The world might just have experienced its first ever hacktivist ransomware attack. It came by way of a claim by campaigners opposed to the regime of President Lukashenko that they encrypted computers belonging to the Belarusian Railway service.
The highly unusual attack is said to have happened on Jan. 24, when a group calling itself the “Belarusian Cyber Partisans” tweeted that it had encrypted servers, databases, and workstations belonging to the country’s railway service.
Instead of demanding a ransom, the group said it would only supply the encryption key if Belarusian authorities released 50 “political prisoners” needing medical attention and stopped allowing Russian troops to enter the country as part of the standoff with Ukraine.
The attack and any disruption caused by it hasn’t been confirmed by the Belarusian authorities—information has been tightly rationed in the country since social unrest in 2020—but the Cyber Partisans posted screenshots of financial and other documents compromised during the attack to back up their claim.
A former Belarusian Railway worker quoted by the U.S. Government-funded Radio Free Europe said he believed the attack had caused operational problems:
"All the archives have been destroyed. It is impossible to see statistics for the last year or the last month. Nothing in electronic format remains. Some of the information could eventually be restored by gathering data from the tax service and other agencies."
Two security weaknesses emerge. The first is this source’s claim that political purges have robbed the service of experienced staff. Compounding this, a document posted by the attackers appears to show an internal request for the railways to migrate workstations from Windows XP, a sitting duck of an OS that is now more than eight years beyond its end-of-life date.
Ransomware attacks attributed to genuine hacktivists are unheard of for a good reason: ransomware requires a lot of complex software and infrastructure to work successfully. Apart from being illegal and therefore risky in most countries, that infrastructure is difficult to acquire and maintain, let alone guard.
Launching a hacktivist DDoS attack or website defacement, as the infamous Anonymous group did a decade ago, is kindergarten stuff by comparison. It might be possible to piggyback on existing infrastructure using ransomware-as-a-service, but even there affiliate fees are high, and affiliates are vetted on their background.
That leaves two possibilities. The first is that the attackers stole files and deployed more conventional destructive malware such as disk wipers: not good for Belarusian Railways, but not as serious as a fully fledged ransomware attack.
The second is that the group used a previously unknown custom ransomware, which is now a known quantity and therefore less useful for future attacks.
Nevertheless, for anyone whose job it is to defend organizations against ransomware, even the possibility that a new wave of hacktivism might be reborn in 2022 through ransomware will sound alarming. Today, the Belarusian Cyber Partisans are on the warpath, but they could quickly be joined by copycats with broader objectives.
That possibility remains some way off. The 2010 wave of hacktivism was aided by lax laws and few examples of perpetrators being jailed. A wave of prosecutions changed that, turning ransomware into a phenomenon predominantly of countries that shield attackers from accountability.
For now, a single hacktivist incident using probably unsophisticated ransomware changes little. What it has done is strike a mostly symbolic blow while reminding us that no country’s critical infrastructure is safe from attack.