Going Global: How Russia’s Ransomware Model Could Spread Around the World


Contrary to popular belief, ransomware is not a new phenomenon. We have seen digital extortion in one form or another for almost three decades. Yet few people could have predicted 10 years ago that cybercriminals would shut down pipelines, disrupt food supply chains, and even put lives at risk. Russia has the dubious honor of being the world’s leading ransomware hub. It was generally believed that this was due to a unique set of circumstances. The problem is, they’re not exactly unique.

Russian history

Ransomware first appeared in the national media spotlight when WannaCry and NotPetya recklessly spread around the world in 2017. Until then, ransomware was primarily the concern of IT and security teams. WannaCry and NotPetya demonstrated the devastating impact a ransomware attack can have. Yet as devastating as they were, ransomware has evolved dramatically over the past few years. Cybercrime gangs calculated that they could make more money by targeting companies with multi-million dollar ransom demands than by running indiscriminate phishing campaigns with low-value ransom demands. Some groups have refined their activities to include techniques more commonly associated with sophisticated APT actors, including the use of legitimate tools to move laterally within networks without triggering any alerts.

Then came the advent of ransomware-as-a-service and the affiliate model, which opened up the ability to launch attacks to whole new groups of players. Fortunes are made and the victims continue to pay despite the advice of the police – often financed by insurance policies – and, above all, the Russian state has turned a blind eye.

What makes Russian cybercriminal gangs so prolific? It is not just a state that turns a blind eye to their activity, as long as it is focused outward. It is also a large pool of technologically competent graduates, a hangover from the Soviet era when the state prioritized STEM subjects, many of whom cannot find well-paying jobs without the right connections. And it is the thriving underground cybercrime ecosystem, built around native-language dark web forums and marketplaces where budding criminals can find new TTPs, sell stolen data, and respond to job postings.

Follow the guide

The danger for organizations in the United States, Europe and elsewhere is that the Russian model could very easily take hold in other countries. Take China. It has a large IT-skilled workforce, a strong underground cybercrime economy, and an autocratic government more than willing to turn a blind eye to illegal activities, as long as they are aimed at targets in the right countries – Taiwan, the United States, the United Kingdom and Australia, to name a few.

Iran has a similar profile: a well-trained technical workforce but few opportunities to use and be properly remunerated for their skills, plus a government that would certainly be very happy to see it take on the old enemy, the United States. It doesn’t stop there. Take Brazil. The country has long been a hotbed of malicious cyber activity, primarily focused on information theft and banking Trojans. It wouldn’t take much to adapt this to a thriving ransomware-as-a-service scene. As a democracy, Brazil is less likely to happily harbor such criminals, but it is not beyond the realm of possibility. We have already seen sporadic ransomware campaigns that appear to be linked to Chinese, Iranian and Brazilian cybercrime groups. If these nascent activities start to make progress, we might see more consistent and continued success in the future.

Can we stop them?

The bad news is that diplomatic efforts to change Russia’s geopolitical calculations have so far failed miserably. The Biden administration has stepped up pressure on the Kremlin in recent months, even threatening at one point to take unilateral action against groups like REvil. It applied sanctions to groups like Evil Corp and presented President Putin with a list of critical infrastructure sectors that were to be off-limits. Little has changed.

Similar engagement efforts with Iran and China on cyber issues have proven largely ineffective. In a 2015 agreement between Barack Obama and Xi Jinping, China agreed to “cease” its economic espionage activities. It lasted a few weeks.

So what hope for progress is there? It will be interesting to see what happens in the wake of US sanctions on a Russian cryptocurrency exchange accused of facilitating ransomware payments for cybercrime groups. Of course, chasing a single player won’t stop the attacks. Still, the approach may be worth expanding if the model works and creates a frustrating bottleneck for threat actors attempting to receive and launder funds. The cyber security world and conference rooms around the world are eagerly awaiting more news.

