It might be wrong, but there was a good reason: Neutralization through an appeal to higher loyalties

Authors: Adam Ridley, Diana Selck-Paulsson

Introduction

This piece is part five in an ongoing series on how cyber extortion (Cy-X) and ransomware threat actors employ neutralization techniques to drift away from social norms to participate in malicious activity. Part one presented our research approach and the theory of what neutralization techniques are. In parts two and three, we showed how threat actors deny that they are causing an injury, and how threat actors deny the existence of a victim or their victim’s claim to victimhood.

Our most recent addition to this series examined how threat actors divert attention away from their own actions by criticizing people or institutions that oppose their malicious activity – the technique known as ‘condemning the condemners’.

As we have described throughout this series, the different forms of neutralization are techniques for people who participate in crime to temporarily drift away from accepted norms without compromising societal morality (Sykes and Matza, 1957).

The focus of this piece is the technique known as the ‘appeal to higher loyalties’. This is where social norms or expectations are sacrificed in favor of, in the mind of the threat actor, a seemingly more pressing value. These values might be loyalty to family or a sense of responsibility arising from belonging to a social group.

Figure 1: Items in dataset containing ‘appeal to higher loyalties’ neutralization

Whatever the norm accorded ‘higher loyalty’ may be, Sykes and Matza suggest the conflict between this norm and societal morality leads to an internal dilemma that ultimately gets resolved “at the cost of violating the law” (Sykes and Matza, 1957: 669). They suggest that societal norms are not necessarily rejected, but that other norms are given precedence instead.

For example, the person might acknowledge it is ‘wrong to steal’ but might steal anyway because the rest of their gang expects them to conform.

In what follows, we discuss three variations of these appeals to higher loyalties. The first is helping people in need. This is where threat actors appealed to altruism, suggesting that their cyber extortion activities had charitable or philanthropic benefits through donations or pro bono work.

In the second theme, societal progress, threat actors argued that their actions forced organizations to take cybersecurity seriously. In particular, they suggested that their attacks served as a catalyst for technological developments and procedural innovations.

Third, we also found that political values can serve to frame threat actors’ descriptions of their behavior, particularly as a justification for target selection. In doing so, threat actors used this framing to argue they are making society better, in a way that appears to align with their ideological worldview.

In addition, please note once again that the quotes from threat actors included below have not been edited for grammar or syntax.

Theme 1: Helping people in need – appeal to altruism

The first theme we observed emerging from the data was an appeal to altruism. Rather than focusing on the detrimental impacts of ransomware infection and extortion on victims, some threat actors emphasized philanthropic donations or charitable intentions. For example, DarkSide acknowledged that their cyber extortion activities might be seen as being ‘ethically dubious’. However, they also wanted to be seen favorably by contributing some of their proceeds to charities:

As we said in the first press release – we are targeting only large profitable corporations. We think it's fair that some of the money they've paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone's life.

Today we sended the first donations:

- children.org - helping poor children to get education.
Donation amount: $ 10,000.

- thewaterproject.org - helping Africans with access to drinking water.
Donation amount: $ 10,000.

Let’s make this world a better place :)

(DarkSide, Announcement 2)

The final line reads as a call to action, seemingly inviting the readers, or possibly even victims, to get on board with DarkSide’s ransomware and cyber extortion project. The phrase also sounds similar to a slogan that a charity might use. In this way, DarkSide appears to be characterizing themselves as benevolent, rather than malicious.

The threat actor HolyGhost overtly sought to present themselves altruistically, with their name and logo seeking to position themselves as morally superior to other ransomware criminals.

HolyGhost, About Us 1

The image of the dove and the name ‘HolyGhost’ both symbolically allude to the divine ‘Holy Spirit’ of the Christian faith, who Christians believe works as a helper. Furthermore, HolyGhost’s manifesto explicitly appeals to this religious altruism. They did this by claiming to be helping the “poor and starving” by giving money extorted from victims to charity. Even the use of the word “struggle” implies that for HolyGhost, their work to help the poor is a moral burden that they have taken upon themselves.

The word “struggle” could also be a wording error, as English does not appear to be the author’s first language. They might instead have intended to say ‘What do we strive for?’ By posing this question, their post describes and justifies their actions, almost like a mission statement.

In other cases, threat actors have sought to portray themselves as benevolent towards some types of victims that had been infected with ransomware. In one of their announcements, Cl0p clearly demarcated some types of organizations as off-limits:

ATTENTION!!!

We have never attacked hospitals, orphanages, nursing homes, charitable foundations, and we will not. If an attack mistakenly occurs on one of the foregoing organizations, we will provide the decryptor for free, apologize and help fix the vulnerabilities.

(Cl0p, Announcement 1)

Cl0p’s offer of a free decryptor and vulnerability fixes for charities and healthcare organizations was hypothetical in the quote above. In contrast, Babuk referenced specific examples where they had put their charitable intentions into action.

It happens that the victim claims that he does not have the means to pay our salary. We then verify the financial situation of the victim and make a decision on the amount of our fee. Recently, we have attacked an African company that traded in fuel, but due to the pandemic, it lost financial liquidity and actually did not have the means to pay us. We resigned from the salary and provided the decryption tool free of charge.

(Babuk, Interview 2)

In this first example, Babuk claimed to evaluate the financial capacity of each victim. When they attacked an African company, they decided to waive the decryption fee. The subtext here is an assumed stereotype that African companies are poor or vulnerable, and therefore cannot afford to pay a ransom. By invoking this stereotype, Babuk was then able to present themselves as being altruistic or benevolent, even though they did actually attack the victim in the first place.

These forms of ‘afterthoughts’ can be observed with other threat actors too, underlining the argument that these attacks are often of an opportunistic nature. If after the initial compromise it turns out that the victim organization cannot afford to pay the ransom, or is from an industry that the threat actor promised not to attack, threat actors may ‘offer’ decryptors for free to rectify their harmful actions.

In the second example below, Babuk claimed to help a nursing home free of charge:

We recently helped a nursing home. We found vulnerabilities in their networks and patched them, totally pro bono. We respect the elderly and those who help them. It is not a question of culture or religion – it is just that each person should respect the elderly, the disabled and those people and institutions that help them.

(Babuk, Interview 2)

Babuk is also appealing to readers’ sense of altruism by justifying their engagement in crime through showing how it can be applied to charitable causes too.

These three quotes above serve a dual purpose for the threat actors. On the one hand, the threat actors are trying to demonstrate that they have the capability to ‘do good’ – or so they want us to believe. On the other hand, they appear to position themselves as ‘judges’. Cl0p and Babuk appear to assume authority over deciding who is ‘good’ or ‘innocent’ (and should not be attacked), and who is a legitimate target (worthy of being attacked). In other words, these quotes enact a moral setting for their actions.

In contrast to Cl0p and Babuk, LockBit made an appeal to a specific form of altruism on the grounds of helping a sick family member. This is in line with one of the archetypal examples of this neutralization technique described by Sykes and Matza (1957).

Q: When you became a dollar millionaire, how much did this feeling change you as a person? What in your worldview has fundamentally changed?

A: It gave me confidence in the future, and also the ability to pay for a very expensive surgery required for my brother. Attitude to security and anonymity has fundamentally changed.

(LockBit, Interview 2)

So, throughout the examples above, we can see evidence of threat actors portraying their cyber extortion activities in a positive, altruistic light. This appeal presents a moral dilemma, where the behavior is seen as a breach of societal morality, yet can simultaneously be charitable in nature.

Theme 2: Societal progress – forcing strengthened network security

The second main theme we see in our dataset consists of instances where threat actors suggested that ransomware attacks and cyber extortion were forcing changes in information security practices across organizations the world over.

This was the most frequent line that we observed used by threat actors to neutralize their actions using the ‘appeal to higher loyalties’ technique, occurring in 12 unique items in the dataset from seven different threat actors.

Neutralizations such as these were appeals to rationality, where threat actors portrayed their attacks as part of a larger pattern of behavior that would ultimately force organizations to change and strengthen their cybersecurity posture.

