Cisco tells the human side of ransomware

What drives a cybercriminal to carry out a malicious campaign in order to infect his victims with ransomware, block access to their data and demand a ransom, otherwise threatening its publication or final elimination? The most immediate and obvious answer to the question is: the gain. Cisco Talos researchers have tried to go deeper, getting in touch with one of the protagonists of this field and trying to investigate his activity by taking into consideration aspects usually ignored.

Who is there behind a ransomware attack: the story of Aleks

Aleks, this is his invented name, told himself by sharing details about his professional background, personal interests and ideas, about what prompted him to embrace the dark side. He is credited with managing the @uhodiransomwar account (now suspended) on Twitter through which the attacks carried out (mostly through LockBit) have been announced on several occasions, complete with summaries of the stolen information as can be seen in the example here below: credit cards, documents, etc.



The protagonist of the story does not spend 24 hours a day in front of the computer monitor in search of his targets. He defines himself as a lover of cooking, music and history, he claims to have to deal with deadlines at work like all of us and to devote free time to family and hobbies. He is about 30 years old and resides in the Siberian region, his education is university level. He has been active in the world of ransomware for several years and claims to have learned his skills independently, studying network protocols, markup and scripting languages ​​as well as frameworks since the early 2000s. Even before getting his degree, he started working in IT. To push him towards cybercriminal activity, he says, also the disappointment for not having been appreciated and listened to in the professional context and for never having received an adequate salary.



These according to Cisco Talos i more interesting passages than emerged in the interview.

Hackers are constantly looking for unpatched systems to break into corporate networks. Most cybercriminals rely almost exclusively on open source tools. Cybercriminals are often self-taught and avid consumers of security news, updated on research and vulnerabilities. They aim to hit the simplest goals without taking into account any moral obligation. The use of the Maze ransomware (but also LockBit) was based on a franchise with a real affiliate program. The managers of Maze withheld up to 35% of the profits generated by its affiliates' ransomware attacks. Those who carry out the attacks seem to have a rather contradictory code of ethics: Aleks, for example, expresses a strong contempt for those who attack health organizations but, at the same time, provides weak evidence that they are not a target of him. Hospitals are considered easy targets to hit and pay the ransom with percentages ranging from 80% to 90%. The GDPR of the European Union plays in favor of the bad guys: victims of ransomware in Europe are more likely to pay the ransom to avoid the legal consequences of an attack if it becomes public. Source: Cisco (Front Page)