Ransomware that avoids Russian speakers gets 90% of payments

Left to right: U.S. Secretary of State Antony Blinken, U.S. President Joe Biden, Russian President Vladimir Putin and Russian Foreign Minister Sergei Lavrov meet during the U.S.-Russia summit at Villa La Grange on June 16, 2021, in Geneva. (Photo by Peter Klaunzer – Pool/Keystone via Getty Images)

It has long been known that ransomware as a service groups are largely located in Russia’s sphere of influence. A new Chainalysis study shows just how much volume of ransom depends on ransomware designed specifically not to target Russian victims, a signifier that the ransomware group is taking advantage of Russia’s lenient policy towards domestic cybercriminals who target victims outside of Russia. It’s a lot. And the fact that it is a lot demonstrates just how important working out international agreements to force Russia to prosecute its local cybercriminals will be to tackling global ransomware. 

Chainalysis calculates that since 2020, more than 90% of ransoms attributable to major strains of ransomware come from ransomware hard-coded not to victimize members of the Commonwealth of Independent States (CIS) — a Russia-based group of post-Soviet countries.

“We're seeing very clear trends, especially with the top strains, where they don't attack CIS and Russian-speaking countries. And this is, this is a trend that the right people are going to have to start putting their heads together with, cooperating cross borders,” said Kim Grauer, Chainalysis director of research. 

Russian cybercriminals indicted by other countries, including the U.S., are rarely arrested in Russia. Arrests tend to take place when criminals go on vacation to countries with extradition agreements. 

Malware designed in Russia reflects what intelligence officials describe as a tacit understanding between Moscow and criminals that only crimes within Russia’s borders will be investigated. In many cases, malware will check to see if systems use Cyrillic-language keyboards before deploying, preventing an attack on Russian-speaking victims. 

Experts have advised international cooperation to pressure Russia into taking a more active role in prosecuting its criminals, including various degrees of sanctions and other diplomatic measures.   

At the June summit between U.S. President Joe Biden and Russian President Vladimir Putin following the Colonial Pipeline ransomware attack, Moscow’s permissive stance on allowing cybercriminals to operate unfettered was a topic of conversation. Colonial Pipeline had been infected by a ransomware from group widely believed to be Russian. 

“I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter,'" said Biden, at a post-meeting press conference.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.