15 July 2022
Authors: Ivanche Dimitrievski, Adam Ridley and Diana Selck-Paulsson
This is the fourth part in a series on how cyber extortion (Cy-X) and ransomware threat actors make use of neutralization techniques to justify their malicious behavior.
The first part introduced our research approach and gave a more detailed overview of how neutralization theory can be applied to better understand the person or people participating in a crime. In the second part we looked at employments of the ‘denial of injury’ neutralization technique and showed how people engaging in this activity have sought to reframe and position their malicious behavior as a ‘business service’.
The focus of the third part was on how threat actors deny the existence of a victim or seek to diminish a victim’s claim to victimhood. We found that threat actors primarily did this by framing themselves as vigilantes or by blaming the victim for their own misfortune.
To justify their own deviant acts, criminals often shift the focus of attention to the motives and behavior of those who disapprove of their violations. ‘Judges are corrupt,’ they might say. This process is called ‘condemning the condemners’. It’s a type of neutralization technique, which people who participate in a crime use to forgo accepted norms temporarily without compromising societal morality (Sykes and Matza, 1957).
The validity of statements such as ‘judges are corrupt’ is not so important as their rhetorical function. Namely, by attacking others, the wrongfulness of the criminal’s own behavior is more easily repressed or lost to view.
Out of the 232 examined files, we identified this technique being used in 31 instances across 22 documents. This is low usage compared to the previous techniques of denying the injury or the victim, which had over 200 and 80 instances respectively.
Figure 1: Items in dataset containing ‘condemnation of the condemners’ neutralization
In what follows, we will present examples of how people engaging in this activity have sought to reposition their behavior in relation to the behaviors of others who condemn it. We will demonstrate some of the discursive strategies threat actors employ to ‘level the field’ in which they operate and consider some key implications of this behavior.
As has been the case in the previous entries to this series, please note that none of the quotes from threat actors have been edited for spelling, grammar, or syntax.
Threat actors’ condemnation attempts focused on members of the cybersecurity industry, journalists, governments, and institutions. In one set of materials, the neutralization consisted of negatively portraying the nature of these entities.
Thus, Babuk called journalists “sick heads” (Announcement 1) and Conti described them as being capable of “sell[ing] their own mother for a bone from bankers or politicians” (Announcement 2). Moreover, Babuk labelled data security agents as “filthy predators” (Ransom Note 3), and Conti boasted that “the neo-fascist alliance between the US and EU kleptocracies” will not stop them (Announcement 3).
Threat actors described these entities as self-centered, driven by self-interests, and not caring for people and their data. Thus, addressing cybersecurity experts, Maze wrote:
Instead of doing something to improve security, those so-called security professionals are trying to get a few Likes.
(Maze, Press Release March 2020)
These are all direct attempts at condemning journalists, cybersecurity experts, and governments and institutions, by negatively framing their moral makeup, work ethic, ideology, and motives.
In another set of materials, the neutralization involved the making of negative portrayals of the actions of these entities. Thus, in the next excerpts, Egregor, Everest, and Maze claim that recovery companies and negotiators are secretly inflating the final prices during ransom negotiations to take a cut for themselves:
we have facts and proves of some recovery companies who secretly add 10-50% to our price for the client.
(Egregor, Announcement 1)
When hiring third party negotiators listen to what they tell you, try to think, are they really interested in solving your problems or are they just thinking about their profit and ambitions?
(Everest, About Us 1)
While hiring the negotiators from the side, especially those who work on government, and listening to what they tell you, try to think are they really interested in solving your problems or they are just thinking about their own profit and ambitions of the government agency they belong to.
(Maze, Press Release June 2020)
These statements are akin to what Van Lente and Rip (1998) call “forceful fictions”. They are ‘fictive’, in the sense that, clearly, recovery companies and negotiators cannot be reduced to threat actors’ negative portrayals of them. At the same time, they are also ‘forceful’, in that they open space for threat actors’ actions and terms. Namely, by negatively framing the actions of recovery companies and negotiators, the above statements maintain a sense of such entities as foes-in-disguise.
Importantly, the statements are phrased as warnings, emphasizing that a certain harm may come if victims mobilize recovery companies in the negotiation process. The implication is that the victim might be better off without them.
Thus, employments of the ‘condemning the condemners’ neutralization tactic are not simply artifacts of a criminal imaginary. Rather, our analysis suggests that they have the potential to affect the social structure and dynamics of ransom negotiation, often to the effect of securing (and, in some instances, achieving larger) payments from the victim, which resonates strongly with threat actors’ self-characterization as ‘profit-seeking’ (see Figure 2 below). This in turn calls for serious attention to cyberattacks as socio-technical phenomena, rather than just technical issues to be understood and resolved technically.
Figure 2: Motivations of threat actors
We observed earlier that threat actors tend to describe ‘condemners’ as profit-seeking and not caring for people and their data. Such claims were often projected against companies that were victims of a cybercrime, as in the following example:
The company’s management doesn’t care about the company’s future. It doesn’t care about the data and about its business partners.
(Maze, Press Release April 2020)
These and similar claims were discussed in greater detail in the previous paper, where we focused on ‘denials of the victim’. In the quote above from Maze, the company’s victimhood is not denied, but rather, the cause of its misfortune is being attributed to the company’s management.
However, statements such as the above can also be read as indirect condemnations of the broader system that enables companies (or their management) ‘not to care’ about business partners, people in general, and their data. In the following excerpt, Maze explicitly addresses that system:
The world is a large computer system. But those, who should watch over the safety of that system are irresponsible. Instead of doing their work, they prefer to chat in social networks or watch porn. On the other side, those who have created this system and earn billions using it, they don’t care about the safety of information or privacy problems. The only thing there to care about is to avoid lawsuits and fines for loosing that information.
