number of affiliates who work with one or more RaaS operations such as LockBit, says Matt Olney, director of threat intelligence at Cisco Talos. "The LockBit group provides a set of services - usually collecting the ransom, providing the infrastructure necessary to distribute and encrypt and apply the decryption tools and chat communications between the 'client' and the 'business,'" he says, with the affiliate gaining access to networks and infecting them. "A cut of that final ransom ... goes to the affiliate and a cut is retained by the LockBit ransomware operators."
In a video interview with Information Security Media Group, Williams and Olney discuss:
- Top takeaways from threat intelligence analysts' conversations with a Russian ransomware affiliate;
- How ransomware-as-a-service operations function;
- Strategies for more effectively combating ransomware, including the Institute for Security and Technology's Ransomware Task Force recommendations.
Williams is the director of the Cisco Talos Security Intelligence and Research Group outreach team. He joined Cisco to research vulnerabilities, threats and network detection techniques. Over the past decade, his research efforts have included running the Cisco malware lab and trying to outwit the security products he has helped Cisco to design.
Olney is the manager of the Talos Interdiction Group. Working with organizations and intelligence partners around the world, he handles efforts to disrupt malicious activities before they reach customer networks.