It has long been known that ransomware as a service groups are largely located in Russia’s sphere of influence. A new Chainalysis study shows just how much volume of ransom depends on ransomware designed specifically not to target Russian victims, a signifier that the ransomware group is taking advantage of Russia’s lenient policy towards domestic cybercriminals who target victims outside of Russia. It’s a lot. And the fact that it is a lot demonstrates just how important working out international agreements to force Russia to prosecute its local cybercriminals will be to tackling global ransomware. 

Chainalysis calculates that since 2020, more than 90% of ransoms attributable to major strains of ransomware come from ransomware hard-coded not to victimize members of the Commonwealth of Independent States (CIS) — a Russia-based group of post-Soviet countries.

“We're seeing very clear trends, especially with the top strains, where they don't attack CIS and Russian-speaking countries. And this is, this is a trend that the right people are going to have to start putting their heads together with, cooperating cross borders,” said Kim Grauer, Chainalysis director of research. 

Russian cybercriminals indicted by other countries, including the U.S., are rarely arrested in Russia. Arrests tend to take place when criminals go on vacation to countries with extradition agreements. 

Malware designed in Russia reflects what intelligence officials describe as a tacit understanding between Moscow and criminals that only crimes within Russia’s borders will be investigated. In many cases, malware will check to see if systems use Cyrillic-language keyboards before deploying, preventing an attack on Russian-speaking victims. 

Experts have advised international cooperation to pressure Russia into taking a more active role in prosecuting its criminals, including various degrees of sanctions and other diplomatic measures.   

At the June summit between U.S. President Joe Biden and Russian President Vladimir Putin following the Colonial Pipeline ransomware attack, Moscow’s permissive stance on allowing cybercriminals to operate unfettered was a topic of conversation. Colonial Pipeline had been infected by a ransomware from group widely believed to be Russian. 

“I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter,'" said Biden, at a post-meeting press conference.