Corvus observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15).
Incident response firms have likewise reported a slowdown in ransomware activity through February 2022, with indications of these attack types resurfacing in March.
We believe the Russian invasion of Ukraine threw the ransomware ecosystem into flux, resulting in a slowdown of activity while ransomware actors regrouped.
Russia has been widely recognized as one of the world’s leading cyber powers. Their government’s direct ties to ransomware gangs — and leniency towards their own indicted hackers — puts them in the forefront of most conversations around strategic, offensive cyber attacks.
In January 2022, however, Russia arrested notable ransomware group REvil. The nation’s intelligence bureau, FSB, declared that the group “ceased to exist.” While this marked the first collaboration of the US and Russia on a cybercrime law enforcement operation, it coincided with rising tensions as a result of Russian troops massing at Ukrainian borders.
It's crucial to note that REvil had been widely disbanded since September, months before the arrests. But a dip in ransomware claims didn't begin until the start of 2022, weeks prior to Russia's physical invasion of Ukraine. This prompts the question: what's actually behind the change?
It’s nearly impossible to answer with certainty, but we can make some informed hypotheses as to why there has been a noticeable lull in ransomware activity leading up to the present. The common threads? First, the arrests of REvil worried ransomware actors — suddenly they could see tangible repercussions for their activities. Second, after the Russian invasion of Ukraine, cybercriminals became divided in a way they haven’t been before. Threat intelligence provides unique insights as to why this might be.
Reductions in Ransomware Claims
We noticed the downward trend in ransomware incidents at the beginning of 2022. Specifically, Corvus observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15). Incident response firms saw a similar trend, with some noting a decline in ransomware response activity in January and February 2022. While ransomware activity appears to be returning in March 2022, the dip in ransomware claims is telling of the impact that the Russian invasion of Ukraine has had on the broader cybercriminal ecosystem.
A Fractured Ransomware Ecosystem
As business gurus love to say, collaboration is the key to success — and this applies to threat actors, too. Right now, the ransomware ecosystem (and its cybercriminals) are going through a fundamental shift in operational strategy. We can chalk that up to a growing divide initiated by the war between Russia and Ukraine. There’s a line being drawn in the sand that didn’t exist before, pushing hackers to one side or the other. This goes beyond just political affiliation; it drives toward a sense of nationalism. This emotionally charged line vastly prohibits their typical collaborative nature, raising the potential for attackers to become the victims of each other’s work. Here are three ways this division is manifesting in the cybercrime environment.
1. Physical Disruption
Many prominent ransomware threat actors operate out of Ukraine. During the invasion, their day-to-day operations have been significantly impacted — not only is their personal safety in question, but also that of their IT infrastructure. This has resulted in a shift in their operational strategy that requires a physical relocation as well as retooling to ensure internal infrastructure is running.
2. Internal Divide
Conti, a Russia-based cybercrime group, announced their allegiance to President Vladimir Putin and vowed to attack any enemies of the Kremlin that dare to intervene. The group stated, “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.” However, following the announcement pledging allegiance to Russia, internal chats and source code were leaked. It is alleged that the leak originated from a Ukrainian cyber security researcher.
In addition, pro-Ukrainian actors are refusing to sell, buy, or collaborate with pro-Russian actors, as reported by Accenture. They are instead focusing their energy on targeting Russian entities in further support for Ukraine.
As we’ve seen with Conti, a group well-known for using ransomware to extort millions from the U.S. and European countries, pro-Russian attackers are focusing on targeting “enemies of Russia,” amplifying retaliation efforts. In mid-February, we saw a large-scale DDoS attack — the largest of its kind ever to hit Ukraine — which impacted two banks and the country’s defense ministry. Later in the month, DDoS attacks targeted Ukrainian government bodies while destructive malware known as HermeticWiper targeted additional organizations. This all came before the physical invasion, but worked to disarm Ukraine and increase chaos. While this has yet to impact other countries, the tides can quickly shift towards nations perceived as enemies of Russia.
3. Increased Hacktivism
Amidst the flurry of activity among threat actors supporting Ukraine or Russia, global hacktivist groups are also getting involved. Suddenly, there’s a lot of new work on their plates. Hacktivists have taken the lead on defacing websites, leaking stolen data, and participating in DDoS attacks. The decentralized and widespread nature of these threat actors allows a level of fluidity that can be particularly difficult to predict.
Continuing Risks to Western Organizations
While reports across the incident response industry have observed a general slowdown in attacks targeting Western countries, a large threat remains to critical infrastructure, something the White House called out. As we have seen with the Colonial Pipeline and JBS Foods attacks, there can be massive consequences to attacks on suppliers of fuel, food, and water. These in particular were also tied to Russian-based attackers, propelling ransomware to the top of the United States’ national security agenda. Critical infrastructure remains the most effective target in the event of any retaliation, due to the sheer impact and cost.
We should also anticipate attacks against organizations that have made public stances against Russia’s invasion. From consumer goods to finance, businesses have made a point to suspend further investments and involvement with the country. Most notably, the decision involves tech companies — such as Apple, Youtube, Netflix, and AWS — who, on their own accord, have taken a range of actions including suspending advertising, preventing new user signups, and fully stopping sales.
You might wonder what the short-term impact is on cyber incidents. We can see there is less focus on ransomware actor’s typical day-to-day activities, which involve attacks on their usual victims — profitable businesses. In the long term, however, cybercriminals will most likely focus on recalibrating their workflows to return to classic income streams. The trend of decreased ransomware will not be a permanent shift, just a waiting period until threat actors effectively develop new strategies.