This form of neutralization has previously been observed by Hutchings and Clayton (2016), who found that hackers believe that their actions contribute to an increase in network security more broadly. As we find in our own dataset, threat actors justify the criminal nature of cyber extortion attacks because they are allegedly creating a safer and more secure society.

For instance, consider this excerpt from one of Maze’s press releases:

Our world is sinking in the recklessness and indifference, in laziness and stupidity. If you are taking the responsibility for other people money and personal data then try to keep it secure. . .  How come that you don’t understand that right now a hacker attack is enough for a large area or a country to lose the access to internet, water, gas and electricity.

Maze, Press Release November 2020

Maze is providing social commentary here, identifying and problematizing the issue of poor internet security around the world. The implication then is that cyber extortion attacks serve the function of being important catalysts for changing and improving security practices.

Maze had previously alluded to this problem in an earlier press release, arguing that one of the primary factors was “irresponsible companies”:

We will change the situation by making irresponsible companies to pay for every data leak. You will read about our successful attacks in news more and more.

Maze, Press Release March 2020

Having described the problem, Maze positions themselves as an agent that “will change the situation”. Maze implies here that “irresponsible companies” will inevitably improve their security practices so that they don’t fall victim to ransomware infections. Accordingly, Maze suggests that their criminal misdeeds serve a higher purpose for a greater good.

Ragnar_Locker made similar claims on four separate leak pages in our dataset. For example:

Unfortunately there are still a lot of companies that are don't want to take responsibility for the personal information that gathered and don't want to improve security measures. That's why we will continue to post news about companies that doesn't values much privacy of their clients and partners.

Ragnar_Locker, Leak Page 2

We are sure that everyone should know about [REDACTED COMPANY NAME] such a decision and careless attitude regarding data privacy. This might seems crazy in 21st century, when all corporates should work harder on their security measures

Ragnar_Locker, Leak Page 3

These themes were repeated on the other two Ragnar_Locker leak pages. In Leak Page 2, the threat actor lifts the curtain for the reader, giving a clear justification for why they attack companies. Ragnar_Locker appeals to the higher value of making digital society safer, by forcing organizations to change their behaviors and practices, and ‘punishing’ them for their laxity.

Quantum is even more explicit in presenting themselves as filling this role as a catalyst for change, providing enforced ‘consulting’ rather than punishment:

About Us: Team of experienced IT professionals, dedicated to the network security as a main problem of 21st century. We research all aspects in this field and force business to develop IT defense and security.

Quantum, About Us 1

We see a similar vein of argument presented by both BlackMatter and Babuk in public interviews:

We do not deny that [our] business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development

BlackMatter, Interview 1

I don’t want to threaten anyone, I just ask please protect the outer perimeter and there will be no problems

Babuk, Interview 1

Finally, we return to HolyGhost’s manifesto once again. They stated that the third objective of their organization was:

3) To increase your security awareness and let you know what is space in your company.

HolyGhost, About Us 1

The example from HolyGhost is emblematic of this form of neutralization. By framing cyber extortion attacks as a catalyst for improved security awareness, threat actors are then portrayed as important players for strengthening internet security more broadly.

If we think back to the third part in this series where threat actors seek to deny the victim, we can see some conceptual overlap. However, instead of dismissing a victim’s claim to victimhood on the grounds of negligence, threat actors are positively framing their attacks by emphasizing the benefits that come from the attacks. They appear to be muddying the moral waters, even if they may know their behavior to be ethically dubious.

As such, the role and focus on the victim is diminished here because the phenomenon of cyber extortion is presented as a project that will ultimately bring positive benefits to digital society.

Overarching this entire theme though, there appears to be a moral contradiction: the existence of extortion attacks contributes to digital society being less safe. Threat actors claim to be part of the solution to a problem that they themselves are instrumental in creating – and heavily profiteering from.

Theme 3: Political motivations

The third theme that we saw emerging from the data was one relating to the political motivations or sympathies of the threat actors. In particular, we saw that threat actors presented a political dimension to, in some way, mitigate or justify their involvement in the extortion activity.

For example, if we return to the quote from the BlackMatter interview from earlier, we see political undertones in their choice of discourse:

[Interviewer]: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at destructive activities? . . .

