The clowns and fools behind ransomware attacks

• Instead, they're usually battling a group of hackers who lack impulse control and love power, experts say."

What they're saying: "Most criminals are fragile, but the cyber ones are the most self-centered, the most egotistical," James Turgal, a former FBI agent, tells Axios.

• "'There's no honor among thieves,'" Turgal adds. "That old saying is absolutely consistent with the modern-day cybercriminal."

Driving the news: Insurance billing tool Change Healthcare has entered its third week of service disruptions following a ransomware attack on Feb. 21.

• But this week, the ransomware gang behind the attack self-imploded while trying to scam its members out of their share of Change Healthcare's reported $22 million ransom payment.
• After a freelance hacker posted on a dark web forum that they hadn't received their payment, ALPHV (also known as BlackCat) claimed it had been seized by law enforcement and forced to shut down.
• However, law enforcement agencies have said they actually didn't take the group down — again.
• Change Healthcare has not commented on whether it paid a ransom.

The big picture: Cybercriminals have long been willing to scam one another and rat each other out to get ahead.

• A 2022 report from Sophos found that cybercriminals on three dark web forums lost at least $2.5 million to scams in the course of a year.
• REvil, a now-defunct ransomware group, reportedly cheated its own freelance hackers out of payments in 2021.
• Shortly after Russia invaded Ukraine in early 2022, a member of the Conti ransomware gang leaked a trove of internal files about the group's inner workings.

Zoom out: Entry-level hackers have become more valuable in the last five years as the ransomware-as-a-service model has taken over the criminal underground, says Turgal, who is now vice president of cyber risk at Optiv.

• These hackers can lease out a ransomware developer's malware to use in their own attacks, and everyone splits whatever victim payments come in.
• "They are a much younger demographic," Turgal says. "They're a 20-something who has been coding all their life ... and that totally feeds their egos."

• But this splintering between ransomware operators and these freelance hackers has prompted constant in-fighting on dark web forums, Kurtis Minder, CEO of ransomware negotiation firm GroupSense, tells Axios.

Between the lines: Victims still think they're up against a far savvier adversary when facing a ransomware attack, Minder says.

• "The unfortunate story is that you don't have to be a cyber genius" to conduct a ransomware attack, he says.
• This perception can prompt victims to pay millions of dollars, with the hope that gangs will unlock their systems and delete any stolen data.
• Even after victims pay up, hackers don't always delete stolen information — as seen in the evidence uncovered in a recent law enforcement takedown of the LockBit gang.

Yes, but: If ransomware gangs keep refusing to delete data and unlock systems, eventually victim companies might learn and stop paying them, Christopher Budd, head of Sophos' X-Ops team, tells Axios.

• Getting to that point will likely take "a series of catalyzing moments," he adds.
• "You have to shake people out of the five stages of grief, you have to shake them out of denial and get them moving forward," Budd says.