The Psychology Behind “Trolling” Ransomware Gangs – And Why Law Enforcement Agencies Should Keep Doing It
Written by Tim Pappa, Senior Behavioral Consultant
Introduction
The most surprising thing about the LockBit takedown and arrests in February was that no one asked why American and UK law enforcement agencies finally “trolled” this ransomware gang.
Following the seizure of some LockBit infrastructure and arrests of a handful of LockBit criminals, law enforcement agencies cloned what appeared to be a LockBit victim landing page, using it instead for their own web page to release official communications and LockBit decryption keys. This cloned landing page included a countdown to reveal the identity of LockBit leader LockBitSupp but did not name him. There were other claims, such as LockBitSupp “cooperated with law enforcement”.
While LockBitSupp disregarded many of these claims and continued to demonstrate limited LockBit operations, much of the commentary has focused on whether LockBit was disrupted.
For nearly a half dozen years, I was a profiler with the FBI’s Behavioral Analysis Unit (BAU), specializing in online influence and developing approaches for causing distrust among attackers. The behaviorally based recommendations I made to law enforcement agencies during that period often explored the reputation of attackers, and how they might respond behaviorally to engagements online where they were mocked or ridiculed by who they believed were their peers.
This LockBit takedown, however, is a rare example of law enforcement agencies overtly incorporating this kind of “trolling” approach, in addition to traditional enforcement actions.
In this article, I will explain some of the psychological underpinnings of “trolling” ransomware gangs, namely why we love it so much and why they hate it.
But more importantly, why this kind of approach is behaviorally effective.
This kind of “trolling” approach can heavily influence not only how we form or reform impressions of attackers, but especially how other attackers rethink their impression of attackers. “Trolling” an attacker can overload an attacker cognitively and emotionally in a moment or prolong their decision making as they consider how others respond to the content trolling them.
The reputation of an attacker is often a singular reflection of their real and imagined threat. Attackers are motivationally driven to respond to “trolling” to protect their reputation, like we have seen several times from LockBitSupp.
Even when LockBitSupp has not been named – because he was not named – he appeared to react by offering $1 million to anyone or any FBI agent who could identify him.
In this situation, the government was simply offering reward money for unnamed Russian attackers, but LockBitSupp channeled attention to himself perhaps because he was not named. The need to maintain his reputation like other attackers often drives these responses or reactions.
Positively violating expectations and the mystique of ransomware attackers
Some of the appeal of mocking or ridiculing LockBitSupp may be because LockBit has victimized so many organizations and people.
This kind of “trolling” showmanship positively surprised most people.
Burgoon established much of the foundational understanding of expectancy violations theory, which finds that when our expectations about an event or an encounter with someone are positively surprised or ‘violated’, our response to them or that event is that much more positive. If someone or some event only met expectations, we might just feel ambivalent.
Burgoon noted in her work that who the person is violating or surprising our expectations is important, too. That person must have credibility and be likeable.
That may be questionable when talking about nameless faceless governments, but that is why governments should feel encouraged to troll or mock these ransomware personalities more often. Displaying this kind of bravado can arguably signal confidence in their investigations, but it also projects a much more credible and likeable law enforcement enterprise, willing and able to respond to ransomware attackers who continue to victimize organizations around the world, including hospitals and small-town school districts.
We expect ‘name and shame’ indictments and so do the attackers, but no one including attackers really expects this kind of humorous ridiculing and mocking of an attacker’s reputation.
These ransomware attackers could be characterized as “hypervisible”.
Kraidy described projecting figures or leaders as hypervisible as a form of theater and framing used by the Islamic State to portray their leaders with mystique, because no one has really seen them much or really knows where they are. This kind of hypervisible framing amplifies them and any moment or content featuring them.
Kraidy wrote about how governments struggled to counter the spectacles that Islamic State created in the form of violent content, until people began trolling them back.
Kraidy found that creating “counter spectacles” of humorous content was effective, however, surprising audiences that wanted to share funny and emotional content, as well as Islamic State audiences that wanted to share the same content because it angered or outraged them.
Zakem et al. explored some of the same campaigns by activists and hacktivists targeting Islamic State, and how images and memes played a significant role in not only consuming the attention and response of Islamic State personalities online, but in driving sharing of the humorous content among broad audiences, including audiences Islamic State was likely trying to influence.
Zakem highlighted how images more than most written content can quickly induce emotional responses from people engaging and sharing the content.
Until recently, we have not seen much “trolling” like this targeting ransomware gangs.
How emotions and affect influence everything and everyone
There is a hierarchy of what people generally find the most appealing to share with other people, which is emotional content that is either humorous or angering depending on who made it.
LockBitSupp would understandably be angry about the content made to “troll” him because it was made by law enforcement agencies in an “out group” rather than from inside his “in group”.
People within their own “in group” including others who are like them in some way generally characterize or perceive “out group” people as different than them. These groups are based on relationships and may not include any organizational boundaries. Relational “groups” could include everything from two people working together on infrastructure development or dozens of ransomware gang affiliates around the world.
