Natto Thoughts

Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear

In 2020-2021 the Conti and EvilCorp ransomware groups helped Russian intelligence with espionage and possibly a hack-and-leak operation. Could they be contract teams for APT29 itself?

Natto Team
Sep 11, 2024

Introduction: 

Previous installments of our “Ransom-War” series¹ set the context for Russian cybercriminal/intelligence interaction by showing that Russian ransomware criminals do not operate in a vacuum and that the Russian political context colors everything they do. This helps explain why, in at least some cases, the ransomware actors allow themselves to be coopted for operations in Russia’s hybrid war against Ukraine and the West.

Skeptics of the Natto Team’s “hybrid ransomware” thesis have raised numerous important questions: Can Russian cybercriminals seriously be receiving direct government tasking? If so, how do they communicate? Or are they improvising based on more diffuse “patriotic entrepreneurialism”? If so, how do they know what Putin’s government wants them to do and when? Whether they receive direct instructions or improvise, how could criminals unleash ransomware on short notice? More broadly, how can Russian intelligence services work with such an unruly bunch? Who hol…