(Maze, Press Release March 2020)
In the quote above, Maze describes ‘the system’ as corrupt, fundamentally flawed, and therefore in need of fixing. In the following quote, Cl0p assumes the position of a ‘fixer’.
This example of corrupt company who manipulate market and steal knowledge and money from other company and clients. Cl0p fix all this and we make bad corporation pay for their crime even when corrupt government does nothing.
(Cl0p, Leak Page 2)
Following Woolgar (2005), we can think of these statements as enacting a ‘moral universe’ which depicts the responsibilities and expectations associated with the entities which populate it. The statement above, for example, portrays Cl0p as a caring entity, revealing and demonstrating the ‘true nature’ of companies and governments, and forcing them to do better for people.
What we see here is the use of ‘societal critique’ to reposition the threat actor from a mere criminal to a punisher. The statement provides for a reading of what happens to the company, not as an act of violence against an innocent entity, but rather an instance of getting what they deserve.
Threat actors position themselves as moral agents, acting on behalf of ‘the people’, and in this way reframe their behavior as a kind of calling. Put differently, through the statements addressed in this section, threat actors externalize the cause of the criminal act, so that it is no longer about financial motives, for example, but rather about responding to a higher goal.
In these instances, ‘condemning the condemners’ echoes another neutralization technique outlined by Sykes and Matza, ‘appealing to higher loyalties’, to which we return in the next paper.
We have shown that neutralization by ‘condemning the condemners’ involves the reframing of relationships between actors in the cybercrime landscape. This also includes attempts to recraft the perceived distances between the threat actor and other entities in this landscape.
Thus, MountLocker compared themselves to lawyers – “unscrupulous and manipulating the system for their own gain” (MountLocker, Interview 1). The comparison diminishes the presumed distance between these two actors by rendering them as instances of the same category, i.e., “unscrupulous manipulators of the system”.
Furthermore, in the following interview excerpt, Babuk argues that, by identifying and disclosing vulnerabilities in their malware, cybersecurity researchers have contributed to the improvement of the malware:
We want to thank all researchers for helping to find the vulnerability in our product. Special thanks to Chuong Dong for improving our encryption, and to Emsisoft for helping us improve our decryptor.
(Babuk, Interview 2)
DarkSide makes a similar claim regarding BitDefender:
Special thanks to BitDefender for pointing out our shortcomings. This will make us even better. Now you will never decipher us.
(DarkSide, Forum Post 1)
In these instances, researchers and BitDefender, which are external to the criminal activity, are rhetorically made internal to it. Through the statements, these entities and the threat actors are made complicit, like collaborators, in the deeds that brought misfortune to the victims. By mocking researchers and BitDefender in this way, these statements provide for maintaining the image that threat actors project about themselves as “unstoppable”.
From our analysis above, we can see that only in some instances does neutralization by ‘condemning the condemners’ have the clear rhetorical effect of ‘justifying’ the threat actors and their actions. For the most part, the employment of this neutralization technique results in the rhetorical effect of ‘levelling the field’ between the threat actors and those who condemn them.
More broadly, then, ‘condemning the condemners’ can be characterized as a balancing act where the assumed authority over the facts, the stories, and their interpretations is being challenged. For instance, by framing journalists as ‘biased’, the facticity of their claims is brought into question. By framing governments, or cybersecurity experts as corrupt, their authority over deciding/acting upon what is right and what is wrong is also being disputed.
In essence, the threat actors are in this way saying that entities such as governments, journalists, and so on, cannot judge them because those entities are not fundamentally different from them. Threat actors are thereby proposing that there is no basis for taking the claims of journalists and governments as ‘the truth’, or relying on these entities as representatives of justice.
We have looked at threat actors’ discourse through the prism of the neutralization technique of ‘condemning the condemners’. Our analysis shows that threat actors are reframing their activity as ‘comparable’ and, in some respects, more ‘ethical’ than the activity and behaviors of those who condemn them, including governments and institutions, journalists, and members of the cybersecurity industry.
It would of course be naïve to readily accept these premises. However, as Sykes and Matza write, their validity is not so important as their rhetorical function. Such portrayals of the extended cybersecurity landscape at the very least complicate data recovery and negotiation by casting doubt on the entities involved.
In this sense, ‘condemning the condemners’ is not merely about self-justification and excusing criminal behavior but is integral to cyberattacks (understood more broadly) as socio-technical phenomena. Here, we have scratched the surface of these phenomena by identifying some of their rhetorical mechanisms and effects.
At the same time, questions remain. Are these condemnations merely reactions, or do they reflect shared values and convictions in threat actor groups? How are these condemnations linked to threat actors’ choices of potential victims and types of attack? In what ways and to what extent does ‘condemning the condemners’ influence the course and outcome of ransom negotiations? Understanding these questions is key if we are to devise better ways to tackle cybercriminals.
In the next piece we will consider the technique known as the ‘appeal to higher loyalties’. This is where people participating in criminal activity may justify their actions by claiming to be upholding another value (e.g., financial needs of family) ahead of the need to follow the law.
Sykes, G M and D Matza (1957), ‘Techniques of neutralization: A theory of delinquency’, American Sociological Review, vol 22, no 6, pp 664-670.
Van Lente, H and A Rip (1998), ‘Expectations in technological developments: An example of prospective structures to be filled in by agency’, in C Disco and B J R van der Meulen (eds), Getting New Technologies Together, Walter de Gruyter, Berlin, New York, pp 195-220.
Woolgar, S (2005), ‘Mobile Back to Front: Uncertainty and Danger in the Theory-Technology Relation’, in R Ling and P E Pedersen (eds), Mobile Communications: Re-Negotiation of the Social Sphere, Springer-Verlag, London, pp 23-44.