Is the motivation behind these faceless attacks simply greed? Talos Intelligence Group interviewed a hacker referred to as “Aleks”, a university-educated Russian male who says he taught himself cybersecurity skills to find new vulnerabilities and gain recognition.
Aleks said that he started with legitimate cyber testing and would warn companies when he detected vulnerabilities that left their data unsecured, but he was often ignored. The lack of response from these businesses, and a feeling that his work was not being appropriately recognized within the Russian cybersecurity community, eventually led him to turn from improving cybersecurity to launching his own attacks.
Initially, Aleks used distributed denial-of-service attacks to gain attention, but he moved to ransomware to increase the impact on the affected businesses by also causing them financial losses (while the attacks also became very profitable for him). His malware of choice is LockBit, a “ransomware-as-a-service” (RaaS) that is available via the Dark Web and pays the original developer(s) a cut of the ransom payments collected using the code. He chose LockBit in part because the developer’s cut is less than the 35% cut of other similar malware. RaaS expands the threat of attack because the attackers do not have to be proficient with coding and can automate the ransomware.
The same motivation for recognition led to the Talos interview. Aleks was boasting about successful attacks and sharing evidence of data he had successfully stolen. He also claimed to have compromised a Talos researcher, and they were able to start a conversation with him online. Key takeaways from this conversation included:
- The rise in cyber insurance actually increases the odds of hackers being paid a ransom
- US state and local governments are being targeted with 10x the typical ransom amounts
- Entities in the EU are more likely to pay than in the US
- Hospitals pay the ransom 80-90% of the time because “they have no choice”
- Russia is a haven for hackers and it’s easy to run operations from Russia
Aleks gave an ominous warning at the end of the interview: “Ransomware and its operations will expand in the near future.”