Russia is part of the Ransomware Problem

It is hard to determine who the actual perpetrator behind a cybercrime operation is with enough confidence for law enforcement to issue arrest warrants. Even pinpointing which country the actors operate from is hard to do with 100% certainty.

At the same time, there are more than enough indicators to say with relatively high confidence that a large share of organized cybercriminals operate out of Russia and the former Soviet Union.

Most Ransomware Originates from Russia

There are numerous indications that the majority of the big ransomware gangs are in fact based in Russia. These indications include recruiting members on Russian-speaking cybercrime forums, explicitly requiring criminals who want to join the group to speak Russian, and forbidding operators from attacking targets in Russia or the CIS. Many ransomware families even have hardcoded checks that abort execution if the victim system has a Russian or other CIS language setting (system locale or installed keyboard layout) or a Russian IP address.
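As an added illustration (not code from this article, from Truesec, or from any ransomware family), the following Python models the CIS "kill switch" check described above so a defender can see exactly which host attributes such checks look at. The LANGID values are the documented Windows locale identifiers; the list of CIS country codes for the IP-geolocation variant, the function names and the sample host profiles are assumptions made for this example.

```python
# Constructed illustration of the CIS "kill switch" check discussed above.
# Not code from any ransomware family and not Truesec code: it models the
# locale / keyboard-layout / IP-geolocation test so a defender can see
# which host attributes such a check inspects.
from typing import Iterable, Optional, Tuple

# Windows LANGIDs (Microsoft LCID reference) for Russian and the other CIS
# languages. Matching on the full LANGID rather than the primary language
# keeps ro-RO (0x0418, Romania) out while still catching ro-MD (0x0818, Moldova).
CIS_LANGIDS = {
    0x0419: "ru-RU", 0x0819: "ru-MD",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
    0x0440: "ky-KG",
    0x0428: "tg-Cyrl-TJ",
    0x0443: "uz-Latn-UZ", 0x0843: "uz-Cyrl-UZ",
    0x0442: "tk-TM",
    0x042B: "hy-AM",
    0x042C: "az-Latn-AZ", 0x082C: "az-Cyrl-AZ",
    0x0437: "ka-GE",
    0x0818: "ro-MD",
}

# ISO 3166 country codes for the IP-geolocation variant of the check.
# Which countries a given family exempts varies; this membership is an assumption.
CIS_COUNTRIES = {"RU", "BY", "KZ", "KG", "TJ", "UZ", "TM", "AM", "AZ", "MD", "UA", "GE"}


def langid_from_hkl(hkl: int) -> int:
    """Return the LANGID carried in a keyboard layout handle (HKL).

    On Windows the low 16 bits of an HKL (as returned by GetKeyboardLayoutList)
    are the input language identifier; the high 16 bits identify the physical
    layout or IME and are irrelevant to the check.
    """
    return hkl & 0xFFFF


def cis_kill_switch(ui_langid: int,
                    keyboard_hkls: Iterable[int],
                    ip_country: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a sample applying this check would refuse to run.

    ui_langid     LANGID of the system UI language (GetUserDefaultUILanguage)
    keyboard_hkls installed keyboard layout handles (GetKeyboardLayoutList)
    ip_country    ISO country code from an external IP lookup, or None if the
                  sample performs no lookup or the lookup failed

    Returns (abort, reason). Any single hit aborts: the check is deliberately
    over-inclusive, because a false "abort" costs the operator one victim while
    a false "run" risks attention from Russian law enforcement.
    """
    if ui_langid in CIS_LANGIDS:
        return True, f"UI language {CIS_LANGIDS[ui_langid]} (0x{ui_langid:04X})"
    for hkl in keyboard_hkls:
        langid = langid_from_hkl(hkl)
        if langid in CIS_LANGIDS:
            return True, f"keyboard layout {CIS_LANGIDS[langid]} (HKL 0x{hkl:08X})"
    if ip_country is not None and ip_country.upper() in CIS_COUNTRIES:
        return True, f"IP geolocated to {ip_country.upper()}"
    return False, "no CIS indicator"


if __name__ == "__main__":
    # Constructed host profiles, not data from any real incident.
    hosts = {
        "sv-SE workstation":             (0x041D, [0x041D041D], "SE"),
        "en-US host with ru-RU layout":  (0x0409, [0x04090409, 0x04190419], "US"),
        "en-US host, Kazakh egress IP":  (0x0409, [0x04090409], "KZ"),
        "ro-RO host (Romania, not CIS)": (0x0418, [0x04180418], "RO"),
    }
    for name, (ui, hkls, cc) in hosts.items():
        abort, why = cis_kill_switch(ui, hkls, cc)
        print(f"{name:32s} -> {'ABORT' if abort else 'run  '}: {why}")
```

The keyboard-layout branch is the one that matters most in practice: an English-language host with an additional Russian layout installed trips it, which is why that trick is sometimes discussed as a mitigation. It only affects families that implement exactly this check, and it is no substitute for real controls such as patched edge services, MFA and tested backups.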

Nowadays many ransomware groups operate on the Ransomware-as-a-Service model, where a core group of cybercriminals recruits affiliates to do the intrusions for them. In these cases, lone operators from all over the world can become affiliates, but there is still a central, usually Russian, team organizing the whole operation.

Big ransomware attacks that affect large networks and yield ever larger ransom amounts (also known as "Big-Game Hunting") require organized teams of cybercriminals working together. The most successful such group in 2020 was arguably the Ryuk group. According to a study by Chainalysis, the Ryuk group alone netted almost a third of all ransom money paid in 2020.

In fact, the top 10 ransomware groups listed in the Chainalysis report are all probably Russian in origin. In our own research, each of them shows at least two of the characteristics mentioned above that mark a group as likely Russian in origin.

The Cost of Russian Cybercrime

As mentioned above, some of these groups may include operators from all over the world. Still, the organization is provided by a core team of cybercriminals operating mostly out of Russia. According to a study by Dr. Michael McGuire, ransomware groups made around 1 billion USD in 2020, most of which ended up in Russia.

The total cost of ransomware attacks is much higher, though, and includes downtime, restoring networks and other damage. Truesec's own Threat Intelligence Report 2021 shows that the total cost of cybercrime in Sweden alone is approximately the equivalent of 3.5 billion USD.

Why Russia?

Why, then, do nearly all the large, organized ransomware gangs come from Russia? There are probably multiple reasons. Russia has a relatively good system for science education, but comparatively low salaries for computer specialists. Add a corrupt business environment that favors insiders, and the ability to succeed as a legitimate tech innovator in Russia is limited. An interview with a Russian ransomware operator published by Talos gives good insight into the mindset of a Russian cybercriminal.

Given the organizational talent and technical skill required to run a successful cybercrime group, it is quite possible that, had these individuals grown up in the West, they would be CEOs of tech start-ups instead of criminals.

As mentioned above, the big ransomware gangs, as a rule, also avoid targets in Russia. It is doubtful that they do this out of patriotism. A more probable explanation is that they are avoiding attention from the Russian security services. This, in turn, implies that Russian law enforcement leaves these groups alone as long as they do not strike targets in Russia or its allies.

Several sources also describe big Russian cybercrime groups actively cooperating with the Russian security service FSB, either willingly for cash or under duress. There is even the remarkable case in which the Russian government actively tried to help a known Russian cybercriminal evade US law enforcement.

How to Stop Organized Cybercrime

Regardless of whether it is because they actively cooperate with the Russian government or because they are simply left alone, the fact remains that Russian cybercriminals have relative freedom to operate in Russia, at least as long as they follow the rules. This makes it possible for them to organize and turn their criminal business into large enterprises.

The success of actors like the Ryuk gang suggests that the organization provided by the Russian cybercrime ecosystem is also instrumental in the rapid growth of ransomware. If so, this is a problem that cannot be solved by technical means alone, or by law enforcement alone. It also has a political dimension. Can governments in the West convince Russia to stop tolerating, and even profiting from, this parasitic behavior?

We at Truesec can do our part by explaining to decision-makers how the Russian cybercrime ecosystem works and what must be done, with both technical and non-technical means, to limit the damage these criminals cause. We invite anyone who wants to know more to contact us for information.


By Mattias Wåhlén

Threat Intelligence Lead at Truesec

Leads and further develops Truesec's Threat Intelligence capabilities for anticipating data breaches and averting threats.

Active for 12 years as a senior analyst in FRA's cyber defense operations. Has spent almost 35 years in the Swedish intelligence services, both at FRA and in the Swedish Armed Forces.