Russia-based ransomware gangs were among the most prolific and belligerent, thanks in part to the apparently safe harbor the Russian government opened to them. The Kremlin does not cooperate with international ransomware investigations and generally refuses to prosecute cybercriminals operating in the country as long as they do not attack domestic targets. A long-standing question, however, is whether these financially motivated hackers ever received instructions from the Russian government and whether the gangs were involved in the Kremlin hacking attack to a certain extent. any. The answer is starting to become clearer.
New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the US, Canada, UK, Germany, Italy and France. national elections of countries. The findings reveal a loose but clear link between the Russian government’s priorities and activities and the ransomware attacks that led to the elections in six countries.
The project analyzed a dataset of more than 4,000 ransomware attacks inflicted on victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, researcher at the Observatory Stanford Internet and Center for International Security and Cooperation, analysis reveals a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in six victim countries before their national elections. These countries suffer the most total number of ransomware attacks each year in the dataset, about three-quarters of all attacks.
“We used the data to compare the timing of attacks for groups that we think are based outside of Russia and groups based everywhere else,” Nershi told WIRED ahead of the meeting. his talk. “Our model looked at the number of attacks on any given day, and what we found was this interesting relationship, where for these Russia-based groups we see The number of attacks increased starting four months before the election and moved to three, two. , one month from the event. “
The dataset is culled from the dark web sites that ransomware gangs maintain to name and shame victims and pressure them to pay. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on so-called “double blackmail” attacks are common in which hackers compromise the target network and steal data before introducing ransomware to encrypt the system. The attackers then demand a ransom not only for the decryption key but also to keep the stolen data secret instead of selling it. Researchers may not be able to collect data from every single double blackmailer out there, and attackers may not be able to post about all of their targets, but Nershi says data collection is very powerful. thorough, and groups are often interested in making their attacks public.
The findings broadly suggest that non-Russian ransomware gangs do not have a statistically significant increase in pre-election attacks. For example, while two months into the national election, researchers found that organizations in six top victim countries were at increased risk of ransomware attacks from a gang based in the United States. Russia is 41% higher on a given day. .
