Written by Mark Bowers
CyberClan reviews the ransomware landscape regularly and has seen a noticeable trend develop this year.
There is talk in the insurance market that ransom incidents are down, and some forensic companies have certainly seen a downturn in the volume of ransom cases and data breaches. People speak of the Russia/Ukraine war as if that were, in itself, the simple explanation. The fact is that CyberClan is seeing, in specific geographic regions in which it operates, a marked increase in instructions and an increase in state-related ransomware attacks in the UK and Europe.
Over the last 18 months, prolific ransomware groups have shut down pandemic-battered hospitals, key fuel infrastructure such as Colonial Pipeline, schools, local government and specific commercial sectors, and there has been a sharp increase in the publication of sensitive documents stolen from corporate victims.
However, Russian cyber-related attacks have in part decreased, notably in North America, and we explain why:
Unprecedented activity by hacktivists and other organizations has unleashed cyberattacks against Russian targets at levels not previously seen, and the current conflict in Ukraine finds Russia, not Europe or the United States, struggling under an avalanche of cyberattacks driven by government activity, political volunteerism and criminal action.
Websites have been taken down or had their content altered, and governmental data, financial data, emails, passwords and other sensitive data have been plundered and posted publicly more than at any other time and more than for any other country during this period. Last month, a quarterly survey of email addresses, passwords and other sensitive data released on the open Web identified more victim accounts likely to be Russian than from any other country. Russia topped the survey for the first time. The number of presumed Russian credentials published publicly, such as those for email addresses ending in .ru, has jumped to 50 percent of the global total, more than five times as many as were published in January 2022. Usually, the US takes first place!
A Russian state-owned broadcaster, VGTRK, and the Russian intelligence services have had approximately 20 years of email correspondence exposed. This has been verified by Distributed Denial of Secrets.
Hacktivists are leading the charge, although criminals with no ideological stake in the conflict have also seen the opportunities as the aura of Russian invincibility falls, taking advantage of preoccupied security teams to hold organizations to ransom and extort money. According to the Washington Post, a group known as Battalion 65 has set up its own task force to hack and disseminate any information it can access from Russian state entities and publish its spoils publicly.
Ukrainian government hackers are assumed to be acting directly against other Russian targets, and officials have distributed hacked data including the names of troops and hundreds of FSB agents.
Clearly, Russia is not immune and is not on the front foot of activity against Western targets, as has so often been the case in recent years. That is not to say Western organizations should not be prepared for attacks, and CyberClan advises that every organization review its security posture and business continuity plans in anticipation of orchestrated attacks, as recently happened to the UK legal profession through well-planned security services.
Let’s not forget Conti, one of the most well-known and highly effective Russian ransomware gangs. It declared support for Russia, announced that it would mobilize against any country or entity that opposed the Russian invasion, and stated that it would protect any Russian online interests. However, while many Conti hackers were Russian, citizens of other post-Soviet states often joined the ranks. It is alleged that the majority of Conti hackers earned about $1,500 to $2,000 per month and did not get a share of the big ransoms that Conti is alleged to have accumulated in 2021, around $180 million, a figure that is almost certainly low because it is based purely on publicly reported ransomware attacks, many of which go unreported.
Clearly, Conti overlooked some of its affiliates, such as those in Ukraine, one of which recently published over 100,000 pieces of data containing internal communications from within Conti. It then went on to leak Conti’s core program source code, enabling security vendors to build detections for it.
Network Battalion 65 claims that it has modified the leaked version of the Conti code to evade the new detections and improved the encryption, and that it has then used it to lock up files inside government-connected Russian companies.
CyberClan certainly believes the direction and volume of cyberattacks and ransomware cases have changed. However, we are still seeing attacks increasing in more localized regions, and we expect to see larger-scale attacks and an increased inflow against the West this year.
If any reader of this article would like to discuss our findings or CyberClan’s experience in:
- state-related cyberattacks
- crypto facilitation and sanctions screening
- risk management services to determine security posture
- incident response following an attack
- post-breach remediation
- security operations management
please fill out the form below and a member of our team will contact you.