Natto Thoughts: Ransom-War Series

Ransom-War in Real Time, Final Case Study: Tumultuous 2021

Natto Team — Wed, 30 Oct 2024 16:01:20 GMT

In this Ransom-War series,1 we have made the argument that at least some Russia-origin ransomware attacks are “hybrid.” They are hybrid in two senses: 1) they have some political, not just financial, motivation, and 2) they align with Russia’s undeclared “hybrid war” against the “collective West.”

The previous posting in the series characterized the social and political context in which Russian cybercriminals operate. As we pointed out, in Russian society, business, crime and politics overlap. Citizens cannot trust in impartial legal and judicial institutions to ensure their safety and well-being; they have to rely on informal mechanisms to protect themselves, often by finding patrons among influential figures in Russian government or intelligence. In return for protection, the criminals may find themselves doing favors for intelligence services. Moved by patriotism and/or duress, some Russian ransomware groups align at least some of their activities with Russian state strategic priori…

Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty

Natto Team — Wed, 16 Oct 2024 16:01:21 GMT

Note added April 30 2025:
 
Originally posted October 16, 2024 in a very different global geopolitical context, this analysis remains relevant today. Subsequent revelations, especially a set of leaked messages from the Black Basta group – a successor to the Conti group – reaffirm the complexity of relations between Russian ransomware actors and security officials. (The Natto Team discussed the value of leaks here). The Black Basta leaks show that group's members as: 

     Receiving Protection: Black Basta chief “Tramp” – who chose as his moniker the Russian version of the current US president’s name – boasted of receiving high-level help from Russian authorities after Armenian officials arrested him in June 2024.   
  
    But Still Vulnerable: Tramp speculated in July 2024 that someone from their circle had snitched on him, “tempted” by the rewards the US State Department has offered for information on Tramp. He also received tipoffs from criminal acquaintances and from “my law enfo…

Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear

Natto Team — Wed, 11 Sep 2024 16:01:04 GMT

Introduction:

Previous installments of our “Ransom-War” series1 set the context for Russian cybercriminal/intelligence interaction by showing that Russian ransomware criminals do not operate in a vacuum and that the Russian political context colors everything they do. This helps explain why, in at least some cases, the ransomware actors allow themselves to be coopted for operations in Russia’s hybrid war against Ukraine and the West.

Skeptics of the Natto Team’s “hybrid ransomware” thesis have raised numerous important questions: Can Russian cybercriminals seriously be receiving direct government tasking? If so, how do they communicate? Or are they improvising based on more diffuse “patriotic entrepreneurialism”? If so, how do they know what Putin’s government wants them to do and when? Whether they receive direct instructions or improvise, how could criminals unleash ransomware on short notice? More broadly, how can Russian intelligence services work with such an unruly bunch? Who hol…

Ransom-War Part 4b: Ransomware Diplomacy

Natto Team — Wed, 17 Jul 2024 16:01:31 GMT

Dedicated to the memory of John J. Foarde III, a diplomat devoted to his country, a longtime observer of China and shrewd geopolitical analyst, a caring mentor, and a true gentleman.

This is part 4b of Natto Thoughts’ “Ransom-War” series.1 The series argues that Russian ransomware actors are not solely financially motivated; rather, whether they like it or not, they are immersed in a geopolitical context and mindset of confrontation with the “collective West”; in at least some cases the targeting and timing of their attacks align with Russian strategic interests, suggesting some degree of state inspiration or even coordination.

Part 4b, the present section, argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals.

As we saw in Part 4a, on January 14 2022 the Russian Federal Security Service (FSB) announcem…

Ransom-War Part 4a: CyberCriminals as “Combat Resource” and Bargaining Chip

Natto Team — Wed, 10 Jul 2024 16:01:08 GMT

Epigraphs:

The Russian government treats oligarchs, organized crime, and associated businesses as tools of the state, rather than independent, private entities. The Kremlin uses these entities to pursue Kremlin priorities, including money laundering, sanctions evasion, and influence operations. This is a fundamentally different model than in the United States. (Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, volume 5, 2020)

...information security specialists...can be compared with snipers. A person who knows how to shoot well is a real combat resource. A modern programmer, who knows how to breach any operating system from a distance, is also a combat resource.” (Natalya Kasperskaya, Co-founder of Kaspersky Lab, IT contractor and advisor to Russian government ministries, 2017)

The approach our special services use to interact with talented guys [like us] is like a chapter of the “operatio…

Ransom-War Part 3: Inflict Maximum Damage

Natto Team — Wed, 19 Jun 2024 16:00:49 GMT

Summary:

This is Part 3 of Natto Thoughts’ “Ransom-War” series.1 The series argues that Russian ransomware actors are not solely financially motivated; rather, whether they like it or not, they are immersed in a geopolitical context and mindset of confrontation with the “collective West”; in at least some cases the targeting and timing of their attacks align with Russian strategic interests, suggesting some degree of state inspiration or even coordination.

The present section looks at the words and actions of Russian government-linked entities. They offer clues to evolving Russian attitudes on taking advantage of Russian criminal ransomware as part of a perceived ongoing hybrid war against the West.

Former President Dmitry Medvedev’s June 13 2024 call to “find critical vulnerabilities” and “do maximum harm” to Western infrastructures sounds like unusually explicit encouragement of Russian ransomware actors.
However, statements from as early as 2016 suggest the Russian military was alrea…

Ransom-War, Part 2b: Profits Versus Patriotism

Natto Team — Wed, 15 May 2024 16:00:48 GMT

This is part 2b of the series “Ransom-War.”1 Part 1 introduced the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we looked at how Russian cybercriminals portray themselves as warriors for the Russian state against its enemies, particularly the United States. They are willing to work for the Russian government and make business decisions in Russian strategic interests. In this section, we look at how events surrounding the Russian invasion of Ukraine heightened the tension Russian ransomware hackers faced between profit-making and their duty to the Russian motherland.

Tension Between Duty and Profit

Previous postings have explored aspects of Russian cybercriminals’ patriotism and cooperation with state intelligence services, based on online forum …

Ransom-War, Part 2a: Extortion Entrepreneurs and Their Patriotic Obligations

Natto Team — Wed, 08 May 2024 16:01:23 GMT

Russian cybercriminals like to talk: in personal communications, postings on underground discussion forums or social media pages, in the websites where they name and shame victims, in ransomware negotiations, and in media interviews. Analyzing their publicly available statements, we see they often portray themselves as warriors for the Russian state against its enemies. In line with the messaging of Russian media and officials, cybercriminals often focus their ire on the “collective West,” especially Americans and other “Anglo-Saxons.” Particularly after someone in the US has unmasked or indicted Russian cybercriminals or taken down their operations, they call for retribution against the United States. They take a keen interest in US politics and sometimes appear to take sides in US partisan conflicts. They are willing to work for the Russian government and sometimes make business decisions that align with Russian strategic interests. The early weeks of Russia’s war on Ukraine saw Rus…

Ransom-War: Russian Extortion Operations and Hybrid Warfare, Part One

Natto Team — Wed, 01 May 2024 16:01:23 GMT

Epigraphs:

"Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia." (Russian President Vladimir Putin, June 1, 2017)

“....the government will come and ask us nicely...'Here you go, guys. Now we need you to destroy another country’….we want to destabilize America. You know, destroy it, just as they want to destroy us." (Russian hacker Pavel Sitnikov describes the hacker’s ideal world in a 2020 interview, hxxps://expert[.]ru/expert/2020/39/oni-ne-pomnyat-nas-horoshih-pust-ne-zabudut-nas-plohih/)

“Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a …