Updated Mar 9, 2024 - Technology

The clowns and fools behind ransomware attacks

Illustration of a cartoon number zero and number one with their hands up in a police spotlight.

Illustration: Aïda Amer/Axios

The hackers behind devastating ransomware attacks are often just ego-driven, short-tempered coders who are willing to scam everyone, including each other, experts tell Axios.

Why it matters: Organizations facing a ransomware attack tend to believe they're up against organized criminal masterminds.

  • Instead, they're usually battling a group of hackers who lack impulse control and love power, experts say.

What they're saying: "Most criminals are fragile, but the cyber ones are the most self-centered, the most egotistical," James Turgal, a former FBI agent, tells Axios.

  • "'There's no honor among thieves,'" Turgal adds. "That old saying is absolutely consistent with the modern-day cybercriminal."

Driving the news: Insurance billing tool Change Healthcare has entered its third week of service disruptions following a ransomware attack on Feb. 21.

  • But this week, the ransomware gang behind the attack self-imploded while trying to scam its members out of their share of Change Healthcare's reported $22 million ransom payment.
  • After a freelance hacker posted on a dark web forum that they hadn't received their payment, ALPHV (also known as BlackCat) claimed it had been seized by law enforcement and forced to shut down.
  • However, law enforcement agencies have said they actually didn't take the group down — again.
  • Change Healthcare has not commented on whether it paid a ransom.

The big picture: Cybercriminals have long been willing to scam one another and rat each other out to get ahead.

  • A 2022 report from Sophos found that cybercriminals on three dark web forums lost at least $2.5 million to scams in the course of a year.
  • REvil, a now-defunct ransomware group, reportedly cheated its own freelance hackers out of payments in 2021.
  • Shortly after Russia invaded Ukraine in early 2022, a member of the Conti ransomware gang leaked a trove of internal files about the group's inner workings.

Zoom out: Entry-level hackers have become more valuable in the last five years as the ransomware-as-a-service model has taken over the criminal underground, says Turgal, who is now vice president of cyber risk at Optiv.

  • These hackers can lease out a ransomware developer's malware to use in their own attacks, and everyone splits whatever victim payments come in.
  • "They are a much younger demographic," Turgal says. "They're a 20-something who has been coding all their life ... and that totally feeds their egos."
  • But this splintering between ransomware operators and these freelance hackers has prompted constant in-fighting on dark web forums, Kurtis Minder, CEO of ransomware negotiation firm GroupSense, tells Axios.

Between the lines: Victims still think they're up against a far savvier adversary when facing a ransomware attack, Minder says.

  • "The unfortunate story is that you don't have to be a cyber genius" to conduct a ransomware attack, he says.
  • This perception can prompt victims to pay millions of dollars, with the hope that gangs will unlock their systems and delete any stolen data.
  • Even after victims pay up, hackers don't always delete stolen information — as seen in the evidence uncovered in a recent law enforcement takedown of the LockBit gang.

Yes, but: If ransomware gangs keep refusing to delete data and unlock systems, eventually victim companies might learn and stop paying them, Christopher Budd, head of Sophos' X-Ops team, tells Axios.

  • Getting to that point will likely take "a series of catalyzing moments," he adds.
  • "You have to shake people out of the five stages of grief, you have to shake them out of denial and get them moving forward," Budd says.