The ransomware infection that disrupted Hollywood Presbyterian Medical Center in 2016 and the worldwide WannaCry attack in 2017 caused an ethical and philosophical rift among members of the Russian and Eastern European cybercriminal community, according to a new report.
Based on an analysis of dark-web chatter conducted by Flashpoint and Anomali, both of these ransomware incidents crossed a line with certain cybercrime forum administrators and members, causing them to condemn the attacks and in at least one case even call for the banning of ransomware. Others showed no mercy, asserting that ransomware is a lucrative business, and the end justifies the means.
Those who disavowed or showed distaste for ransomware following the attacks often did so for one of two key reasons: the potential of causing actual physical harm to individuals, and the negative impact that ransomware incidents could have on their future business prospects.
Concerns over causing physical harm emerged after the February 2016 Hollywood hospital attack, which disabled computer systems at the medical facility, affecting daily operations and forcing administrators to transfer some patients elsewhere.
According to the report, a "majority" of the Russian and Eastern European cybercriminal community condemned the attack, with one reputable member of a top-tier Russian cybercrime forum declaring, “From the bottom of my heart, I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with [the ransomware]…”
However, others were unmoved, with one forum member arguing that, ultimately, the attack worked, as the hospital paid the $17,000 (or 40 bitcoin) ransom.
The May 2017 WannaCry attack also triggered a new round of ethical debates. But on a more pragmatic level, cybercriminals also expressed concern that ransomware attacks were become too high-profile and could ultimately damage their other revenue streams.
"We're digging our own grave," lamented one threat actor, who suggested prohibiting ransomware from cybercriminal forums. Nearly half of the responses to this comment – 48.5 percent – were in favor of such a ban.
The individual also griped that the ransomware business lacks sophistication, noting that it's "built not on intelligence and mental dexterity, but on brute-force and luck.”
Researchers also observed cybercriminals expressing concern that ransomware attacks could easily inflict damage on organizations in Russia and other former Soviet nations comprising the Commonwealth of Independent States (CIS). If that happens, Russian authorities could crack down heavily on local cybercriminal forums, which experts say are normally left alone as long as CIS assets are not impacted.
Again, not all forum members agreed, with one threat actor calling one's use of ransomware, including who gets victimized, a personal decision.
“There is only one rule: don't target Russia," the actor said.
The WannaCry and the hospital attacks were not the only incidents to create a divide between cybercriminals. "The NotPetya ransomware outbreak also contributed to the rift due to its significant impact on Russian individuals and institutions," said Vitali Kremez, director of research at Flashpoint, in an email interview with SC Media.
Kremez suggested that the WannaCry and NotPetya attacks could even impact how cybercriminal forums operate moving forward.
"By and large, the WannaCry and [NotPetya] ransomware attacks will likely cause underground administrators to more strictly enforce the rule about not targeting Russia in regards to ransomware sold on Eastern European underground forums," continued Kremez, who authored the report along with Anomali's director of security strategy Travis Farral. "Ransomware may also continue to fall under scrutiny within cybercrime communities if it attracts the attention of the Russian government and causes that government to increase measures to monitor and collect telecommunications data from such communities.