The 5 Motives of Ransomware

Thursday, January 04, 2018

Joseph Carson


When 2017 began, we knew that ransomware  was going to be a major topic. However, who would have foreseen the impact of both WannaCry and NotPetya? 

WannaCry hit the world on May 12, infecting more than 230,000 systems in over 150 countries. In the process, it caused havoc in the UK’s National Health Service, using the EternalBlue exploit that was part of the Vault7 leak of the U.S. National Security Agency (NSA) offensive tools. The impact was huge, causing many disruptions around the world and highlighted the importance of patching systems with security updates. 

Was the lesson learned? The answer is no.

Shortly after WannaCry, we were introduced to NotPetya in late June, this time escalating out of the Ukraine and quickly cascading around the world, impacting system after system. This caused major issues with energy companies, transportation, medical, power grid, bus stations, airports and banks. 

The financial gain from both variants of ransomware was quite low with approximately a combined total of $150k compared to older variants, such as Zeus, that claimed more than $100 million. 

In my experience in digital forensics, I have always been taught to follow two things when trying to understand cybercrime and that is to follow the motive or follow the money. Either or both will lead to the criminal. In both WannaCry and NotPetya, it looks like the motive was not the financial part of the crime or that the payload and financial portion has been constructed by two different groups or cybercriminals. 

When we look at the motives of those who use ransomware, it is usually the following:  

  • Destructive – This means they do not care about the financial reward it is purely to cause disruption and fear. Of course, the cybercriminals may decide to take the financial takings if it is untraceable. 
  • Financial Motivation – This is to get as much financial reward as possible and usually to ransom is a premium to get the data or access back. 
  • Cryptocurrency Manipulation – Knowing that ransomware usually requires payment in the form of cryptocurrencies and that the value is derived from the number of wallets you could use ransomware to cause a significant increase in value.  The best way to get away with the crime is to make money legally.
  • Disguise Real Motive– This is usually to hide the real crime. After committing a cybercrime and you need to hide your traces, what better way to do it is to cause disruption with a ransomware. While the world is racing to keep secure and reduce the impact, cybercriminals have escaped from the real crime, hiding traces of what happened. Make a disaster or catastrophe to cover tracks.
  • Misdirection – Like disguising, the real motive is similar to a trick used by magicians to get your eyes to focus on something else. I believe we have seen examples of this in the recent nation state attacks in which if you leave breadcrumbs that lead the investigators to focus time on another country when in fact it was attributed by another. This is quite common in cybercrime in the hope that time will prevent the true criminal from being found.     

I will leave you to consider what the real purposes of recent ransomware threats have been. However, remember it can also be a combination of multiple threat actors involved with different motives. 

Remember: It is always important to step back and think if this was your crime how would you have done it. Sometimes it's crucial to be able to think and look at the world through the eyes a hacker or cybercriminal.

About the author: Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic.

Possibly Related Articles:
Infosec Island Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General
Ransomware cybercrime WannaCry NotPetya
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.