Fascinating interview with a ransomware designer
-
From a Matt Levine newsletter; the commentary surrounding the interview is his.
Interview with a hacker
A story that you see a lot in the broad financial-technology sector is that some brash startup comes in with some simple business model that relies on (1) building good technology and (2) not worrying too much about the legal and reputational concerns that hold back legacy players. In fact the startup emphasizes its rebelliousness and thumbs its nose at staid confused regulators. And then the brash startup gets in trouble and sheepishly pivots or slinks away, and a second generation of startups arises that learns the technological and user-experience lessons of the first generation but also pays attention to compliance, works with regulators, and generally tries to present itself as a good and reputable business rather than a bunch of wild outlaws.
The ransomware industry is not quite like that, in that the entire business is crime. But nor is it quite not like that? Here is a delightful “interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil” conducted by analyst Dmitry Smilyanets. From the introduction:
Named BlackMatter, the gang said it was specifically interested in targeting large companies with annual revenues of more than $100 million. However, the group said some industries were off limits: It would not extort healthcare, critical infrastructure, oil and gas, defense, non-profit, and government organizations.
We have talked before about the compliance function at ransomware firms: If you make ransomware, you want it to be used to hack big companies that can pay big ransoms, but you don’t want it to be used on hacks that are too big, because then you will attract unwanted attention and bring down the full force of the U.S. government on you. You have to vet your targets carefully. And ransomware seems to work largely on a franchising model, where groups like BlackMatter mostly build software that is then deployed by independent licensees, so you have to vet your clients carefully too. You want to provide your software to criminals, sure, but you need to screen the criminals to make sure that they are competent and ambitious, but not too ambitious. It is all sort of like a normal company. And sort of not.
Anyway the interview spends a lot of time on these sorts of compliance-function questions:
[Dmitry Smilyanets]: Most recently, the largest groups—DarkSide, REvil, Avaddon, BABUK—have disappeared from the scene. Many researchers believe that this was due to the attention of the top leadership of the United States and Russia to the situation with ransomware attacks. Is it true? Do you think your product will have the same fate?
[BlackMatter]: Yes, we believe that to a large extent their exit from the market was associated with the geopolitical situation on the world stage. First of all, this is the fear of the United States and its planning of offensive cyber operations, as well as a bilateral working group on cyber extortion. We are monitoring the political situation, as well as receiving information from other sources. When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us. …
DS: I have already seen several recruiting announcements for your team. How many penetration testers would you like to recruit? Is it easier to work with a small but strong team, or with an army of script kiddies?
BM: We are geared at strong, self-sufficient teams with experience, their own technical solutions, and a real desire to make money, not someone who wants to try the business out. We usually filter out script kiddies before they get access to our admin panel. …
DS: What do you think about the attacks carried out against Colonial Pipeline’s infrastructure or JBS? Does it make sense to attack such large networks?
BM: We think that this was a key factor for the closure of REvil and DarkSide; we have forbidden that type of targeting and we see no sense in attacking them.
But there is also a certain amount on just the nuts and bolts of ransomware design:
DS: Are you planning to add new features to the product, following the example of StealBit?
BM: Yes, the software is constantly being improved, in terms of the new functions that will appear in the near future—printing the text of the note on all available printers. We also watch our competitors and always implement what we consider promising and in demand by our clients.
If you seize control of a company’s computers and encrypt all of its files, you have to tell the company that you’ve done that. A pop-up message on every screen saying “hahaha we locked your files, send us Bitcoin” is useful, but printing a similar message on every printer on the network is a good redundancy? I don’t know, I am not an expert in ransomware user-experience design, but the point is that these guys are. That is just a thing that you can be an expert in, and there is a competitive market for good ransomware design.
Also here’s a good question with a good answer:
DS: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at destructive activities? Have you tried legal penetration testing?
BM: We do not deny that business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development. There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data. We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.
I can’t fault the logic. Why do you use your hacking talents for crime, rather than legally helping companies identify and eliminate vulnerabilities? Well, see, crime pays better. “There is one life and we take everything from it.”
-
@jon-nyc said in Fascinating interview with a ransomware designer:
There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies,
"There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies":
What a self-righteous prick.
-
@jon-nyc said in Fascinating interview with a ransomware designer:
our business does not harm individuals and is aimed only at companies
Mitt Romney needs to give him a talking to.