As the world’s first ransomware distribution center, Russia has produced a model that could prove itself in several other countries around the world, unless we find an effective way to destabilize our adversaries.
In 2017, the first destructive ransomware, WannaCry and NotPetya, spread widely around the world. Over the past few years, cybercriminal gangs have realized that they can make even more money by attacking large corporations and demanding multi-million dollar ransoms from them. Some groups have improved their operations by integrating methods more widely associated with APT (Advanced Persistent Threat) actors, in particular the use of legitimate tools that allow them to move further through networks without triggering any alerts.
The ransomware-as-a-service model and affiliate programs have enabled a whole new set of actors to carry out attacks. The perpetrators get richer, the victims continue to pay despite government advice (often funded by insurance policies) and, most importantly, the Russian state turns a blind eye to these activities. The result? Since the beginning of this year, the number of victims named on ransomware sites has already exceeded the number recorded in 2020, and it is estimated that this represents only about 10% of the total number of victims.
Why are Russian cybercriminal groups so numerous?
The point is not only that the state turns a blind eye to their activities if they are directed abroad. There is also a very large number of graduates who are competent in technology, a legacy of the Soviet era, when the state made science a priority. Many of these individuals cannot find well-paid jobs without good contacts. Finally, there is a thriving underground cybercrime ecosystem built around dark web forums and marketplaces in their own language, where criminals can obtain new TTPs (tactics, techniques, and procedures), sell stolen data, or respond to “job” ads.
This Russian model could very easily spread to other countries, jeopardizing businesses in the US, Europe and elsewhere. Take China as an example. It has a large, highly skilled IT workforce, a powerful underground cybercrime economy, and an autocracy more than willing to turn a blind eye to illegal activities as long as they target strategically significant countries such as Taiwan, the United States, the United Kingdom, or Australia, to name just a few.
Iran has a similar profile: a well-trained workforce that cannot put its skills to use and be properly remunerated. In addition, the government is likely to be relatively content to see an old enemy, the United States, taken on. And it doesn’t stop there. Take Brazil. The country has long been a hotbed of cybercriminal activity, mostly related to data breaches and banking trojans. It won’t take long for Brazil to become a protagonist of ransomware-as-a-service. It is unlikely that this democratic country will voluntarily protect such criminals, but all scenarios are possible. We have already witnessed sporadic ransomware campaigns with clear links to Chinese, Iranian or Brazilian cybercrime groups. If these new activities begin to grow, we are likely to see more regular and more successful cybercrime.
Can we stop them?
The bad news is that, so far, diplomatic attempts to change Russia’s geopolitical calculations have failed miserably. In recent months, the Biden administration has stepped up pressure on the Kremlin, going so far as to threaten unilateral action against groups like REvil. It also imposed sanctions on certain groups such as Evil Corp and presented President Putin with a list of critical infrastructure that should not be attacked. Little has changed.
Similar attempts to involve Iran and China in the fight against cybercrime have failed. After an agreement reached in 2015 between Barack Obama and Xi Jinping, China decided to stop all economic cyber espionage activities. It only lasted a few weeks.
What are the chances of seeing things change?
It will be interesting to see the implications of US sanctions against a Russian cryptocurrency exchange accused of facilitating ransom payments to cybercriminal groups. Trying to stop just one actor will not be enough to prevent further attacks. On the other hand, if the model seems to work and creates a chokepoint that prevents attackers from receiving and laundering the proceeds of their operations, it might be worth exploring the idea further. The cybersecurity industry, as well as the boards of directors of companies around the world, are eagerly awaiting news on this matter.