Ransomware groups such as LockBit have ethics policies, pledging to avoid certain sensitive victims - what's really going on?
Late last year, Canada’s largest children’s hospital, the Hospital for Sick Children, was hit by a cyberattack on several network systems.
The hospital warned that it would take weeks to get everything back up and running, with doctors unable to access lab and imaging results.
And this seems to have pricked the conscience of the ransomware group that carried out the attack, LockBit, which apologized for the disruption and announced it would release a free decryptor for the seized data.
"We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violates our rules, is blocked and is no longer in our affiliate program," the group said on Twitter.
It was presumably the fact that this was a children's hospital that prompted LockBit's gesture, given that the group has been perfectly happy to target other healthcare organizations in the past. It does, though, apparently have a policy that attacks on medical institutions which could lead to the death of patients are not acceptable.
And this isn't the first time that a ransomware group has apparently been affected by conscience. Nearly two years ago, the Conti gang relented after an attack on Ireland’s publicly funded health service, the HSE.
While the group warned that it would still sell or publish the stolen data if its $20 million ransom demands weren't met, it, too, offered the victim a free decryptor.
And in 2020, after the DoppelPaymer ransomware group apparently attacked the University Hospital Düsseldorf by mistake, believing it was the university itself, it withdrew its ransom demand and handed over a decryption key.
Ethical guidelines
In the case of LockBit, the group actually has a set of ethical guidelines distinguishing between legitimate and illegitimate targets.
Attacks on critical infrastructure are allowed only if data is stolen without encryption. Non-profits are seen as legitimate targets, as are private educational institutions.
However, reads the policy, "It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed."
The psychology of crime
So what's going on? Do these hackers really have a conscience?
According to Sykes’ and Matza’s highly regarded thesis of techniques of neutralization, criminals use five techniques to justify their behavior to themselves.
Through denial of responsibility, they perceive themselves as victims of circumstances, not responsible for their actions; denial of injury allows them to play down the effects.
Denial of the victim characterizes the victim as being deserving of the crime, while condemnation of the condemners sees the police or other authorities accused of being corrupt and unjust.
And finally, an appeal to higher loyalties sees the criminal claiming to have acted in the interest of others or under pressure from orders.
In the case of hacktivist groups, it's items four and five on the list that come into play. Best-known, and probably the largest, is Anonymous, which first came on the scene in 2003.
The group has been responsible for attacks on governments and organizations accused of censorship, with, for example, attacks on the Minneapolis police department website in 2020 following the death of George Floyd.
More recently, there has been a proliferation of attacks since Russia's invasion of Ukraine. On the one hand, pro-Russia groups are targeting national infrastructure with DDoS attacks.
As the FBI pointed out late last year, "Hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service."
The other side of this coin, however, is a major upswell in hacktivists acting in defense of Ukraine, not least from Ukraine's own IT Army, along with the Belarusian Cyber Partisans.
Meanwhile, in Central and South America, the Guacamaya hacktivist group last summer claimed to have hacked mining companies and leaked their internal emails in an effort to expose environmental damage.
Groups like this justify their activities to themselves and others through the fifth of Sykes’ and Matza’s techniques, with the hackers genuinely believing they're on the side of righteousness - the Russian ones included. But groups like LockBit? Not so much. Here, there's a bit more going on.
Sykes’ and Matza’s neutralization techniques are certainly coming into play, with the group appearing to be relying primarily on denial of the victim and denial of injury to justify most of its attacks.
However, far more important to the group is PR. LockBit, like one or two other criminal hacking groups, goes to great pains to appear professional. It's set up like a normal commercial organization, complete with an affiliate program, tech support, and professional ransom negotiators, and makes a point of assuring victims that, if they follow instructions, LockBit will go through with its part of the deal.
An ethics policy is all part and parcel of that, allowing the group to boost its reputation. And perhaps more significantly, it gives the impression that the organizers are actually in control of their affiliates — something that's increasingly difficult as the group continues its seemingly unending expansion.