The Russian government and human-operated ransomware

Assessing possible links between the Russian state and destructive “criminal” cyber attacks

Gabriel Currie
4 min read · Dec 8, 2020

At the end of November, a tweet rapidly made its way around the cyber security community, claiming to show evidence a number of prominent human-operated ransomware groups were “directly connected with the Russian government”.

Regardless of the contents of this tweet, I don’t think there is enough evidence to make a credible overall assessment on whether the Russian government is connected to human-operated ransomware. However, there are four relevant things we can credibly talk about, and that can inform the overarching discussion.

  1. The Russian government has strong links to serious and organised crime
  2. Russia-based cyber crime groups have been linked to the Russian intelligence and security agencies
  3. Russia seeks to destabilise the West via “hybrid” means
  4. Human-operated ransomware is having a destabilising impact on the West

The Russian government has strong links to serious and organised crime

The Russian government has strong links to serious and organised crime, and frequently co-opts organised crime groups to do its bidding. This came to prominence in the early 2000s, in what Mark Galeotti calls the “emergence of a conditional understanding that Russia now had a ‘nationalised underworld’” when Russia-based organised crime groups began acting on behalf of the state both domestically and abroad.

Since then, the Russian government has maintained these links and has frequently co-opted organised crime groups to do its bidding. For example, Mark Galeotti also writes: “during the 2011 State Duma elections there were clear indications that criminal gangs were being used to get out the vote and disrupt opposition campaigns”. These links were reiterated in the Intelligence and Security Committee’s 2020 “Russia Report”:

GCHQ told the Committee that there is “a quite considerable balance of intelligence now which shows the links between serious and organised crime groups and Russian state activity” and that “we’ve seen more evidence of *** serious and organised crime *** being connected at high levels of Russian state and Russian intelligence”, in what it described as a “symbiotic relationship”.

Russia-based cyber crime groups have been linked to the Russian intelligence and security agencies

In many instances, Russia-based cyber crime groups (or cyber crime acts conducted by organised crime groups) have been linked to the Russian intelligence and security agencies. These groups often provide services to the Russian government (i.e. conduct operations directed by the intelligence and security services) in return for immunity from domestic prosecution and protection from extradition. For example, Russia highly likely used organised crime groups to support offensive cyber operations targeting Georgia in 2008.

Mark Galeotti writes:

Although there is evidence that Russian security agencies are increasingly developing their own in-house hacking capabilities, Moscow still depends, to a considerable extent, on recruiting cybercriminals, or simply calling on them from time to time, in return for their continued freedom.

In some cases, specific groups and even individuals have been linked to the Russian intelligence and security agencies. The US Government’s 2019 indictment and sanctioning of the self-styled “Evil Corp” (the group behind DoppelPaymer and BitPaymer ransomware strains) specifically called out links between the group’s leader and the FSB (Russia’s domestic security service). The Treasury writes:

In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government. As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations that was previously sanctioned pursuant to E.O. 13694, as amended, on December 28, 2016. […] Additionally, as of 2017, Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.

Russia seeks to destabilise the West via “hybrid” means

In recent years Russia has used a broad range of (generally) non-military means to destabilise the West and help it to achieve its own policy goals (for example, weakening NATO, annexing territory, and ensuring access to European markets). This is broadly referred to as “hybrid war”, and relies on information operations, offensive cyber operations, economic and political influence, and “active measures”.

Specific examples of this include:

  • Targeting the 2016 US Presidential election with a combined offensive cyber and information operations campaign, designed to undermine what Russia expected to be a Hillary Clinton presidency.
  • Creating and spreading online content through organisations such as the Internet Research Agency to amplify cultural and political divisions in Western society and increase perceptions of polarisation.
  • Attempting to incite a coup in Montenegro in 2016, in order to prevent the country’s shift towards Europe and NATO.

Human-operated ransomware is having a significant destabilising impact on the West

Human-operated ransomware, as of December 2020, is one of the most significant cyber threats that organisations in Europe and North America (and arguably worldwide) face.

Attacks have targeted hospitals and healthcare providers during the COVID-19 pandemic, caused manufacturing lines to grind to a halt, and forced organisations into administration. Such actions have arguably had a significant destabilising impact.

It’s also worth stating that human-operated ransomware is having comparatively little effect on Russia and the former Soviet Union. In many cases, ransomware variants perform a region check before encrypting anything (for example, by inspecting the installed keyboard layouts or the system’s default language) and exit if the host appears to be located in one of these countries.
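To make the region check concrete, here is an added illustration written for this page in Python; it is not code from the post and not taken from any ransomware sample. It models the common Windows variant of the check: the low 16 bits of each keyboard-layout handle (HKL) returned by GetKeyboardLayoutList() are a Windows language identifier (LANGID), which is compared, together with the default UI language, against a list of languages spoken in Russia and the former Soviet states. The LANGID table is an illustrative subset, not the list used by any specific family, and the sample inputs are constructed.

```python
"""
Model of the locale check many ransomware families run before encrypting,
so that hosts in Russia and the former Soviet states are skipped.
Added illustration for this page; not code from any real sample.
"""
import sys

# Windows LANGIDs (the low word of an HKL) for languages of the region.
# Illustrative subset: real samples differ in which IDs they include.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
}


def langid_from_hkl(hkl: int) -> int:
    """Extract the LANGID from a keyboard-layout handle.

    The high word of an HKL identifies the physical layout or IME; the low
    word is the language identifier, which is what the check compares.
    """
    return hkl & 0xFFFF


def matching_locales(keyboard_hkls, ui_langid):
    """Names of region locales found among the installed keyboard layouts
    or the default UI language. Empty list means no match."""
    found = []
    for hkl in keyboard_hkls:
        name = CIS_LANGIDS.get(langid_from_hkl(hkl))
        if name and name not in found:
            found.append(name)
    ui_name = CIS_LANGIDS.get(ui_langid)
    if ui_name and ui_name not in found:
        found.append(ui_name)
    return found


def would_be_skipped(keyboard_hkls, ui_langid) -> bool:
    """True if a locale-checking sample would exit without encrypting."""
    return bool(matching_locales(keyboard_hkls, ui_langid))


def live_windows_inputs():
    """On Windows, read the real values through the same user32/kernel32
    calls such checks use. Returns None elsewhere so the module runs offline."""
    if sys.platform != "win32":
        return None
    import ctypes
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    count = user32.GetKeyboardLayoutList(0, None)   # 0/NULL asks for the count
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    hkls = [int(h or 0) for h in buf]
    return hkls, kernel32.GetUserDefaultUILanguage()


if __name__ == "__main__":
    # Constructed sample hosts. A standard layout's HKL repeats the LANGID in
    # both words, e.g. 0x04090409 for US English and 0x04190419 for Russian.
    hosts = {
        "US host, US layout only": ([0x04090409], 0x0409),
        "US host with a Russian layout added": ([0x04090409, 0x04190419], 0x0409),
        "Ukrainian UI language, US keyboard": ([0x04090409], 0x0422),
    }
    live = live_windows_inputs()
    if live:
        hosts["this machine"] = live
    for label, (hkls, ui) in hosts.items():
        print(f"{label}: skipped={would_be_skipped(hkls, ui)} "
              f"matches={matching_locales(hkls, ui)}")
```

Two practical caveats follow from the model. First, the check keys on language identifiers, not on geography, so a machine anywhere in the world with a matching layout or UI language is skipped; this is why adding such a layout has been discussed as a cheap mitigation, though it is not one to rely on, since families differ in which inputs they inspect (keyboard layouts, UI language, system locale, or none at all) and the check can be removed in any build. Second, from a detection standpoint, a process that enumerates keyboard layouts and then touches nothing is consistent with this behaviour, and is worth a second look when it appears in an unexpected binary.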

Gabriel Currie

Head of Cyber Security at the UK Government’s @Cabinet_Office