[BreachExchange] The 5 Motives of Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 8 20:22:07 EST 2018


When 2017 began, we knew that ransomware was going to be a major topic.
However, who would have foreseen the impact of both WannaCry and NotPetya?

WannaCry hit the world on May 12, infecting more than 230,000 systems in
over 150 countries. In the process, it caused havoc in the UK's National
Health Service, spreading with the EternalBlue exploit that was part of the
Shadow Brokers leak of U.S. National Security Agency (NSA) offensive tools.
The impact was huge, causing many disruptions around the world and
highlighting the importance of patching systems with security updates.

Was the lesson learned? The answer is no.

Shortly after WannaCry, we were introduced to NotPetya in late June, this
time spreading out of Ukraine and quickly cascading around the world,
impacting system after system. This caused major issues with energy
companies, transportation, medical, power grid, bus stations, airports and

The financial gain from both variants of ransomware was quite low, at
approximately $150k combined, compared to older, financially motivated
malware such as the Zeus banking trojan, which claimed more than $100
million.

In my experience in digital forensics, I have always been taught to follow
two things when trying to understand cybercrime: follow the motive or follow
the money. Either or both will lead to the criminal. In both WannaCry and
NotPetya, it looks like the motive was not the financial part of the crime,
or that the payload and the financial portion have been constructed by two
different groups or cybercriminals.

When we look at the motives of those who use ransomware, it is usually the

- Destructive – The actors do not care about the financial reward; the aim
is purely to cause disruption and fear. Of course, the cybercriminals may
still decide to take the payments if they are untraceable.
- Financial Motivation – The aim is to get as much financial reward as
possible; usually the ransom is a premium charged to get the data or access
back.
- Cryptocurrency Manipulation – Knowing that ransomware usually requires
payment in cryptocurrency and that its price moves with demand, you could
use ransomware to cause a significant increase in value. The best way to
get away with the crime is to make the money legally.
- Disguise Real Motive – This is usually to hide the real crime. After
committing a cybercrime, if you need to hide your traces, what better way
than to cause disruption with ransomware? While the world is racing to stay
secure and reduce the impact, the cybercriminals have escaped from the real
crime, with the traces of what happened hidden or destroyed. Create a
disaster or catastrophe to cover your tracks.
- Misdirection – Like disguising the real motive, this is similar to a trick
used by magicians to get your eyes to focus on something else. I believe we
have seen examples of this in the recent nation-state attacks, in which
breadcrumbs are left that lead investigators to spend time on one country
when in fact the attack should be attributed to another. This is quite
common in cybercrime, in the hope that time will prevent the true criminal
from being

I will leave you to consider what the real purposes of recent ransomware
threats have been. However, remember that it can also be a combination of
multiple threat actors involved, each with different motives.

Remember: it is always important to step back and ask, if this were your
crime, how would you have done it? Sometimes it is crucial to be able to
think and look at the world through the eyes of a hacker or cybercriminal.