While it has been a long-standing question whether there are political motivations behind ransomware attacks, new research by the Stanford Internet Observatory reveals that some Russian ransomware groups may be timing their attacks against Western nations to support Moscow's geopolitical goals.
The research, presented at the Cyberwarcon security conference last week, analyzed the ransomware landscape in the six most-attacked countries: the United States, Canada, France, Italy, Germany, and the United Kingdom. The dataset shows that the number of Russia-based ransomware attacks rose in the months before these countries' national elections.
“There is not much difference in the number of attacks between Russia-based and non-Russia-based groups six or five months ahead of countries’ national elections,” Karen Nershi, a researcher who led the study, told SC Media in an interview. “But we see an increasing number of Russia-based attacks starting around four months before the events [and continuing until the elections], which suggests that there may be political motivations behind those groups.”
Regarding trends across sectors, the study found an elevated rate of attacks targeting government entities two months before the elections, which, according to Nershi, suggests that Russia might target election infrastructure to disrupt countries’ ability to hold the events. The research, however, found no significant increase in attacks against the communications, finance, energy, and utility sectors before the elections.
Nershi also noted that a spillover effect from other cyber activities could explain the trend.
“Based on the findings, we theorize that Russia maintains loose ties with ransomware groups,” Nershi said. “These Russian-based groups operate as independent criminal organizations that occasionally perform favors for the government. And in exchange, Russia gives these groups a safe harbor from prosecution.”
Nershi told SC Media that the study also has some limitations. First, the dataset only covers victims of double-extortion attacks, so it may not reflect trends in other kinds of ransomware attacks. Second, because some groups run Ransomware-as-a-Service operations in which affiliates carry out the attacks, it can be difficult to analyze the behavior of the individual affiliates behind a given incident.
However, the work does align with some previous findings.
Research from Recorded Future last year found evidence of a loose but “symbiotic” relationship between Russia-based ransomware groups and the government. These relationships are indirect, amorphous and “based on spoken and unspoken agreements” as well as “fluid associations.” They tend to take three forms: direct ties; a “see no evil” posture towards cybercriminal groups whose work overlaps with or benefits Russian state interests; and demonstrable associations – such as recruitment – between Russian intelligence or law enforcement operatives and the cybercriminal underworld.
While President Vladimir Putin has dismissed claims that such a relationship exists, the Russian government’s robust surveillance system gives it visibility into ransomware operations taking place within its borders, and it is also able to exercise substantial control over the resources – such as local servers, hosting and other infrastructure – that these cybercriminal groups rely on to survive.
This year, shortly after Russia's invasion of Ukraine, leaked files and messages from Conti, one of the most prolific ransomware groups, indicated that the group planned to use all possible resources to support the Russian government. Dragos' Q3 industrial ransomware analysis, published last month, also found that ransomware trends are tied to political factors, including the conflict between Russia and Ukraine.