Contrary to popular belief, ransomware is not a new phenomenon. We’ve seen digital extortion in one form or another for almost three decades. Yet, few could have predicted 10 years ago that cyber-criminals would be causing the shutdown of oil pipelines, disrupting food supply chains and even endangering lives. Russia has the dubious honor of being the world’s number one ransomware hub. It was widely believed that this was due to a unique set of circumstances. The problem is, they’re not actually that unique.
The Russian Story
Ransomware first emerged into the national media spotlight when WannaCry and NotPetya spread recklessly around the globe back in 2017. Until that point, ransomware was primarily the concern of IT and security teams. Yet, WannaCry and NotPetya demonstrated the devastating impact a ransomware attack could have. As devastating as WannaCry and NotPetya were, over the past few years, ransomware has evolved significantly. Cybercrime gangs calculated that they could make more money from targeting corporations with multimillion-dollar ransom demands instead of indiscriminate phishing campaigns with low-dollar ransom demands. Some groups honed their activities to include techniques more commonly associated with sophisticated APT actors, including the use of legitimate tooling to move laterally inside networks without triggering any alerts.
Then came the advent of ransomware-as-a-service and the affiliate model that democratized the ability to launch attacks on whole new groups of actors. Fortunes are being made, and victims continue to pay despite the advice of law enforcement – often funded by insurance policies – and, crucially, the Russian state turned a blind eye.
What makes Russian cybercrime gangs so prolific? It’s not just a state that turns a blind eye to their activity, as long as it focuses outwards. It’s about having many technologically proficient graduates, a hangover from Soviet days when the state prioritized STEM subjects. It’s also a product of the fact that many of these individuals can’t find well-paid jobs without the right connections. It’s also due to the thriving underground cybercrime ecosystem, built around native language dark web forums and marketplaces where budding criminals can source new TTPs, sell stolen data and answer ‘job’ ads.
Follow the Leader
The danger for organizations in the US, Europe and elsewhere is that the Russian model could take hold in other countries very easily. Take China. It has a large workforce proficient in IT, a robust underground cybercrime economy and an autocratic government more than willing to turn a blind eye to illegal activity, as long as it’s directed at targets in the right countries – Taiwan, the US, the UK and Australia to name but a few.
Iran has a similar profile: a well-educated technical workforce but few opportunities to use and be adequately remunerated for their skills. Plus, a government that would certainly be quite happy if they decided to attack the old enemy: the United States. It doesn’t stop there. Take Brazil. The country has long been a hotbed of malicious cyber-activity, focused mainly around info-stealing and banking Trojans. It wouldn’t take much to adapt that into a thriving ransomware-as-a-service scene. It’s less likely that this democratic country would willingly harbor such criminals, but it’s not beyond the realms of possibility. We have already seen sporadic ransomware campaigns that appear to be tied to Chinese, Iranian and Brazilian cyber-criminal groups. If we start to see progress with these nascent activities, we might see more consistent and continuous success going forward.
Can We Stop Them?
The bad news is that, thus far, diplomatic efforts aimed at changing Russian geopolitical calculations have failed miserably. The Biden administration has been turning up the pressure on the Kremlin in recent months, even threatening at one stage to take unilateral action against threat groups like REvil. It has applied sanctions to some groups like Evil Corp and presented President Putin with a list of no-go critical infrastructure sectors. Little has changed.
Similar efforts at engagement with Iran and China on cyber matters have proved largely ineffective. A 2015 agreement hammered out between Barack Obama and Xi Jinping saw China agree to ‘cease’ economic espionage activity. It lasted for a few weeks.
So what hope is there for progress? It will be interesting to see what happens as a result of US sanctions against a Russian cryptocurrency exchange accused of facilitating ransomware payments for cybercrime groups. Of course, going after a single-player won’t stop attacks. Yet, it may be worth expanding if the model is seen to work and creates a frustrating bottleneck for threat actors trying to receive and launder funds. The cybersecurity world, and boardrooms across the globe, await more news with bated breath.
Allan Liska Senior Solutions Architect, Recorded Future