Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin does not cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country as long as they do not attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin’s offensive hacking. The answer is starting to become clearer.
New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries’ national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.
The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.
“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two , one month in, up to the event.”
The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.
The findings showed broadly that non-Russian ransomware gangs did not have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline .