Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Charm Offensive: Ransomware Gangs 'Tell All' in Interviews

REvil, MountLocker and LockBit Operators Describe Strategies and Target Selection
Charm Offensive: Ransomware Gangs 'Tell All' in Interviews
Ransom note for a REvil - aka Sodinokibi - ransomware infection (Source: Cisco Talos)

Ransomware-wielding attackers have been in the limelight lately - not just for hitting Acer, Dassault Falcon and celebrity law firms, but also for granting tell-all interviews.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Ransomware operators' publicity efforts raise the question: Are they seeking to burnish their brand before they hit their next high-profile victim? Whatever their motivations, three recently published interviews appear to provide insights into ransomware-as-a-service operations:

  • LockBit: The Cisco Talos threat intelligence team interviewed a self-described "LockBit operator" in September 2020 and published the interview in January with "Aleks" - a fictitious name used for the purpose of the interview. Talos says it believes Aleks "resides in the Siberian region of Russia and has probably been an active ransomware operator for at least several years." Talos says it first spotted him publishing access to a VPN vendor's keys in June 2020 using the Twitter handle "uhodiransomwar," which transliterates from Russian as "go away, ransomware."
  • MountLocker: This group was first spotted in June 2020, and has since been tied to attacks against Dassault Falcon, Forrester, HTC, Thyssen Krupp and others. French technology news site Zataz recently published an interview with "A," who appears to run the ransomware operation.
  • REvil: Also known as Sodinokibi, this operation first appeared in April 2019 and continues today, reportedly including Acer among its most recent victims. Speaking with threat intelligence firm Recorded Future, which translated the interview from Russian to English, a REvil representative using the alias "Unknown" claims that the gang purchased crypto-locking malware code from the now-defunct GandCrab group. Researchers say the RaaS operation appears to have made more than $150 million in income since then.

Here are 10 takeaways from these interviews with ransomware operators:

1. Wanted: Large Victims

Ransomware gangs have increasingly been targeting larger organizations in search of much bigger payoffs.

"We prefer to target only large, multibillion-dollar companies. They can pay over $10 million. Small businesses can't afford a lot," the MountLocker operator says. "But it takes a lot more time and work" to target larger organizations, the operator says.

2. Public Naming and Shaming Works

One tactic gangs sometimes use is threatening to shut a company down by running a distributed denial-of-service attack. But the REvil gang uses such tactics sparingly, preferring to rely instead on call centers that phone victims after listing the target on the gang's dedicated site for naming and shaming victims and dumping samples of stolen data in hopes of pressuring victims into paying.

"We call each target as well as their partners and journalists; the pressure increases significantly," Unknown says. "And after that, if you start publishing files, well, it is absolutely gorgeous. But to finish off with DDoS is to kill the company."

3. Cyber Insurance Pays

Attackers appear to prefer victims with cyber insurance, with LockBit's operator noting that it's "all but guaranteed" he'll see a ransom payment.

Extract from the Cisco Talos interview with the LockBit operator

REvil's Unknown refers to organizations that carry cyber insurance as "one of the tastiest morsels," while the MountLocker operator's advice for victims is that "insurance, speed and action are your best friends when you get stuck."

Even better, apparently, is "to hack the insurers first - to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves," REvil's operator says. Whether REvil has put that strategy into practice remains unknown.

While there's been some debate about whether organizations that carry cyber insurance are more at risk of being hit, in general, attackers have no way of knowing, in advance, which organizations carry such insurance - unless, of course, they're able to hack the insurers (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).

4. RaaS Affiliates Come and Go

Many ransomware operators now use the ransomware-as-a-service model to maximize profits. Such services provide crypto-locking malware to affiliates, who infect systems. Whenever a victim pays, the operator takes a pre-agreed cut, then gives the rest to the affiliate. Experts say this model has enabled many RaaS operations to maximize their revenue (see: More Ransomware-as-a-Service Operations Seek Affiliates).

REvil's Unknown says the greatest number of affiliates the operation has had is 60. And affiliates tend to shift among different RaaS operations that offer them a better cut of the proceeds - or they temporarily "retire" before coming back for more. REvil appears to market itself to potential affiliates by trying to give them better tools than its RaaS competitors.

"Due to the closure of the Maze, we have only increased the number of promising affiliates," Unknown claims. LockBit, too, appears to have been recruiting former Maze affiliates.

Affiliates often talk on underground forums and come away with opinions about various operations. The LockBit operator, for example, says that "REvil can make your files unstable and Netwalker slows the system down too much," and says some avoided working with Maze because it kept up to 35% of all profits.

5. Hospitals: Easy Money

The LockBit operator claims to never target the healthcare sector, saying that "if you are attacking hospitals during COVID-19, you are a [expletive]." But despite that claim, Talos notes that he also was able to share this insight: "Hospitals pay 80% to 90% of the time because they simply have no choice." (See: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare.)

6. Geographical Target Selection

The REvil representative says the operation doesn't go after victims in Russia, or any of the other countries in the Commonwealth of States, "including Georgia and Ukraine." The CIS was formed following the 1991 dissolution of the Soviet Union.

Not attacking the CIS region is typical for any criminals who are based there and want to stay out of jail (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).

Unknown adds that "very poor countries don't pay - India, Pakistan, Afghanistan and so on," and so don't tend to get targeted.

Given the threat of arrest by the FBI and other western law enforcement agencies, REvil's operators and affiliates also avoid most international travel, Unknown says.

7. No Love for (Most) Negotiators

REvil's representative expresses a dislike of ransomware negotiators, saying that "70% are just there to knock down the price" and that "very often they make it harder" for victims by seeking laughable discounts - for example, countering a $1 million ransom demand with an offer to pay $15,000 instead. "They only help purely in buying bitcoins or monero. The rest is harmful," Unknown claims.

On the other hand, Unknown suggests that REvil prefers to work with certain intermediaries. "We give good discounts to decent intermediaries so that they can make a bit of profit and the companies pay less," Unknown says.

8. Reliable Payday

All of the ransomware operators portrayed their activities as being just a day job. "Most of us have families, kids, lovers, parents, pets, hobbies, problems, etc.," the MountLocker operator says.

One of the biggest takeaways from the interviews is that criminality offers opportunities, especially for individuals with technical inclinations - and yes, apparently few moral scruples - in certain parts of the world to make much more money than they might otherwise.

"As a child, I scrounged through the trash heaps and smoked cigarette butts," REvil's Unknown claims. "I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn't eat for two or even three days. Now I am a millionaire."

9. 'This Crime is Scalable'

Herein lies the bigger-picture ransomware problem: If criminals, operating remotely, can make massive profits while incurring little risk to themselves, why would they ever stop?

"Global inequitable access to a path to prosperity leads to crime. On the internet, this crime is scalable," bug bounty pioneer Katie Moussouris, CEO of Luta Security, says via Twitter (see: So You Want to Build a Vulnerability Disclosure Program?).

"We've done this to ourselves in building systems too hard for all to secure consistently, while ignoring the growing gulf of wealth disparity," she says. "Ransomware is a guillotine."

10. 'Mirror to Our Neglect'

This is not the first time that organizations and policymakers alike have been running scared from a cybersecurity scourge. At the 2012 RSA conference in San Francisco, Grady Summers - then vice president of Mandiant's cloud security group - said of the famous hacktivist collective then ravaging networks: "The Anonymous attacks hold up a mirror to our neglect."

Now ransomware-wielding gangs have seized that mantle. Or as MountLocker's operator says: "We use network security holes the same way lawyers use legal holes."

Until the state of information security improves, arguably these and other ransomware-wielding criminals will continue to enjoy their advantage.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.