By Azim Khodjibaev, Dmytro Korzhevin and Kendall McKay.

Ransomware is still highly prevalent in our current threat landscape — it's one of the top threats Cisco Talos Incident Response responds to. One such ransomware family we encounter is called LockBit, a ransomware-as-a-service (RaaS) platform that's known for its automation and the speed at which it attacks its victims.

At Cisco Talos, we strive to understand the malware utilized in ransomware, the infrastructure leveraged by operators to launch these attacks, and even the ransomware operators themselves. In September 2020, Cisco Talos established contact with a self-described LockBit operator and experienced threat actor. Over the course of several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Through these exchanges, we gleaned several valuable takeaways for executives and the broader cybersecurity community.

As you read, we hope you'll begin to understand how threat operators view cybersecurity, their motives, and how they portray themselves to others. We hope these insights can show you how threat operators view the technology and the meta of running a ransomware operation.

You can read our report here.