Alleged ransomware offenders are using elaborate justifications to excuse their crimes, according to a new study that sheds light on how cybercriminals rationalise their actions. The research offers rare insight into the mindset of individuals operating within highly organised ransomware groups, revealing how they distance themselves from responsibility while targeting victims across sectors. The findings were published in the European Journal of Criminology.
Drawing on interview data from nine self-identified ransomware actors, the study explores how offenders use psychological tactics to neutralise guilt. These individuals often belong to sophisticated ransomware-as-a-service operations, which function like businesses, offering malware tools and support to affiliates in exchange for a share of the ransom.
Rather than viewing themselves as criminals, many of the interviewees depicted their actions as either justified or morally neutral. Several claimed they only target large corporations or so-called “business sharks” rather than ordinary people or essential services. This attempt to position themselves as selective and even principled in their attacks was a recurring theme.
The research found that offenders employed at least nine different techniques to rationalise their crimes. Some invented facts to downplay the harm, insisting that affected companies always have enough money to pay the ransom. Others suggested that poor cybersecurity practices by victims made the attacks inevitable or deserved. A few even portrayed themselves as ethical actors sparing hospitals and schools from harm.
Another common justification involved blaming external circumstances. Some participants claimed they had no realistic alternatives due to poverty, medical emergencies, or lack of opportunities in their home countries. Others said the financial rewards were too great to ignore, especially in countries where their skills were undervalued.
Several offenders also attempted to paint their crimes as socially beneficial. They argued that ransomware incidents push organisations to improve security and that their actions contribute to broader technological advancement. In these cases, cybercrime was reframed as a necessary disruption for the greater good.
A smaller number of participants admitted their actions were wrong but said they had no control over their urges or simply wanted to live well. One interviewee said they had earned enough to never work again and saw no reason to stop. Another openly rejected the idea of living on a salary, suggesting that legal work was beneath them.
What sets this research apart is its focus on how ransomware offenders make sense of their behaviour beyond technical explanations. Unlike most studies that concentrate on malware mechanics, this work delves into the social and psychological frameworks that allow people to commit serious cybercrimes while maintaining a positive self-image.
The study is based on publicly available interviews and intelligence reports collected by cybersecurity firms and media organisations. While the authors acknowledge that these sources cannot be fully verified, the findings offer a rare glimpse into the rationalisations used by individuals who are often hidden behind layers of anonymity.
The researchers hope that understanding these justifications could inform prevention strategies, particularly by undermining the narratives offenders use to justify their actions.
