Financial Incentives May Explain the Perceived Lack of Ransomware in Russia’s Latest Assault on Ukraine
Ransomware has been notably absent the barrage of cyberattacks faced by Ukraine since the Russian invasion in February. Financial concerns are likely the reason ransomware groups have stayed out of the conflict.
In early May 2022, a state of emergency was declared in Costa Rica following a ransomware attack against government systems. The hacking group linked to the attacks–Conti–is thought to work from Russian territory. In a dramatic message, the gang even encouraged Costa Ricans to overthrow the government if officials do not transfer the ransom. In Italy, a ransomware attack that security officials believe is linked to Russian actors disrupted railway ticket vending machines. In Austria, Russian hacking group Black Cat demanded $5 million to unlock encrypted servers and refrain from leaking sensitive information.
What about Ukraine? Ukraine has, in recent years, not suffered large financially motivated ransomware attacks. This might have been because, Ukraine has been historically more a provider of ransomware operators (e.g. Maksim Yakubets) rather than a target. In 2020 and 2021, Ukraine suffered less than 1 percent of ransomware attacks globally. This aligns with a trend where criminal groups avoid attacking systems on territories of the former Soviet Union.
But Russia’s assault earlier this year could have triggered an increase in ransomware attacks launched from Russian territory on Ukraine. Already in February 2022, the Conti ransomware group stated that it fully supported the Russian government’s war in Ukraine and that it is “going to use all possible resources to strike back at the critical infrastructures of an enemy.” And indeed, Conti launched several campaigns against Ukraine in recent months. The attacks have differed from Conti’s typical modus operandi, utilizing Cobalt Strike malware in highly targeted campaigns, aimed at Ukrainian government networks and critical infrastructure as opposed to previous more indiscriminate attacks.
Despite all the above incidents no major ransomware attacks targeting Ukraine have been reported since the onset of the Russian invasion. What came closest to an actual ransomware attack was the WhisperGate malware in January 2022, days before the Russian invasion was launched. The malware had disguised itself as ransomware but was in fact a wiper, code that simply destroys data. This tactic may have been intended to confuse defenders and make them believe the attack was not a preparation for war, but rather a financial motivated.
Despite this lack of major ransomware attacks, they could be a useful tool in this war. Ransomware could be a way to hamper government services in Kiev and other Ukrainian cities. Russian forces are already putting pressure on Ukrainian infrastructure, mainly through missile strikes, and ransomware deployed by cybercrime groups could further increase the political pressure on Ukrainian officials to deliver basic services. In addition, the data that is gathered in government systems during these operations could be shared with Russian intelligence services and shed a light on Ukrainian strategy and inform Russian war operations.
So why a lack of ransomware attacks? There are plenty of potential reasons. One may be that Ukraine has increased the resilience of its network in recent years, facing increased Russian activities on a day to day basis, while receiving assistance from U.S. Cyber Command and private companies. Another alternative explanation is that Russian hacking groups were instructed by the Kremlin to refrain from conducting ransomware operations against Ukraine not to interfere in ongoing cyber operations conducted by Russian intelligence agencies. Keeping in mind the historical closeness between Russian criminal actors and the various Russian intelligence agencies (Conti with the FSB; EvilCorp [PDF] with both the FSB and SVR) communication with proxies is conceivable.
But the major reason is likely financial. From a Ukrainian perspective, engaging with Russian criminal groups would be counterintuitive, since it would feed the Russian war machine. Thereby Ukrainian payments are less likely to occur. What is more, it is unclear if insurance companies would cover a ransomware payment in times of war, further disincentivizing criminal activity against entities in Ukraine by reducing the likelihood that attackers will be paid. Many entities in economically poor Ukraine might not be the most lucrative targets for criminal operations. What is more, a series of recently imposed financial roadblocks make it harder for cyber criminals to conduct business in Ukraine and elsewhere. This includes Ukraine’s central bank banning payments to Russia and Belarus, the exclusion of Russian banks from systems like SWIFT, and Russia making crypto payments illegal. These financial disincentives on both sides of the warring parties may have prevented an uptick in major disruptive ransomware operations in Ukraine. Ransomware operators have clearly participated in the conflict, as evidenced by Conti’s attacks against Ukraine, but they have not leveraged their attacks to make a profit. Ransomware operators also have other ways to participate in the conflict, without jeopardizing their business, given the wide variety of hacktivist groups on both sides of the conflict
In recent decades, criminal activities in times of war have always been a headache for policymakers. This was the case in Bosnia and Herzegovina as well as Afghanistan and it also applies to the current war. While some criminal sectors have benefited from Russia’s illegal assault on Ukraine, such as human trafficking, the war does not appear to have increased the activity of Russian ransomware groups in Ukraine and globally, at least for now.