BlackMatter: We do not deny that [our] business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development.

There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data.

(BlackMatter, Interview 1)

The main thrust of BlackMatter’s argument is that their actions are catalyzing the development of new cybersecurity practices and technologies. However, the final sentence on victim selection subtly reveals a political stance. By stating that they only target companies and not individuals, the threat actor is appealing to anti-capitalist values.

Not only that, by separating the idea of a ‘company’ from the ‘people’ that constitute it, BlackMatter is abstracting the victim, potentially to reduce their own moral culpability. In doing so, this skirts around the fact that the release of internal information can easily harm individual employees and customers, rather than just the victim organization as a whole. There is scope for further research to explore the long-term psychological effects individuals experience after becoming a victim of cyber extortion.

BlackMatter also implies here that companies are legitimate targets for funding their project of making the internet safer by catalyzing new cybersecurity developments. Since companies “always [have] the ability to pay funds and restore all [their] data”, BlackMatter appears to hold a negative predisposition to the wealth-generating capacity of corporations.

BlackMatter, Negotiation Chat 2

Moreover, in some negotiation chats such as the excerpt from BlackMatter above, threat actors seem to determine whether or not victims can pay the ransom by looking up the victim’s revenue. They do not seem to perform additional analysis based on profit. If threat actors are still unsure, they ask the victim for proof as to why they are unable to pay the ransom based on the revenue figures gathered.

Furthermore, Haron’s inclusion of the below image on their victim portal also appears to convey political undertones:

Haron, Victim Portal 1

There are two noteworthy elements in this image: the Guy Fawkes mask, and the military propaganda image of Uncle Sam recruiting soldiers for the United States army during World War I, onto which the mask is superimposed.

The use of the Guy Fawkes mask, popularized in V for Vendetta, alludes to the hacktivist collective Anonymous. Haron’s inclusion of this element suggests that they may see themselves as inflicting damage for some greater (nondescript) good. At the same time, the usage of the mask is widespread in the cyberworld and thus could represent a symbol of belonging to a specific social group, whose agenda is put above societal norms, and thus enables the threat actors to break the law by being more loyal to that group.

Likewise, the image of Uncle Sam invokes the idea of some form of political action. However, inferring the function is less straightforward without more information from Haron. It could allude to a public call to arms to force irresponsible companies to take information security seriously, similar to Maze’s ‘project’ discussed earlier in this post and in part three. Another interpretation could also be literal, with the image designed to attract new recruits.

Alternatively, the image could be directed towards victims, invoking the symbolism of Uncle Sam as representing the federal government of the United States. In this way, Haron may be attempting to position themselves as an authority, perhaps directing the victim towards what their next immediate actions should be.

Similarly, the DarkSide quote that we discussed earlier in the first section also conveys an appeal to political values:

No matter how bad you think our work is, we are pleased to know that we helped change someone's life. . . . Let’s make this world a better place :)

(DarkSide, Announcement 2)

DarkSide couches their appeal to altruism here within a call to action. They appear to be offsetting their extortion attacks with their charitable donations. However, their invitation of “Let’s [i.e. Let us] make” directly invites the reader and the victim to participate in the process of sharing money with those who face socio-economic disadvantage.

In one of their public announcements following the October 2021 takedown of REvil led by United States law enforcement, Conti combined an appeal to political values with an appeal to ingroup loyalties.

Conti, Announcement 2

While the anti-establishment political overtones to this manifesto are seen through the language of “expel these fat, degraded bankers”, the ingroup solidarity demonstrated by Conti to REvil is not something we observed elsewhere in our dataset.

Conti here is demonstrating a higher loyalty to the hacking subcultural group in response to the REvil takedown. Though it is not explicitly stated, the phrase “And we will be reminding you of this constantly” suggests that Conti’s future extortion attacks will be motivated by what occurred to REvil, at least to some extent.

This ingroup loyalty is something that has been documented directly in the literature on neutralization, where people are faced with a dilemma: either disloyalty to their own social subgroup (such as a gang) or having to commit criminal activity (Sykes and Matza 1957: 669).

Moreover, Steinmetz and Tunnell (2013) defined the appeal to higher loyalties as specifically including ingroup loyalty towards the hacking subculture.

