Cisco security researchers scored a rare interview with a Russian ransomware hacker — here’s how he chooses vulnerable targets


Ransomware — in which cybercriminals lock up victims’ systems and demand cash in exchange for unlocking them — is a rising threat that governments and private companies face across the globe.

But details about the people behind ransomware attacks, including their identities and motives, are often elusive. Last month, researchers with Cisco’s Talos Intelligence Group published insights from a rare interview with a ransomware operator that shines a new light on how such threat actors function.

To Talos researchers’ surprise, the ransomware operator first initiated contact with them in September 2020, apparently seeking acclaim for his hacking skills while remaining anonymous. However, through several interviews conducted via text chats in the months that followed, researchers were able to gradually piece together information about the hacker’s identity, Talos outreach director Craig Williams said in an interview with Insider.

“Slowly but surely, it would trickle out — all the facts about his business,” Williams said. “And then he was just more or less openly sharing with us. But even at that time, he was lying about all these little incidents where maybe he didn’t do the right thing.”

The hacker, who went by the name Aleks, is a Russian man in his mid-30s with a university education living in Siberia, Talos researchers determined. Aleks claimed to be a former IT professional who turned to hacking because he had difficulty supporting himself with “white-hat” security roles.

“He expressed a general sense of disappointment, at times even resentment, for not being properly appreciated within the Russian cyber industry,” Talos researchers wrote in the report.

Aleks primarily targeted victims using LockBit, an increasingly prevalent “ransomware-as-a-service” offering whose developers take a cut of every ransom that victims pay. His routine was simple: scan a victim’s internet-facing systems to identify which remote-access and web services it exposes, then look on dark-web markets, where login credentials stolen in other companies’ breaches are sold by other hackers, for employee passwords he could use to log in to those services and deploy LockBit’s malware.
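The pattern described above, a single source working through many employee accounts with leaked passwords until one works, leaves a recognizable trace in authentication logs. The following Python script is an added illustration for defenders and is not code from Talos, from the article, or from LockBit’s affiliates; the log format, the sample log lines, the 10-minute window and the five-account threshold are all assumptions made for the example.

```python
"""Detect credential stuffing / password spraying in an authentication log.

An affiliate reusing breached credentials typically tries many distinct
accounts from one source with few attempts each, then logs in once a
leaked password matches. This script flags sources that failed against
at least `min_accounts` distinct users within `window`, and reports any
account that source subsequently logged into successfully.

Added example; the log format and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, service, outcome, user, source IP.
# 203.0.113.5 sprays five accounts in 15 seconds and then gets into "frank";
# 198.51.100.7 retries one account (not a spray); 192.0.2.44 is benign.
SAMPLE_LOG = """\
2020-09-12T10:00:01Z vpn FAIL alice 203.0.113.5
2020-09-12T10:00:04Z vpn FAIL bob 203.0.113.5
2020-09-12T10:00:07Z vpn FAIL carol 203.0.113.5
2020-09-12T10:00:09Z vpn FAIL dave 203.0.113.5
2020-09-12T10:00:12Z vpn FAIL erin 203.0.113.5
2020-09-12T10:00:15Z vpn OK frank 203.0.113.5
2020-09-12T10:05:00Z vpn FAIL alice 198.51.100.7
2020-09-12T10:05:30Z vpn FAIL alice 198.51.100.7
2020-09-12T10:06:00Z vpn OK alice 198.51.100.7
2020-09-12T11:00:00Z owa OK grace 192.0.2.44
"""


def parse_line(line):
    """Parse one line of the assumed log format into a dict."""
    ts, service, outcome, user, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "ok": outcome == "OK",
        "user": user,
        "src": src,
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: finding} for sources that look like credential sprays.

    A source is flagged once its failed logins within a sliding `window`
    cover at least `min_accounts` distinct users. Any successful login from
    that source after it was flagged is recorded as a compromised account.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent_fails = deque()   # failures inside the sliding window
        tried = set()            # every account this source failed against
        spraying = False
        compromised = []
        for ev in events:
            if not ev["ok"]:
                recent_fails.append(ev)
                tried.add(ev["user"])
                # Drop failures that have aged out of the window.
                while recent_fails and ev["ts"] - recent_fails[0]["ts"] > window:
                    recent_fails.popleft()
                if len({e["user"] for e in recent_fails}) >= min_accounts:
                    spraying = True
            elif spraying:
                # A success after the spray was detected: the leaked
                # password for this account was valid.
                compromised.append(ev["user"])
        if spraying:
            findings[src] = {
                "accounts_tried": len(tried),
                "compromised": compromised,
                "services": sorted({e["service"] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(SAMPLE_LOG).items():
        print(src, finding)
```

On the sample log this flags only 203.0.113.5, with five accounts tried and “frank” compromised; the repeated failures from 198.51.100.7 against one account are a different pattern (brute force on a single user) and are deliberately left to a separate rule. In practice the real defence against this access route is multi-factor authentication on every exposed service, so that a leaked password alone is not enough to log in.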

Unlike sophisticated nation-state hackers that look to exploit brand-new, unpatched vulnerabilities, Aleks typically went after publicly documented security issues for which fixes were already available, meaning in most cases his victims would have been protected against his attacks if they had regularly installed software updates.

This illustrates how easy it can be for cybercriminals to use readily available ransomware-as-a-service tools to make money, suggesting that the rate of ransomware attacks will continue to rise as long as those tools are available with few barriers to entry.

Aleks told researchers that he primarily targets US organizations, especially government agencies that are likely to have cyber insurance policies because they’re more likely to pay ransoms.

Aleks seemed intent on convincing Talos researchers that he was guided by ethics and primarily wanted to teach victims a lesson about their cyber weaknesses. He also claimed that he didn’t target hospitals. But according to Williams, Aleks subsequently gave away details that contradicted that claim: For instance, he divulged that hospitals were more likely to pay ransoms than other organizations, apparently speaking from experience.

“They would say things like, they would never target the medical industry, and describe scenarios that painted them in a great ethical light,” Williams said. “Meanwhile, we had concrete proof that none of that was true.”

The episode shows how free-wheeling hackers can be guided by economic circumstances to participate in major cybercrimes, Williams said. It also shows how ostensible moral obligations to avoid targeting healthcare institutions can be easily outweighed by the ability to easily turn a profit.

Healthcare organizations and government agencies are prime targets for ransomware attacks because they’re the most likely to pay ransoms rather than wait hackers out. Local government agencies also typically have low or nonexistent cybersecurity budgets, making them susceptible to attacks. The number of government agencies, schools, and healthcare providers affected by ransomware attacks rose from 966 in 2019 to 2,354 in 2020, according to the security firm Emsisoft.
