The war between Ukraine and Russia has disrupted the business model of ransomware attackers, or so it’s said.
It’s an idea that’s been discussed since the war began in February, and now we have some official confirmation that perhaps this isn’t entirely wishful thinking.
The venue was the recent U.K. National Cyber Security Centre’s CYBERUK 2022 conference, and the bearer of good news was none other than the U.S. National Security Agency’s (NSA) director of cybersecurity, Rob Joyce.
“One interesting trend we see is in the last month or two ransomware is actually down. There’s probably a lot of different reasons why that is but I think one impact is the fallout of Russia-Ukraine,” said Joyce.
“As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure in the West, we’re seeing them be less effective. That is one of the knock-on effects.”
(Credit to ZDNet’s Danny Palmer for spotting this nugget, because if you didn’t sit through the many conference presentations you’d probably have missed it. For anyone who wants the full context for the remarks, the video presentation is available here.)
Realistically, it is still too early to make a definitive judgement about the war’s effect on ransomware, although there is no doubt that U.S. sanctions on the Russian financial sector (including the bitcoin exchanges vital to cash in ransoms) have been a big inconvenience.
That matters because Russia is widely agreed to be the home of the most active ransomware threat groups. Anything affecting its financial relations with the rest of the world would be expected to have an effect on every business, not only ransomware.
But not everyone is as upbeat as Joyce. Anti-malware vendor Avast mentioned “a slight decline in ransomware” in its Q1 2022 report, the caveat being that most of the quarter’s reporting covered the period before the war began on Feb. 24.
Elsewhere, GuidePoint’s ransomware trends report noticed a recent increase in the volume of publicly released victim data across most ransomware threat groups, including public enemy No. 1: Conti. Their conclusion is a bit depressing:
“Leading up to the Russian invasion of Ukraine, ransomware operations remained at or above the 2022 average for victim postings per day, and with the exception of the second week of the Russian invasion, the number of ransomware public victim postings increased as the invasion continued.”
Notice that GuidePoint’s measure is based on public data exposures rather than recorded attacks, the former being a more reliable indicator of ransomware activity.
The Measurement Problem
A difficulty here is which baseline is used to measure whether ransomware is increasing or decreasing. Clearly, any period in 2021 is problematic as a yardstick because it was already a record year for these attacks. Meanwhile, January also saw a major ransomware bust when police action disrupted (possibly temporarily) the REvil group, which might have depressed ransomware incidents for a while.
Or perhaps looking for a statistical decline in ransomware is looking for the wrong kind of hope. Until network security improves, or moral hazard is introduced by law enforcement, ransomware is likely to continue its upward trajectory, with a few yo-yos here and there, come what may.
More likely, the conflict in Ukraine will alter the behavior of threat groups, possibly by making them more destructive. More optimistically, the political undertone to some of these attacks might finally motivate organizations to change their ways, treating defense as a strategic priority, or undermining the business model by refusing to pay ransoms.
The Ukraine conflict has reminded us that ransomware has probably always been part of a covert Cold War nobody wanted to face up to. Defending against it will require more Cold War era realism and resilience.