As shown in the quote above, Conti’s expression of solidarity with REvil is an instructive example for how threat actors’ neutralizations intersect across multiple layers. Conti’s ingroup affinity cuts across a political disposition that expressly permits the targeting of Western victims – American victims in particular.

Conclusion

We have found evidence that threat actors engaging in ransomware and cyber extortion attacks utilize the appeal to higher loyalties to neutralize the moral consequences of their actions.

In some cases, this is done through an appeal to altruism. Some of the financial proceeds of the attacks might be donated to charities. Alternatively, threat actors may utilize their hacking prowess to highlight vulnerabilities in charitable or non-profit organizations’ environments (e.g. nursing homes), before offering to fix these issues pro bono.

In other cases, threat actors portrayed their actions as being a catalyst for change in the way that organizations handle information security. Our dataset contains many instances of threat actors lamenting the negligence or incompetence of their victims.

Some threat actors also framed their actions in terms of certain political values, such as being anti-capitalist, anti-establishment or anti-American. Doing so may then be enabling the drift away from societal morality described by Sykes and Matza (1957).

For the most part, we see threat actors using these neutralizations as a way to offset the moral implications of their actions. Perhaps these groups and individuals see this approach as a way to ‘balance the scales’ of justice.

At the same time though, it is worth noting that none of the examples of the appeals to higher loyalty in our dataset came from negotiation chats. Instead, all 30 examples were drawn from ‘public-facing’ material intended for public consumption, such as announcements, interviews or leak pages.

It is plausible that these instances were genuine attempts to frame extortion activities in a positive light to neutralize the breaches of societal morality. However, it is also plausible that the appeals to higher loyalties, and especially the appeal to altruism, were a sanitized self-presentation designed for the purpose of organizational branding. Justifications such as appealing to higher loyalties therefore make more sense when used in external facing communication that reaches the public.

Moreover, Dutton et al. (1994) argue that the way organizations present themselves publicly also has an impact on those who work within the organization, affecting the internal culture, direction, identity and sense of belonging for the individuals inside. The leak of Conti’s internal chats in February and March 2022 revealed similarities between the threat actor and conventional organizations, such as complaints about overbearing middle management and working long hours (Dark Reading 2022). As such, the work of Dutton et al. (1994) could feasibly be applied to organized crime groups too.

The lack of evidence for this neutralization technique in negotiation chats does make it difficult to determine whether the ‘higher loyalty’ can be viewed as a primary motivation for the extortion activities. In contrast, ‘financial motivation’ appeared specifically on 46 occasions in 31 unique items in the dataset, including eight negotiation chats and six ransom notes.

Nonetheless, there is sufficient evidence to suggest that higher loyalties are a contributing factor in the willingness to engage in crime. Still, there remains scope for further investigation, perhaps by exploring alternative data sources to those included in our dataset.

In our next piece, we will discuss the fifth and final neutralization technique described by Sykes and Matza: the ‘denial of responsibility’. When using this neutralization, people may claim that they were not responsible for their actions because it was not their fault, or it was an accident, or somehow came about because of forces beyond their control.

Reference List

  • Dutton, J E, J M Dukerich and C V Harquail (1994), ‘Organizational Images and Member Identification’, Administrative Science Quarterly, vol 39, no 2, pp 239-263.
  • Hutchings, A and R Clayton (2016), ‘Exploring the provision of online Booter services’, Deviant Behavior, vol 37, no 10, pp 1163-1178.
  • Steinmetz, K F and K D Tunnell (2013), ‘Under the pixelated Jolly Roger: A study of on-line pirates’, Deviant Behavior, vol 34, no 1, pp 53-67.
  • Sykes, G M and D Matza (1957), ‘Techniques of neutralization: A theory of delinquency’, American Sociological Review, vol 22, no 6, pp 664-670.
  • Webster-Jacobsen, B (2022), ‘What the Conti ransomware group data leak tells us’, Dark Reading, https://www.darkreading.com/attacks-breaches/what-the-conti-ransomware-group-data-leak-tells-us, accessed 17 February 2023.
