Are Cybercriminals Evil or Greedy?

Are cybercriminals by nature evil? Only the 1930s pulp magazine hero The Shadow really knows “what evil lurks in the hearts” of cybercriminals. At first glance, it would appear there is a great deal of darkness in the hearts of malicious hackers. But that might not be the whole story – greed might be the primary motivator. Why does it matter if the bad guys are evil or primarily greedy? The reason is that motivation can impact the deterrent factor.

Evil Corp

The case for evil hackers starts with the monikers they adopt. The Chaos Computer Club, Legion of Doom and Masters of Destruction are historical examples. A contemporary organization that epitomizes ‘bad’ is the Russian cybercriminal syndicate branded as Evil Corp, which has been active since at least 2007. They are notorious, known as one of the largest purveyors of malware and spam botnet services. They distribute their own malware, but are also a delivery channel for others. It is estimated they have stolen roughly $100 million from businesses and consumers.

In December 2019, the U.S. Justice Department indicted two of Evil Corp’s leaders. Additionally, the FBI placed a $5 million bounty for information that leads to the arrest of Maksim Yakubets, aka ‘AQUA.’ Yakubets leads a team of at least 16 others who are believed to have stolen banking credentials from hundreds of organizations. It is interesting to note that Evil Corp, unlike other criminal gangs operating ransomware scams, is not participating in double extortion attacks that steal data and then threaten to release it if a ransom is not paid. Speculation is that Evil Corp, since it is already on the FBI’s Cyber Most Wanted List, wishes to avoid the additional scrutiny, especially in the media, that these double extortion operations tend to elicit.

Ransomware and Hospitals

“It’s truly vile that people are willing to go after hospitals,” one technician told Wired following an extensive ransomware attack. The indiscriminate ransomware attacks on hospitals provide a strong case that cyber outlaws are simply evil. Devastating results are possible following these ransomware attacks – emergency care is delayed as patients are diverted to more distant hospitals. Attacks that cripple access to medical records make it more difficult to see lab results, imaging scans, medication lists and other critical information required for proper health care.

Hospitals and other medical organizations are targeted because medical information is valuable, and the importance of returning to normal operations can lead to a quick ransom payoff. These targets also provide a much greater financial return. It is hard to determine if these attackers consider what they are doing evil. Many ransomware attacks are crimes of opportunity. The crooks send out thousands of emails, hoping someone will trigger the malware. These attacks also can be indiscriminate; given that the internet dehumanizes many aspects of interpersonal interactions, cybercriminals are less likely to see their deeds as evil.

Only Trying to Make a Living

The strongest argument that supports greed as a motivation is that many cybercriminals reside in poorer countries. Nigeria, for example, is one country often singled out for its online criminal activities. There is a history of scams and shady operations, from individual fraud to business email compromise attacks, emanating from that country. During the pandemic, Nigerian hackers have reportedly stolen hundreds of millions of dollars in state unemployment funds.

The primary reason behind these activities is to make money. Nigeria, the most populous nation in Africa, saw 23% unemployment in 2018. “I’m just trying to eat and feed my family,” said an unemployed Nigerian economics graduate. For poor people in many nations just trying to make a living, if that means stealing from those they believe have enough, that is OK with them.

You Can’t Deter Evil

This evidence leads to the conclusion that cybercrime is more often about acquiring wealth. There are those who are motivated by malice, but they are rare; most attackers are out for profit, in some manner. Even nation-state efforts have some type of business goal, either to steal secrets, technology or money.

However, the cybersecurity establishment generally reacts to these threats based on the perception that attackers, by nature, are evil. The industry must move beyond this idea of the evil perpetrator, which complicates and befuddles cybersecurity professionals. Acting on the belief that cyber marauders pillage because it is in their nature gives them much more power than they deserve. By that reasoning, no matter how many systems you put in place, you are not going to deter someone who is evil.  They are going to continue to assault available targets and cause havoc no matter what.

On the other hand, by responding to attackers as fellow businesspeople (however immoral), you can create a deterrent based on risk management, cost-benefit analysis and other business concepts. With an evil hacker, you need to put up as many defenses as possible because they will not stop trying. With a competitive adversary, you can create obstacles that can make future attacks cost-prohibitive or otherwise unattractive to them. By implementing best practices based on a logical security posture, you can create a robust and resilient architecture that will make the cost of an attack more than the value a cybercriminal would receive if they were successful. People tend not to put extra effort into something they know will not be financially rewarding. Cybercriminals will either move to more lucrative targets or find another line of work.

Charles Kolodgy

“Charles J. Kolodgy is a security strategist, visionary, forecaster, historian, educator, and advisor who has been involved in the cyber security field for over 25 years. He is an Analyst with Accelerated Strategies Group and Principal at Security Mindsets. His views and understanding of information and computer security were shaped during his years at the National Security Agency. During that time he held a variety of analyst and managerial positions within both the information assurance and operations directorates. Following NSA he was a Research Vice President covering security markets for IDC and then a Senior Security Strategist for IBM Security. Over the years he has identified market trends and authored numerous documents to explain market realities and has been a speaker at many security conferences and events, including the RSA Conference, CIO Conference, CEIG, and IANS. He has been widely quoted in the media. He is best known for naming and defining the Unified Threat Management (UTM) market which continues to be one of the strongest cyber security markets with vendor revenue of $3 billion per year. He has been a leading analyst on software security, encryption, and the human element. Charles holds a B.A. in Political Science from the University of Massachusetts at Lowell and an M.A. in National Security Studies from Georgetown University.”
