Russian ransomware gangs are some of the most prolific and aggressive, thanks in part to the apparent safe haven the Russian government provides them. The Kremlin does not cooperate with international ransomware investigations and generally does not prosecute cybercriminals operating in the country as long as they do not attack domestic targets. A long-standing question, however, is whether the financially motivated hackers ever receive orders from the Russian government, and to what extent the gangs are involved in aggressive Kremlin hacking. The answer is starting to become clear.
A new study presented today at the Cyberwarcon security conference in Arlington, Virginia looks at the frequency and targets of ransomware attacks against organizations in the United States, Canada, the United Kingdom, Germany, Italy and France in the run-up to those countries' national elections. The findings reveal a loose but clear alignment between the Russian government's priorities and activities and the ransomware attacks that preceded elections in the six countries.
The project analyzed a dataset of more than 4,000 ransomware attacks carried out against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis shows a statistically significant increase in ransomware attacks by gangs from Russia against organizations in the six victim countries ahead of their national elections. These countries suffer the most ransomware attacks in the dataset each year, accounting for about three-quarters of all attacks.
“We used this data to compare the timing of attacks before the election, especially before the election, which groups attributed to organizations outside of Russia and elsewhere. The model looked at the number of attacks on any given day and was based on our findings on the increase in attacks before the election.”
The dataset was culled from dark web sites maintained by ransomware gangs, which are used to name and shame victims and to pressure them into paying. Nershi and Shelby Grossman, an academic and researcher at the Stanford Internet Observatory, focused on the popular so-called “double extortion” attacks, in which hackers compromise targeted networks and exfiltrate data before deploying ransomware encryption. The attacker then demands a ransom not only for the decryption key but also for keeping the stolen data private rather than selling it. The researchers may not have captured data from every double-extortion actor out there, and attackers may not publish all of their targets, but Nershi said the data collection is thorough, and the groups are generally interested in publicizing their attacks.
The findings broadly showed that there was no statistically significant increase in attacks by non-Russian ransomware gangs ahead of elections. By contrast, with national elections two months away, the researchers found that organizations in the six top victim countries were 41 percent more likely to be hit by a ransomware attack from Russian gangs on a given day than the baseline.