LockBit ransomware operator: ‘For a cybercriminal, the best country is Russia’

A lone ransomware operator explains why they went down a criminal path.

A LockBit ransomware controller has given researchers a glimpse into lone-wolf operations and the reasons why he chose to go down a criminal route. 

In an interview this week with the Cisco Talos cybersecurity team (.PDF), an operator of LockBit explained his modus operandi, his preferred targets, tool use, and why it is difficult to become a white-hat specialist in his thought-to-be country of residence, Russia. 

Ransomware has become a serious threat to the enterprise in recent years. While ransomware can cause personal devastation to individuals who suddenly find themselves locked out of their PCs and with little recourse to recovering their files unless they pay a ransom demand in return for a decryption key -- usually required in cryptocurrency such as Bitcoin (BTC) -- businesses face consequences that can be far worse. 

Once a ransomware variant has infiltrated a corporate network and has finished its encryption spree, victims are faced with disruption and may be forced to suspend core services. If backups are not readily available, cybercriminals can potentially demand thousands and thousands of dollars, on pain of either keeping resources encrypted or potentially leaking sensitive corporate data. 

According to Coveware, the average payout decreased in Q4 2020 to $154,108 in comparison to $233,817 in the third quarter. However, as long as organizations give in and pay up, the ransomware market will remain lucrative. 

During Cisco Talos' interview with the LockBit operator, referred to as "Aleks" and thought to be located in the Siberian region of Russia, he claimed to be self-taught in skills including penetration testing, network security, and reconnaissance. 

Aleks, believed to be in his early 30s, secured a job with an IT company while finishing a university degree, but demonstrated "a general sense of disappointment, at times even resentment, for not being properly appreciated within the Russian cyber industry," Talos says. 

"His frustration was evident during our conversations, with him disparaging several well-known Russian cybersecurity companies," the interview reads. "He also remarked that, "In the West, I would probably work in white [hat security] and earn easily…" suggesting that his perceived underappreciation and low wages drove him to participate in unethical and criminal behavior."

Several examples of such "underappreciation" were noted, including being rebuffed when he reported security issues in websites, including a Russian social network. His "well-intentioned efforts were ignored," Aleks claimed, which further drove him down a cybercriminal path. 

However, even if your country does not appreciate legitimate researchers, there is still the option of participating in bug bounties -- and there is a demand globally for assistance in securing online assets. 

The LockBit operator appears to be disillusioned with this industry, telling Talos that companies are doing their best to forgo paying bug bounty hunters for their findings. 

"This stands completely at odds with our professional observations from the security community," the researchers noted. "It may be the case that Aleks chooses to view vulnerability programs through this lens to account for his own decision to not participate in them or because he has heard inaccurate stories from other threat actors."

His motives for becoming a ransomware operator, however, do not seem to be purely financial. During the interview, Aleks said that while ransomware is profitable, he also wanted to "teach" companies the "consequence of not properly securing their data."

Aleks also said that "for a cybercriminal, the best country is Russia," and victim organizations in the United States and Europe "will pay quicker and more" than targets in post-Soviet states. 

The threat actor claimed that when it comes to organizations with cyberinsurance, a payout is "all but guaranteed," and in Europe, companies are also under more pressure to pay as they are "scared" of the consequences of violating the EU's GDPR data protection regulations.

"It is not unusual for criminals to view their own actions as justifiable after the fact even if there was no real moral ambiguity to the crime," Cisco Talos concluded. "In this case, the lack of jobs that meet his satisfaction, appears to be the introductory course to cybercrime. His feelings of underappreciation, resentment, and economic incentive are common motivators of illicit cyber activity, and his story, as portrayed to us, illustrates how one could be driven toward cybercrime."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0