Why Criminals Love Ransomware: In Their Own Words

Cisco Talos' Craig Williams and Matt Olney on Attacker Psychology, Business Goals
Craig Williams (left), director of outreach, Cisco Talos; and Matt Olney, director of threat intelligence at the firm

What are top takeaways from threat analysts who have directly interacted with criminal affiliates of ransomware-as-a-service operations?

One such interaction, which happened recently between Cisco Talos researchers and a LockBit ransomware-as-a-service operation affiliate called "Aleks," revealed numerous insights into how such criminals operate (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).

"What ... really surprised us the most were the guy's insights into himself that he accidentally shared - namely, the belief that he wanted to convey that he didn't target healthcare and other targets that are likewise ethically charged," says Craig Williams, director of outreach at Cisco Talos. "Now, the reality was: We knew the entire time that he was targeting healthcare. But it was really interesting to see that he wanted to convey this almost 'Robin Hood' type view of himself that he was really a good guy who was misunderstood and who had to struggle in life and to feed his family."

Aleks is one of a number of affiliates who work with one or more RaaS operations such as LockBit, says Matt Olney, director of threat intelligence at Cisco Talos. "The LockBit group provides a set of services - usually collecting the ransom, providing the infrastructure necessary to distribute and encrypt and apply the decryption tools and chat communications between the 'client' and the 'business,'" he says, with the affiliate gaining access to networks and infecting them. "A cut of that final ransom ... goes to the affiliate and a cut is retained by the LockBit ransomware operators."

In a video interview with Information Security Media Group, Williams and Olney discuss:

  • Top takeaways from threat intelligence analysts' conversations with a Russian ransomware affiliate;
  • How ransomware-as-a-service operations function;
  • Strategies for more effectively combating ransomware, including the Institute for Security and Technology's Ransomware Task Force recommendations.

Williams is the director of the Cisco Talos Security Intelligence and Research Group outreach team. He joined Cisco to research vulnerabilities, threats and network detection techniques. Over the past decade, his research efforts have included running the Cisco malware lab and trying to outwit the security products he has helped Cisco to design.

Olney is the manager of the Talos Interdiction Group. Working with organizations and intelligence partners around the world, he handles efforts to disrupt malicious activities before they reach customer networks.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
