RansomWar in Real Time, Case Study 2: Louisiana and Norsk Hydro, 2019
Two disruptive ransomware campaigns from 2019 show possible signs of Russian state involvement in choice of targets and timing -- and even in malware development
In the previous posting of the “Ransom-War” series [1] we saw Conti and Evil Corp ransomware group members cooperating with government sponsors for espionage and even an apparent hack-and-leak operation. Such activities are consistent with Russia’s ongoing hybrid confrontation with its Western and Ukrainian adversaries.
But hybrid warfare also includes disruptive and destructive activity aimed at paralyzing essential services in a target society, potentially sowing social discord or discrediting an incumbent government. Even without a smoking gun in the form of leaked chats or indictments, in some disruptive ransomware operations we see circumstantial evidence consistent with Russian state inspiration or involvement. Signs that a ransomware operation might be “hybrid,” with political motivations in addition to financial ones, include timing and targeting that align with state priorities; political comments in ransom notes, forum postings, or even words inserted into malware code; and…