Ransomware: Threat Actor Motivations are More Than Just a Money Game

Allan Liska, Senior Security Architect, Recorded Future

In the shadowy world of ransomware gangs, the old saying “follow the money” still rings true, but there’s more to the story. The lure of cash is the big driver, but if you dig a little deeper into the tactics and behaviors of the major ransomware groups, you’ll find some nuances in their motivations. 

Scattered Spider: The Anarchists of the Cyber World 

Take Scattered Spider, for example. This ransomware group recently hit Caesars Entertainment, demanding $30 million. They “only” received $15 million – still a hefty sum for sure, half of what they initially asked for – a clear signal that they are in this for more than just the money. The style of their assault, favoring data theft over extensive system-wide havoc, indicates a keener interest in showcasing their capability to impact large corporations, as opposed to merely accumulating wealth. But hey, they might kick themselves for not demanding a bigger ransom once the law finally catches up and they’re frantically scraping together funds for their legal defense!

LockBit: When Malice Trumps Money

Then you have heartless attacks targeting victims who clearly can’t pay hefty ransoms – like schools and food banks. It’s hard to see these as anything but sheer malice. Take, for instance, one of LockBit’s affiliate’s deplorable attack on Toronto’s Hospital for Sick Kids earlier this year. Strangely enough, LockBit got some positive press for saying that the attack was against its policy and handing back the decryption key, which frankly feels as absurd as thanking a thief for giving the key back after he broke into your house. Their actions, despite being against their own policy, caused significant disruption and stress to the hospital, underscoring that such an apology cannot undo the damage already inflicted.

The Open RaaS Model: A Driver of Variation in Ransomware Attacks

LockBit, a likely Russian ransomware gang, is a good case study for why we see such diverse tactics and motivations in ransomware attacks, even when originating from the same groups. Operating as an open ‘ransomware as a service’ (RaaS), LockBit offers its custom-for-hire attack tools to affiliates for an entry fee ranging from $10,000 to $20,000. The ransom payments are then divided, with part of it going to the LockBit developers and the rest to the affiliate attackers.

This open model, which contrasts with the more exclusive RaaS groups like Royal and Black Basta, results in attack approaches and targets running a little bit amok. LockBit typically avoids Russian targets, but its openness to a wide range of affiliates leads to unexpected choices of victims, such as the surprising attack on the Industrial and Commercial Bank of China (ICBC). LockBit certainly doesn’t intend to be involved in such large-scale attacks because it puts the gang at greater risk of being caught. But by running an open ‘ransomware as a service’ model, they inevitably cede some control, leading to actions that don’t align with the core group’s intentions or strategies. 


In summary, the world of ransomware attacks is always shifting, with different motives and methods even among the same groups. Whether it’s the chaos of Scattered Spider or the unpredictable moves of LockBit affiliates, the ransomware gangs keep us guessing.

The key takeaway? Stay prepared. Ensure your data is clean, uncompromised, and easily recoverable. That’s how we keep the upper hand against the bad guys. 

For more on this topic, check out our webinar – Why XDR is not enough to stop ransomware attacks