In April 2021 the Babuk ransomware gang, already a concerning entity, gained additional notoriety for compromising the Washington, DC police department. As part of this incident, the criminals threatened to release confidential files relating to police operations in order to spur payment. The group had earlier drawn attention for a failed ransomware decryptor followed by a crude public relations campaign advertising a “fix” for their own malicious software. This “flair” for public communication grew in late April 2021 when a member of the gang gave an interview to the Polish information security publication Sekurak.

Interviews with ransomware operators, even during active intrusions, are not novel. For example, multiple BleepingComputer articles from 2020 reference direct conversations, if not formal interviews, with ransomware operators. In 2021 matters became more interesting as information security companies, specifically Cisco Talos and Recorded Future, conducted lengthy interviews with active ransomware operators. While the latter raises especially strange questions about the roles and responsibilities of security vendors with respect to direct interaction with active, malicious threat actors, the overall trend in public reporting is clear: an increasing willingness (if not outright desire) to engage criminal entities directly so that they can provide further information and “tell their side of the story.”

When I raised this question publicly, namely whether media should engage with, or at least cover, ransomware gangs, I was met with varied (and often enlightening) responses justifying the practice. The simple observation that media have always covered criminal entities (including via interviews) does not really suffice as an answer: the fact that something has always been done does not show that it is right or good. Other responses were more interesting. Specifically, Joe Uchill observed, regarding media interactions with Guccifer 2.0, that a number of articles (including interviews) by Lorenzo Franceschi-Bicchierai, together with analysis performed by Kevin Collier in conjunction with ThreatConnect, were instrumental in providing public, accessible evidence linking the persona to Russian intelligence operations. Media interactions, including direct interviews and conversations with the entity, were necessary to gather the evidence supporting the subsequent claims and analysis. Absent a willingness to engage with the threat actor, such discoveries would have had to wait for the information in the (much later) US Department of Justice indictments.

I am very sympathetic to this argument for the value of journalism, and find myself agreeing with it. Yet the argument requires further clarification. In the Guccifer 2.0 case, Messrs. Uchill, Franceschi-Bicchierai, and Collier did not passively provide a platform for the entity to make its claims. Instead, these journalists aggressively tested the entity’s statements and persona, from checking its claimed Romanian origins via an impromptu language test to exploring technical connections to Russian networks, and arrived at a truly valuable story: the entity was not a private hacktivist but a cut-out for government-sponsored disinformation operations. Done in this fashion, journalism, as a means of getting closer to and exposing the truth about events, can be exceptionally valuable and will in many cases require some degree of interfacing with malicious entities.

Yet this argument falls apart when journalism shifts from active investigation aimed at something near “truth” and decays into merely providing a platform for the entity in question to speak. In the latter case, “journalism” becomes a vector for amplification or for “humanizing” a subject absent any critique or analysis. While this may be benign, or at least not concerning, when covering fairly straightforward matters, it becomes problematic quickly when dealing with entities strongly incentivized to distort or mask the truth. When interaction with such entities becomes casual, polite conversation rather than analysis and investigation of the criminals, we, as information consumers, should question the value and utility of such “reporting.”

There is a cynical argument to be made that such casual conversations are simply “part of one’s job,” and are no different from the “puff pieces” written about other figures of public interest, from celebrities to politicians. Yet given the clearly disruptive and actively harmful impact ransomware thugs have on society, a higher bar appears not only desirable but, within the schema of wider professional ethics, necessary. Simply letting these entities “talk” not only gives them a wider platform to gain notoriety, but also enables these deceitful entities to mold popular perception in their favor. For example, the recent Polish article on Babuk allows the criminal to make the following claim (translated from Polish to English):

“We will not attack government entities anymore because we do not want to cause a conflict between the Russian Federation and the United States.”

sekurak.pl

Along with other statements about purpose, motivation, and targeting, such claims are typically left unexamined. As a result, criminal, disruptive entities are free to spin narratives such as the altruistic claim above of not wanting to inflame US-RU relations. The claim may be true, but no follow-up probes its sincerity or accuracy. In nearly any of the “popular” ransomware interviews, the rigor displayed in Franceschi-Bicchierai’s work on Guccifer 2.0 is completely absent; these interviews become passive listening exercises.

Occasionally, as some media members have pointed out, such disclosures can prove valuable in gaining further insight into criminal behaviors or in identifying cases where victims have been less than truthful in their public descriptions of an incident’s impact. Yet I would caution that such items must be treated very carefully, require vetting, and cannot simply be repeated absent thorough analysis. As implied multiple times throughout this article, the entity in question is a criminal, disruptive presence with two primary goals: first, not to get caught; second, to make as much money as possible through its activities. Any claim coming from such criminals should therefore be treated as suspect and likely manipulative in nature. Simply providing a “sounding board” to hear the criminal’s “perspective” merely provides another vector for messaging, “branding,” and potential monetization.

Overall, journalists and others need to report on items of public interest such as ransomware. As part of such reporting, opportunities arise to interact with actual perpetrators. When they do, a combination of wariness and professional ethics should ensure that such interactions are treated with suspicion and require far more than simply letting the subject speak. Failure to do so not only represents a lazy kind of journalism, but also allows these entities to control their own publicity and messaging, when we should be doing all in our power to disadvantage these thugs at every turn.