To discover that members of his so-called trusted “in group” of affiliates were responsible for providing some of this content would be even more detrimental to him. The rest of us are also not in LockBit’s “in group”, so we find this “trolling” content humorous.
Guadagno et al. called this online content sharing among relational groups the “hierarchy of arousal” because audiences consistently appeared to prefer to share emotional content over non-emotional content no matter the topic, for example.
Berger and Milkman in their study of the most emailed New York Times articles also had a similar finding, that there is a relationship between emotion and virality. Their study also found that people prefer to share positive news more than sad news, however, people still shared content that evoked anger and anxiety more than generally positive news. When examining content sharing more broadly, Berger and Milkman emphasized that the content must “activate” emotions or affect to drive sharing behavior and other collective outcomes. They wrote that content sharing is complex, so everyone is different.
Clore et al. noted the “dimensionality of emotional reactions” to different situations and contexts. There may also be other situational demands when experiencing affect, such as a need for LockBitSupp to respond to someone’s criticism or “trolling”, for example.
How a ransomware attacker feels about some experience greatly influences his or her process of thinking and judgment. Brehm characterized it simply as a state of motivational arousal, usually toward some outcome. But there is a distinction between emotions and affect.
Clore referred to a labeled emotion such as happy or sad as identification of the ‘object’ of an emotion because we can label or interpret that experience with an emotion. Clore described affect in contrast as feelings we can’t label or really articulate, but we feel it. Subtle affect or moods can be potentially more “insidious” and “enduring” because people are less aware of how they may be influenced by this kind of affect. Even mild fluctuations in affective states can significantly influence changes in someone’s motivation and attitude.
Forgas et al. wrote that affect can influence what we notice and, when the context is personally relevant, negative affect can appear to trigger more deliberate and confirmatory information processing, perhaps much like negative information seeking curiosity.
There could be a pronounced anchoring effect related to highlighted negative information that causes someone to feel negative affect, namely “trolling” ransomware gangs about their brand.
Clore and Zadra proposed that emotions include information about the costs and benefits of anticipated action, which can be naturalized in a moment without thinking about the possible consequences of how someone might respond behaviorally to a situation.
These motivations shape someone’s perception and their behavior in response, whether attacker peers deciding to share content or deciding to respond to whoever is “trolling” them.
Those decisions may be based on more than just if the content is mocking them, because that content may include information that suggests plausible storylines that may or may not be true.
Fearing and feeling reputational loss
Even when the odds are 50/50, people still prefer to avoid risk and avoid losing what they have, rather than risk any potential gain. Attackers are no different.
Kahneman and Tversky established this concept of loss aversion, highlighting how this cognitive bias reflects the role of affect and emotions in those decisions and how loss can be framed to influence. Yechiam and Hochman found, however, that there is less observable loss aversion in situations where there are repetitive gains and losses.
A ransomware attacker may experience something similar, given the frequency of successful and unsuccessful attacks or ransoms of victim organizations.
LockBit has been very successful, but at times LockBit and other ransomware gangs did not get paid, or they did not get paid what they asked. Does this baseline of loss and gain change when considering reputational loss aversion?
I believe it does, even if we are talking about uniquely individual attackers. Someone’s reputation or branding can change rather quickly, and that change could impact profit and relationships, so that context is arguably different than the gains and losses related to payment from victims.
Can we motivate a response from attackers who fear or prefer to avoid reputational loss because they were “trolled” rather than not responding at all to criticism or ridicule?
I believe we can, because the examples we can point to typically reflect attackers who seem to have confidence in their ability to avoid being identified or they have confidence in however they have obfuscated their activity publicly so that their origin is still concealed.
Although the examples I can reference are anecdotal, there has been more than one instance where an attacker has continued to engage with us when I was with BAU because they were motivated not only to profit but to maintain or protect their reputation, which we had ridiculed.
Despite revealed attempts to compromise them technically and aggravated communications that include disparaging commentary about their capabilities, they kept talking and engaging.
Guttman et al. highlighted that even as loss aversion may increase as a young adult age initially, younger adults that may be more approximate to attackers are still developing how they cope or regulate their emotions, which may explain how affect can also influence a young attacker to engage in risk, because they also want to avoid reputational loss. That may explain some of the attacker behaviors I have seen at moments where I would have anticipated a different response.
Clay et al. found the role of affect in reflecting differences in information processing including loss aversion to be profoundly significant.
“Trolling” or ridiculing and mocking ransomware gang personalities or attackers is ultimately designed to influence their decision making privately and publicly and shape how they make sense of an engagement with law enforcement or other attackers while being “trolled”.
Although difficult to measure, “trolling” ransomware gang personalities like LockBitSupp increase the ambiguity and uncertainty around what law enforcement knows or doesn’t know, especially when current or potential affiliates are considering whether they trust LockBitSupp, who may have cooperated with law enforcement to protect himself.
This kind of “trolling” approach could significantly diffuse the impact of ransomware enterprises.