“We are not responsible for that” – Neutralization through denials of responsibility

Authors: Ivanche Dimitrievski, Adam Ridley, and Diana Selck-Paulsson

This is the sixth piece in a series exploring how cyber extortion and ransomware threat actors use “neutralization techniques” to legitimate their malicious behavior.

Sykes and Matza (1957) argue that people who engage in criminal activity make use of rhetorical techniques to neutralize the guilt that comes with committing a crime. In so doing, they can commit crime while remaining committed to the dominant normative system and interpret their deviant actions as acceptable.

We addressed this approach conceptually in the first part of this series, where we also outlined our research material. Part two, then, explored the neutralization technique called “denial of injury”, showing how threat actors try to reframe and reposition their malicious behavior as a business service.

In part three, we examined “denials of the victim” which involved, in this case, a villainization of the victim while presenting the threat actor as a vigilante figure. In part four, this was followed by an examination of threat actors’ attempts to justify their behavior by condemning those who oppose it.

Part five looked at threat actors’ “appeals to higher loyalties”. Using this neutralization technique, threat actors seek to display an image of themselves as sacrificing social norms in favor of a more pressing value, such as loyalty to family or “the greater good”. We deliberated on this as an organizational branding strategy, but also as a motivational force behind criminal activity.

This is the last piece in the series, and we will be focusing on the neutralization technique called “denial of responsibility”. According to Sykes and Matza, offenders deny responsibility by claiming that their behaviors are unintended or the result of forces that are beyond their control. Thus, they present themselves as victims of circumstance and as products of their environment.

We have noted in previous parts of this series that Sykes and Matza’s approach is not concerned with the validity of such orientations, but rather with their function of “deflecting blame attached to violations of social norms” (1957: 667). By learning to view themselves as being acted upon rather than acting, the offenders prepare the way for “deviance from the dominant normative system without the necessity of a frontal assault on the norms themselves” (ibid).

In what follows, we look at diverse materials, including negotiation chats, published interviews with threat actors, and leak pages to uncover some of the discursive strategies threat actors use to assign and distribute relations of responsibility. On this basis, we deliberate on the potential effects of this process. We will explore threat actors’ attempts to fashion a view of themselves as “regulated” and “trustworthy” entities, to diffuse responsibility for a crime by “blaming the victim”, and to incite fear by positing zones of no responsibility.

In addition, please note that the quotes from threat actors included below have not been edited for grammar or syntax.

Trust plays an important role in cyberattacks. Data is locked, after which a ransom is demanded in exchange for unlocking the data. But the victim needs some form of assurance that the data will indeed be unlocked, after paying the ransom. And since this process is not regulated normally, i.e., there are no official entities who would ensure data retrieval, the victim’s trust in the threat actor is imperative.

If the threat actor loses that trust, they may not get paid, which is not the preferred outcome for the threat actor.

One way in which threat actors generate trust is through crafting a public image of themselves as socially responsible entities. In the following excerpt, Cl0p makes a declaration to hold to a principle of not attacking a set of organization types, and to do right by such organizations in the event of an attack.

We have never attacked hospitals, orphanages, nursing homes, charitable foundations, and we will not. Commercial pharmaceutical organizations are not eligible for this list; they are the only ones who benefit from the current pandemic. If an attack mistakenly occurs on one of the foregoing organizations, we will provide the decryptor for free, apologize and help fix the vulnerabilities. (Announcement_Cl0p_1a_txt, Pos. 4)

The excerpt projects an image of the threat actor as a moral agent that follows a certain ethical principle as a basis for their attacks. We can observe a similar effect in the following excerpt from an interview with ALPHV. Responding to a journalist’s question about the ways they control their affiliates, the ALPHV representative says:

(…) we do not run an active advertising campaign and easily cut ties with non-compliant partners, but no matter how hard we try to filter people when creating an account — shit happens. There was already one episode with, I quote, “not the neighboring countries.” Decryption keys were issued automatically with the affiliate getting banned. (Interview_ALPHV_1a txt)

Lösch, Heil and Schneider (2017) describe “responsibilization” as a visioning process which involves the ascription of responsibilities among the actors that collectively shape sociotechnical arrangements. The statement above can be seen as an instance in such a process, producing an image of the threat actor – ALPHV, as a responsible entity that keeps others in its network in check. We are led to believe that these “partners” are held to a moral standard, and that any violation of that standard is being met with adequate sanctions.

