Hypocrisy doublespeak in ransomware gangs

Sergio de los Santos    14 July, 2022
Photo: Tyler Daviaux / Unsplash.

The hypocrisy, doublespeak and even, we assume, sarcasm that ransomware gangs display on their websites has no limits. As an anecdote, we are going to show some of the statements or terms used by ransomware gangs to justify their services, as if it were not a full-fledged illegal extortion.

We assume that the intention of the attackers is similar to classic mafias. Far from outwardly acknowledging their illegal activity, the intention is to cloak the attack in some (albeit perverse) logic in which the victim becomes a “client” of the ransomware gang or even guilty of the extortion itself for not caring about their data or infrastructure.

Here are a few examples after taking a look at their websites

Babuk, a double standard

They attack everything they can and are very active and popular. They have a special grudge against Elon Musk. If they were to get into his systems, they would publish it without negotiation, they say. But they have a red line: hospitals, NGOs, schools and small companies with profits of less than 4 million. Interesting difference that is not found in many other groups.

Image: Organisations safe from Babuk
Image: Organisations safe from Babuk

Babuk spend a lot of time “justifying themselves”.

Image: Babuk's philosophy
Image: Babuk’s philosophy

They call themselves cyberpunks who go around ” testing cybersecurity”. Of course, they literally call themselves “specialised, non-malicious software that exposes a company’s cybersecurity problems”. They add that their “audit” is not the worst thing that could happen, and that it would be much worse if fanatic terrorists who don’t just want money, like them, were to attack the infrastructure.

Lorenz, nothing personal

They don’t talk about their morals; they attack as much as they can. On their blog they keep a slot with the attacked companies that have paid (and therefore removed their data), and others with the data published for not having paid.

Image: slots for future or victims who have already paid
Image: slots for future or victims who have already paid

But they remind on their website that of course, it is nothing personal. Just business.

LV, you are the one to blame

If LV attacks the company, encrypts and steals the data and ends up displaying it on its website, it is the victim’s fault for not having fulfilled their obligations and refusing to correct their failures. They have preferred to sell the company’s own data and that of its customers. This is the cynical message of this gang that blames the victim as if they had done something wrong.

It is worth remembering here that ransomware gangs do not always exploit security flaws: they use all sorts of techniques, such as extorting workers to get the data they need for the theft.

Image: LV says the victim is careless
Image: LV says the victim is careless

LockBit, the most professional

They are so professional that they recently announced a Bug Bounty of their own in which they could award up to a million dollars just for finding bugs in their infrastructure. They are very active and very good at marketing themselves as an affiliate campaign for ransomware, with very advanced encryption and exfiltration software, fast and very serious about their business. That’s what they say. On their FAQ page, we can find statements like these.

Image: What to target and what not to target
Image: What to target and what not to target

Neither they nor their affiliates can encrypt critical systems such as nuclear plants, pipelines, etc. They can steal information, but not encrypt it. They can steal information, but not encrypt it. If in doubt, they can contact the organisation’s helpdesk. They are also not allowed to attack post-Soviet countries, although this has long been common in malware.

They do allow NGOs without problems, and educational institutions as long as they are not public. They recommend not attacking hospitals if they can cause deaths. And they encourage attacking as much law enforcement as possible, because they say they don’t appreciate the important work they do in raising awareness of cybersecurity.

If the victim doesn’t pay up, they promise to store the stolen company data available on their blog for as long as possible, so they can learn. And so that they can’t take down this website they maintain a very robust antiDDoS system with dozens of mirrors as well as the aforementioned bug bounty to find potential flaws in their encryption system that could allow access to the data without paying.

Bl@cktor, the ransomware gang that claims not to be one

It’s not that they’re a ransomware gang, it’s that they love to go around looking at vulnerable companies, break into their systems, and ask for ransom money. But they don’t mean any harm… unless you don’t pay, of course.

Image: Bl@ckt0r, neither numbers nor deletes
Image: Bl@ckt0r, neither numbers nor deletes

And they don’t lie. They don’t actually encrypt anything; they leak the data directly and sell it. This way they do not break business continuity. According to them, a bargain for their services as they have alerted about potential security breaches.

They also seem to have a lot of resources to make everyone aware that the data has been stolen. For instance, contacts in the media. Hospitals, of course, are not touched.

Main image: Tyler Daviaux / Unsplash.

* * *

How Lokibot, the malware used by Machete to steal information and login credentials, works
Sergio de los Santos
Sergio de los Santos

Innovation and Labs Leader at Telefónica Tech. He holds a bachelor’s degree in Computer System Engineering and a master’s degree in Software Engineering and Artificial Intelligence from the University of Málaga.

Other posts you may be interested in

Leave a Reply

Your email address will not be published. Required fields are marked *