Russia’s rule over criminal ransomware gangs comes into view

Russia-based ransomware gangs are some of the most prolific and aggressive, thanks in part to the apparent safe haven the Russian government provides them. The Kremlin does not cooperate with international investigations into ransomware and generally refuses to prosecute cybercriminals operating in the country as long as they do not attack domestic targets. A long-standing question, however, is whether these financially motivated hackers ever receive guidance from the Russian government, and to what extent the gangs are involved in the Kremlin’s own offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations in the United States, Canada, the United Kingdom, Germany, Italy and France in the run-up to those countries’ national elections. The findings suggest a loose but visible alignment between the Russian government’s priorities and activities and the timing of ransomware attacks ahead of elections in the six countries.

The project analyzed a dataset of more than 4,000 ransomware attacks committed against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks by Russia-based gangs against organizations in the six countries ahead of their national elections. These six countries suffered the most ransomware attacks per year in the dataset, accounting for about three quarters of all attacks.

“We used the data to compare the timing of attacks for groups we think are from Russia and groups based all over the place,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups we see an increase in the number of attacks starting four months before the election and three, two, a month in, up to the event.”

The dataset comes from the dark-web leak sites that ransomware gangs maintain to name their victims and pressure them into paying. Nershi and fellow researcher Shelby Grossman, a scientist at the Stanford Internet Observatory, focused on the popular so-called “double extortion” attacks in which hackers penetrate a target network and exfiltrate data before planting ransomware to encrypt systems. The attackers then demand a ransom not only for the decryption key but also to keep the stolen data secret rather than selling it. The researchers may not have collected data from every double extortion actor, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups generally have an interest in disclosing their attacks.

Broadly speaking, the findings showed that non-Russian ransomware gangs did not have a statistically significant increase in attacks in the run-up to elections. Two months before a national election, for example, the researchers found that organizations in the six countries with the most victims had a 41 percent greater chance of a ransomware attack by a Russia-based gang on any given day, compared to the baseline.