In these excerpts, internal breaches of these attack policies are described as “accidents” and “mistakes”. Cl0p and ALPHV are represented as assuming responsibility for these accidents/mistakes. Not only do they cut ties with the guilty affiliate, but also issue decryption keys, apologize to the victim, and help them fix the vulnerabilities in their security systems to prevent potential future attacks.

It is important to emphasize, however, that assuming responsibility for such “accidental” attacks does not automatically suggest accepting responsibility.

Rather, responsibility is being distributed by representing the threat actor as a constellation of sub-actors and locating the cause of these attacks against a “faulty” part of that allegedly unified whole. In this way, a part, rather than the whole, is rendered accountable for the attacks and the removal of the “faulty” part can thus be understood as an act of reconstituting the threat actor as a trustworthy entity.  

In an earlier paper in this series, we proposed, following Van Lente and Rip (1998), that threat actors’ statements can productively be understood as “forceful fictions”. While they cannot be taken as objective portrayals of cybersecurity scenarios, they can be said to have real effects in the world.

To an important degree, the forcefulness of these statements relies on their reading as “threats”. According to Cavelty (2013), an important feature of cybersecurity discourse is the construction of threat through the evocation of a shady, invisible, but powerful foe. Our research shows that this trope is often mobilized by adversaries during cyberattacks. Consider this excerpt:

Victim organization: I do not fear your threats!

Egregor: That is not the threat, but the algorithm of our actions. (Ransom note_Egregor_1a txt)

Egregor’s response describes the nature of their actions as algorithmic. This projects an image of Egregor as a powerful invisible force that acts according to its own inner logic, unaffected by any actions the victim might initiate to stop it.

In other words, the threat, in this case, consists of representing Egregor as a kind of entity that lacks response-ability, which is another way to think about “responsibility” – namely, a capacity to respond to situational or others’ demands.

Thus, despite explicitly denying the characterization, Egregor’s response to the victim’s attempt to confront them is organized to accentuate the sense of threat.

The following excerpt is from a negotiation chat involving the threat actor Babuk:

We are still waiting for your price. We all realize that if this info will be uploaded to the public sources, you will lose much more. (Negotiation chat_Babuk_2a-j txt)

The excerpt alludes to the dangers of having one’s data exposed to the public. At the same time, the excerpt positions Babuk – the threat actor who currently has control of the data – as outside the constellation of actors that make “the public” a dangerous space.

The latter is a common move amongst threat actors:

Who knows how the third party can use those documents, we are not responsible for that. (Ransom note_Babuk_2a txt)

Companies under attack of Ragnar_Locker can count it as a bug hunting reward, we are just illustrating what can happens. But don't forget there are a lot of peoples in internet who don't want money - someone might want only to crash and destroy. (About us_Ragnar Locker_1a txt)

At this point, all off your files are about to get public on our blog and will be available for anyone, including darknet criminals who are eager to abuse your information for their own evil purposes like social engineering attacks against your customers and vendors, spamming, and other bad actions. (Negotiation chat_Conti_17a-k txt)

In the segments above, threat actors deny responsibility for the data once they are no longer in their possession. Just as in the case of Babuk above, these denials of responsibility invariably allude to the existence of a third party – made available in general terms as “people in internet” or “anyone, including darknet criminals” – with whom the “real danger” resides.

Crucially, the image of a disembodied, anonymous, out of control third party is juxtaposed with that of the threat actor, who is made to appear accountable and in control. Delimiting responsibility in this way enacts the existence of a looming threat out there, positioning the threat actor and the victim as collaborators, who, by working together, can avoid that threat.

We can see, then, that the threat trope is used in these excerpts in conjunction with statements of responsibility to shape the unfolding of the sociotechnical process that constitutes the cyberattack.

In this paper we looked at different texts from threat actors and how these texts enact relations of responsibility as constituents of cyberattacks. Specifically, we examined how these actors might be denying responsibility for these attacks.

Our analysis shows that, for the most part, these are not explicit “denials” of responsibility and, importantly, that the end of such actions is not necessarily exoneration or self-justification. Rather, they constitute shifts, distributions, assumptions, and attributions of responsibility, with different rhetorical consequences.

Sometimes, threat actors use responsibilization to emphasize harm, and sometimes to generate trust, in ways that incentivize particular kinds of action, typically beneficial for the threat actor, such as victim compliance.

More broadly, we can think of the statements analyzed in this piece as “scripts” (Van Lente & Rip 1998) that position the various actors as characters in a story to be played out. As such, these statements are potentially powerful tools for coordinating cyberattacks. Understanding the social dynamics surrounding these scripts is crucial if we are to determine why some of them fail to come through in specific instances while others are successful.