Over 100 years ago, the Great War was being waged in what is now central and eastern Europe, along with Russia. During the “war to end all wars,” the world saw significant technology changes that brought new, and often terrifying, ways to inflict damage on people and countries. Fast forward to early 2022 and the Russia-Ukraine war, where we are seeing another wave of technological improvements being utilized to gain an upper hand in the conflict.
As we have discussed over the past few years, ransomware attacks are far and away the largest attack vector impacting organizations globally. These numbers have grown exponentially over the past five years. The 2021 FBI Internet Crime Report records 3,729 ransomware complaints, with a reported loss of $49.2 million.
Ransomware attacks originate from around the world; however, CBS reported that a number of attacks originate from a cartel of Russian-based ransomware gangs. An article published by The Guardian quoted Lindy Cameron, the chief executive of the UK’s cybersecurity agency (National Cyber Security Centre), as stating that “…cybercriminals based in Russia and neighbouring countries are responsible for most of the devastating ransomware attacks against UK targets”.
Silence is golden… and scary
In our Russia Ukraine Conflict Observables War Room blog from March 9, 2022, we discussed a number of topics surrounding the Russia Ukraine conflict including Certified Information Systems Auditor’s (CISA’s) “Shields Up” guidance. All indications at the time pointed to a significant response from Russian cyberattackers against organizations in the U.S., as well as other countries that were sympathetic to or supporting Ukraine in their defense against Russia’s invasion.
Interestingly enough, we are seeing a significant reduction in traditional ransomware attacks impacting our clients. Discussions throughout the incident response community, as well as our own observations, point to the same reduction across the small-to-midsize business community. As the Russia-Ukraine war continues to grind on, it is time to better understand what is occurring, as it will ultimately impact our clients and the industry as a whole.
Infrastructure attacks, but not here yet
Not that long ago, the thought of anyone launching a cyberattack against Russia would have been unthinkable, but now we see Russia fending off numerous major cyberattacks. The Washington Post reported that these attacks “have plundered the country’s [Russia’s] personal financial data, defaced websites and handed decades of government emails to anti-secrecy activists abroad. One recent survey showed that more passwords and other sensitive data from Russia were dumped onto the open web in March than information from any other country.”
According to Recorded Future, on February 24, 2022, the Anonymous group officially declared “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine”. Since then, a number of other threat actors have joined the effort to wage a cyber war on Russia, with targets including the Russian-state-controlled international TV network website, Russia’s biggest financial lender, the Official Russian Information Website and the Ministry of Economic Development of Russia, to name but a few.
These hacktivist attackers are spreading their attention to supporters of Russia, including its close ally, Belarus. Bloomberg has detailed how these attackers effectively disabled the Belarusian train system to disrupt Russia’s movement of troops and equipment as it prepared to stage the attack on Ukraine.
On the other side, Russian military-linked hackers have attempted to attack the Ukrainian power grid, according to CNN. Leading up to the invasion, Russian hackers stole data from a number of key entities, including the Ukraine Ministry of Internal Affairs, which oversees the police, national guard and border patrol, according to The Associated Press (AP). The AP further detailed that Russian attackers were developing dossiers on “committed patriots,” which the Russian military has likely used to kidnap and kill local leaders and other pro-Ukrainian activists and supporters.
Microsoft has detailed that, just before the invasion of Ukraine, “at least six separate Russia-aligned nation-state actors launch[ed] more than 237 operations against Ukraine—including destructive attacks that are ongoing and threaten civilian welfare.”
Hackers taking sides
In November 2021, we detailed in our War Room blog, Digital piracy through ransomware: A change in tides, how a disgruntled affiliate of the Conti ransomware group leaked a treasure trove of information about the inner workings of the group. The Conti gang is a Russian group that has been one of the most financially damaging organizations in the past few years.
According to CNBC, at the start of the conflict in Ukraine, the Conti leadership decided to side with Russia, leading some supporters of Ukraine to start leaking thousands of internal messages, along with pro-Ukraine messages.
In late February 2022, Recorded Future had a very insightful observation about how the conflict is causing loyalties to be split.
“While in the past Russian and Ukrainian hackers previously worked side by side, since Tuesday [February 22, 2022], this fraternity has been under strain, with several groups choosing sides in the armed conflict between the two countries.
Several gangs have come forward to announce plans to launch cyberattacks in support of one of the two sides, with Conti being one of the many gangs that chose to side with Russia.
‘The Conti Team is official announcing a full support of Russian government,’ the group said in a very aggressive message posted on Friday.
‘If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy. [sic]’”
What does this mean for you?
The leading base of operations for ransomware attacks is Russia and other eastern European countries. However, these hacking groups are currently fighting on the cyber front of this war and are not actively perpetrating their normal financially motivated ransomware attacks. What does this “ransomware recession” mean for you?
- A reduction in financial and business interruption costs for companies
- Fewer financial losses for cyber insurance providers to cover
- More opportunity for organizations to increase their cybersecurity posture ahead of an attack, instead of during and after an attack
However, do not rest too easy.
CNN recently reported that Russian intelligence agencies are actively attacking government systems both in the U.S. and amongst our allies. This report indicates that, as Russia becomes more isolated, it has a greater need to gain information and intelligence through cyberattacks.
Companies should continue to follow CISA’s “Shields Up” guidance and be vigilant. To be better prepared for the wave of financially motivated ransomware attacks to return, you should increase your cybersecurity defenses:
- Deploy multifactor authentication.
- Secure remote connection access.
- Implement a regular update and patch program.
- Create network segmentation.
- Use a backup strategy that reduces the ability for attackers to destroy or corrupt backup data.
- Know your data and protect critical and sensitive information.
Just remember, this too shall pass. The cyber soldiers will turn their attention back to the normal financially motivated criminal activity—and you may become a victim.
For additional information about how RSM can help you prepare for these ongoing threats, please contact us for a cybersecurity rapid assessment.