Traditionally, ransomware attacks have been regarded as apolitical criminal activities. However, there is growing speculation about possible ties between Russia-based ransomware groups and the Kremlin. Our working paper aims to assess political motives behind ransomware attacks based on a newly gathered dataset of ransomware victims. Our findings challenge the notion that attack trends from Russia-based ransomware groups can be solely explained by financial motives.
To construct the dataset, we collected information from 55 dark web leak sites, focusing on victims targeted by "double extortion" attacks. These attacks involve threatening to publish stolen data even after the victim has paid the ransom. The dataset comprises 4,194 victims from 55 ransomware groups, spanning the period from May 1, 2019, to April 30, 2022.
Our analysis reveals several notable patterns. First, we observe an increase in the frequency of attacks by Russia-based ransomware groups leading up to elections in several major democracies, with no similar increase in attacks by groups based outside of Russia. Second, companies that withdrew from or suspended operations in Russia following the invasion of Ukraine were more likely to experience ransomware attacks in the months following the invasion, potentially indicating retaliatory motives. Third, we find a decline in the number of daily ransomware attacks after the invasion, which could be attributed to Russia enlisting ransomware operators to support its cyber offensive against Ukraine.
We also analyzed over 60,000 leaked messages from a prominent Russia-based ransomware group called Conti. These communications show that Conti generally operated independently from the Russian state. However, they also reveal connections between Conti leaders and Russian government contacts and show cooperation on at least one state-backed cyber operation. The chats also reveal that group members believe the Russian government provides them and other groups with safe harbor.
Our data are consistent with a model where the Russian government maintains decentralized yet cooperative relations with Russia-based ransomware groups. The government offers safe harbor from prosecution in exchange for plausible deniability for attacks and access to skilled cyber actors. The Kremlin also benefits indirectly as groups primarily target victims in Western countries. Our findings suggest ransomware presents an international security threat in addition to functioning as a form of crime.