A recent article revealed that the U.S. National Security Agency (NSA) would try to counter prolific ransomware gangs with more than cyber responses, adding psychological warfare to its toolbox. At a prominent cybersecurity conference, the former NSA Director of Cybersecurity acknowledged that the United States was trying to take the fight to ransomware groups, many of the prominent ones being headquartered in Russia. In addition to implementing technical measures and countermeasures to thwart attacks before they happen, in what has been termed part of the United States’ “defend forward” strategy in cyberspace, U.S. cyber operators are looking to deploy their own version of psychological operations to attack the human element behind the keyboard.
The former Cybersecurity Director illustrated the point with LockBit, perhaps the most prominent and active ransomware gang in the cybercrime ecosystem. He highlighted the February 2024 joint effort dubbed “Operation Cronos,” spearheaded by the Federal Bureau of Investigation (FBI) and the United Kingdom’s National Crime Agency, to take down LockBit’s dark web website. The action yielded the intended result, allowing the law enforcement coalition to take over the website and announce as much on the site itself, a clear message to other dark web actors that law enforcement could reach even a sophisticated cybercrime entity. The operation forced LockBit operators to relocate to another site, a move that the former NSA Cybersecurity Director suggested was done to incite distrust among the hacker community as to whether that site was under LockBit’s or the FBI’s control. Perhaps more impactful is the Department of Justice’s (DoJ) assertion that it has charged and received the cooperation of Dimitry Yuryevich Khoroshev, a senior LockBit leader who, the DoJ claims, is willing to detail the identities of his ransomware competitors.
LockBit’s leader quickly responded to these allegations, stating that the United States had attached the wrong person to the alias and calling their activities a “bluff.” Regardless of which side is speaking the truth, it is evident that the FBI’s intent is to sully LockBit’s criminal reputation, as well as obstruct its ability to orchestrate future attacks. This is not surprising, as this tactic is one frequently used by law enforcement to turn criminals against one another and, at the very least, sow discord among the criminal brotherhood. The law enforcement-criminal dance is a familiar one, and there is little doubt that no criminal organization expects to operate unimpeded by law enforcement at one time or another. It is more important to demonstrate the ability to avoid capture and show resilience; in essence, surviving to rob another day. However, law enforcement is well aware that there is no “honor among thieves,” an elusive code of criminal ethics that has proven to be more of an anomaly than the norm.
The extent to which this will work remains to be seen. At this juncture, LockBit’s senior administration has built solid bona fides in the criminal underground, ranking among the top ransomware earners, making money for both original members and affiliates, and employing a sustainable model that continues to evolve with the times. Adding to the challenges for law enforcement is the difficulty of obtaining the cooperation of hardcore members of this or any group without actually being able to arrest them. Even if the DoJ and the Department of the Treasury charged and sanctioned the right person, authorities do not have him in custody, where pressure can be applied most effectively for maximum cooperation.
Historically, the FBI has successfully used insiders to attack and cripple more traditional organized crime organizations like La Cosa Nostra. In the fight against ransomware gangs, it would make sense if the FBI followed a similar approach. However, a key element of that success was the Bureau’s direct access to and involvement with the individuals tied to traditional organized crime. The big challenge here is geography: where ransomware individuals live and operate. They may be identified and indicted, but flipping them without access is substantially more difficult, especially if they remain in countries whose governments have no interest in extradition.
The validity and effectiveness of psychological warfare rest largely on its audience’s perception of the potential consequences of their actions. Creating indifference in the ranks has worked in more traditional PSYOPS campaigns, notably in the First Gulf War. Thus far, despite successful disruptions of gangs like Conti, ALPHV, and now LockBit, ransomware gangs continue to show their resilience, strengthened by the diversity of malware strains and services, and demonstrate adaptability by rebranding and going dark when need be, making any pause in their activities a temporary gain for law enforcement. While ransomware actors have been arrested, this has not proven to be a deterrent for those drawn to the “easy money” of joining ransomware gangs. As with traditional organized crime, there always seem to be those willing to fill the void.
The use of PSYOPS to attack the ransomware ecosystem is nascent at best, and the decentralized nature of the gangs and their affiliates makes that ecosystem a Hydra. Law enforcement will need to strike the right head with the right PSYOP to achieve any long-lasting result. What that looks like will require a deeper understanding of the inner workings of ransomware gangs, their partnerships and/or alliances with other criminals, their plans for consistent evolution and adaptability, and how future members are identified, vetted, and recruited. These are not insurmountable obstacles, yet they are obstacles nonetheless, and will undoubtedly require more coordinated and cooperative international law enforcement engagement to make any serious dent. Otherwise, trying to eradicate or at least greatly impact their ability to operate may be a labor for even Hercules to complete.