Ransomware Task Force Members Square Pre-Invasion Assumptions With Reality
When Russia launched its all-out war against Ukraine in February 2022, many cybersecurity watchers feared ransomware groups would serve as a proxy force. But Moscow doesn’t appear to have deputized cybercrime-driven crypto-locking malware brigades.
So said participants in a panel held Friday by the Institute for Security and Technology on the ransomware implications of the Russian invasion of its European neighbor.
Rather than enlisting criminal ransomware groups into Russia’s cyber military operations against Ukraine, the invasion fractured major ransomware groups.
In particular, “political fissures” began to be seen in ransomware groups such as Conti, “as the world understood what Ukraine was about to suffer and started suffering and what Russia was doing in that,” said panelist Laura Galante, who has served as the U.S. intelligence community’s cyber executive and director of the Cyber Threat Intelligence Integration Center since May 2022. Ransomware hackers picked sides, she said.
The panelists gathered to mark the two-year anniversary of the IST’s Ransomware Task Force recommendations for combating ransomware syndicates, including coordinating international cooperation, having the White House lead by example by launching a “whole of government” approach, focusing on disrupting the groups’ activities, and closely regulating the cryptocurrency sector to disrupt ransomware actors’ profits.
Panel moderator Jason Kikta, CISO of Automox, said Russian military planners may never have even considered tapping cybercriminals, given the many signs suggesting that the Russian government believed toppling Kyiv would take just weeks.
Retired U.S. Army Major Gen. John Davis, who co-chairs the task force, said that beyond just ransomware or cybercrime, cyberspace has featured much less prominently in the conflict than many had predicted.
Davis, who’s now vice president and federal CSO for Palo Alto Networks, said military planners see conventional military warfare as being more effective than cyberwarfare.
Backing from NATO and the European Union has also made Ukraine “a much tougher target” for hackers. NATO is likely doing whatever it can to “throw sand in the gears of the Russian cyber apparatus,” although he said he has no proof of that.
Also, “Russian decision-makers are uncertain” about where cyber red lines might lie, so they could be hesitant to commission major attacks using criminals whose motivations they might not fully grasp or trust, he added.
Nor do such individuals integrate well into a command structure, Galante said. “These are individuals involved in complex and very frequent criminal acts … who are primarily motivated by money,” she said.
This doesn’t rule out Moscow yet turning to ransomware groups, should its military campaign face further disruptions or should Vladimir Putin fear that his tenure as Russia’s president faces a direct threat, Kikta said.
Panelists said ransomware groups might have few reasons to want to assist such efforts.
“If Gallup had polled the leaders of ransomware groups after Colonial Pipeline, they all would have said, ‘We wish we hadn’t done that,’ because it was not good for them,” said Jeff Greene, senior director for cybersecurity programs at the Aspen Institute.
Despite Russian-language ransomware groups not appearing to directly support the Moscow military machine, crypto-locking malware is still posing a clear and present threat to the West, Galante said.
She said the past six months have served as a reminder, with so many attackers hitting education and healthcare targets, that they are focusing on organizations with less ability to repel such attacks.