One of the most unexpected trends of recent years is the way ransomware has turned high-impact cybercrime incidents into a public spectacle.
For ransomware criminals, the more public the better. Extra publicity equals more embarrassment for the victim, which even if it doesn’t result in a ransom being paid serves as a warning to future victims.
Public Exposure
For organizations being ransomed, there are really only three ways to approach public exposure. The first—and until recently the default option—is to pay the ransom and hope (probably in vain) that this keeps the attack private.
The second is to ignore the demand and take the consequences on the chin, which today usually means expecting your company name and sample data to be posted on Telegram or the dark web.
The third—let’s call this the rare brave approach—is to be as transparent as possible about what has happened in an effort to impose order on the narrative (the famous example of this approach is how aluminum company Norsk Hydro reacted after being hit by a major attack in 2019).
Black Box Mystique
None of this explains how criminals have become the people with more to say in public about their attacks than either the victims or the police whose job it is to stop them. This possibility wasn’t on anyone’s radar 15 years ago. Commercial cybercrime back then was inscrutable by design. That was the point—cybercrime was all about black box mystique.
What changed things was hacktivism, a cyberattack attack crafted specifically to grab attention, sometimes out of proportion to its real effect. The insight of the hacktivists was to notice how easy attention was to grab, especially from journalists, an occupation which functions symbiotically with anyone looking for attention.
Who might be gaining the most from this relationship today?
According to security company Sophos, ransomware groups are increasingly using journalists and bloggers as a publicity asset. Where their predecessors stuck to the shadows, these days ransomware gangs bother to publish FAQs for anyone visiting leak sites, complete with contact addresses for further questions or to offer themselves for interview. Writes Sophos:
“Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further ‘mythologize’ themselves.”
In effect, without realizing it, journalists have become part of the MO, a channel inadvertently promoting bad but newsworthy people. Sophos recommends:
“[Not] engaging with threat actors unless it’s in the public interest or provides actionable information and intelligence for defenders.”
The opposite argument is that exposing what ransomware gangs are up to fills an information vacuum in an area people still don’t know a lot about. The job of the journalist is to reveal and explain, not judge—that’s something for criminal justice.
Arguably, the problem here is not about traditional journalism at all. In the last 20 years, the number of people covering cybercrime has boomed, taking coverage far beyond the realm of trained news gatherers.
If one journalist won’t cover a ransomware group, there are plenty of amateurs and self-starters out there who will. Unfortunately, there’s no getting away from this democratization of news. Today, everyone can have a go—at the crime itself but also at writing about it.