What comes to mind when you think about the perpetrators behind ransomware attacks? A well-organized underground network of arch-villains bent on chaos and wanton destruction? A loose affiliation of disaffected computer geniuses taking advantage of individuals and organizations to demonstrate their superiority? The truth probably lies somewhere in between, if a recent profile of a ransomware attacker can be believed.
The Cisco Talos security team established contact with a LockBit ransomware controller in September last year. In the intervening months, the team conducted several interviews with the ransomware actor, identified only with the pseudonym Aleks. Cisco Talos recently issued a full report on their interactions with Aleks, which the group says are ongoing. Their observations provide a rare look behind the curtain of ransomware operators.
A Good Tech Worker Gone Bad
Aleks is believed to be a male Russian in his 30s and based in or near Siberia. He has been an active ransomware operator for several years, according to Talos, and describes himself as self-taught in penetration testing, network security and intelligence collection. Aleks began working in the IT field while at university and continued in that career path after his graduation.
At some point, Aleks became disenchanted with his legitimate IT work, even expressing resentment for not receiving greater appreciation for his skills. “His frustration was evident during our conversations, with him disparaging several well-known Russian cybersecurity companies,” the report states. It added that his “perceived under-appreciation and low wages” might have led him to embrace criminal activity.
A Lone Wolf with a Loose Moral Code
Aleks began his criminal activity by exploring distributed denial-of-service attacks and compromising websites with malware. But he told Talos that ransomware offered two key advantages: high profitability and the chance to educate companies about what can happen when they don’t adequately secure their data.
Talos noted that Aleks expressed moral reservations that affected his selection of targets. But his statements were at times contradictory. On one hand, he identified as a patriot. On the other, he claimed that “for a cybercriminal, the best country is Russia.” He further stated that he doesn’t target healthcare providers, labor unions, or educational institutions. And he condemned ransomware operators that did, saying “just because you are a criminal doesn’t mean you have to stop being a human being.”
But the Talos team noted that other statements by Aleks betrayed a rather intricate knowledge about how vulnerable healthcare targets were and how willing they were to pay ransoms. This suggested a more fluid moral approach to target selection. Many of his targets were IT companies, and the tools he used to compromise them were largely common, open-source utilities that are easily acquired and easily implemented.
Important Lessons for Security Professionals
The Talos report notes that network security strategies are often geared toward large-scale attacks that receive considerable media attention and cost organizations millions of dollars. In doing so, simpler and far more common threats get overlooked. The report further identified key takeaways that every cybersecurity specialist should keep in mind.
- Unpatched systems are easy targets: Routine patching in large organizations is difficult to maintain. Exploiting unpatched systems is made even easier by the public availability of exploit codes.
- Unsophisticated tool sets: Many operators rely on easily available and easy to use open-source tools to perpetrate attacks.
- Cybercriminals are also threat researchers: Ransomware operators continuously update their skill sets to identify new vectors of attack. Cybersecurity experts need to do the same.
- No moral crusaders: Ransomware operators may state moral objections to attacking entities such as healthcare providers, but in practice they go after the easiest targets.
A Primer on LockBit Ransomware
Ransomware remains a potent threat to large organizations. Amid the COVID-19 pandemic, operators have increasingly targeted healthcare providers and even the vaccination supply chain. LockBit might not have the same name recognition as Ryuk or WannaCry, but it remains a considerable threat, particularly as it has adopted a secondary ransom strategy of extorting additional ransom to prevent data leaks after systems are decrypted.
First identified in 2019, LockBit is a self-propagating and targeted form of ransomware. Once it infects a host, it automatically searches and infects other accessible hosts without the need for human intervention. LockBit operates as ransomware as a service, with independent contractors like Aleks paying a fee or percentage of any ransom received to developers.
Don’t Take Cybersecurity for Granted
If the Talos profile of a LockBit operator tells us anything, it’s that complacency about data security can lead to disaster. It also tells us that some of the easiest exploits are also the easiest to remedy. Practicing good digital hygiene can help avoid a great many cybersecurity threats. But protecting your data ultimately requires a comprehensive and multilayered approach.
SecureData has driven data security innovation for more than a decade. Our award-winning SecureDrive® and SecureUSB® hardware-encrypted storage devices are at the heart of our total security solution that also incorporates offline encrypted backup systems, remote drive management, and impenetrable endpoint security.
Ransomware has numerous vectors of attack. Our secure data storage solutions and software products will keep your access points protected. Call us at 1-800-875-3230 to speak to one of our data security experts.