Ransomware Attack Machinery Often Works on Russian Power
Russia has been denying for years that it hosts the hackers behind ransomware attacks, but cybersecurity experts claim there is evidence that many of these criminal groups are coordinated from this country. That the ransomware machinery usually works on Russian power is also supported, among other things, by the fact that one such group claimed responsibility for some of the attacks.
Author: Miroslava Simonovska
The same week that the Health Insurance Fund of North Macedonia was targeted by hacker attacks, and Prime Minister Dimitar Kovachevski said that it was actually a ransomware attack, i.e., that the attackers demanded a ransom to restore access to the data they had encrypted, the BBC reported that seven Russians had been sanctioned for similar attacks in Great Britain and the United States. A few weeks later, the Minister of Interior, Oliver Spasovski, announced that the bomb threats that had been causing panic among citizens, closing down businesses and interrupting the day-to-day operation of institutions for months came from Russian and Iranian addresses.
The American and British authorities even released photos of the people behind the ransomware attacks in these countries, froze their assets and imposed travel sanctions. They were accused of being members of the Russian hacker network called Trickbot, which extorted £27 million in cyber-ransoms from 149 UK victims.
Russia has been denying for years that it hosts the hackers behind ransomware attacks, but cybersecurity experts claim there is evidence that many of these criminal groups are coordinated from this country.
Many of the gangs operate on Russian-language forums, there are fewer attacks on Russian organizations, and the frequency of hacks dips during Russian public holidays, BBC reports.
The Health Insurance Fund is not the first institution in North Macedonia to experience a ransomware attack, and such attacks are not unique to the country. At the peak of the COVID-19 pandemic, a similar situation occurred in Ireland, when ransomware attacks paralyzed the country's healthcare system, leading to an 80 percent drop in patient appointments. To make things even worse, confidential data of patients of the Irish Health Department began to leak online.
The files were shared by the Conti Locker Team as evidence that they held confidential data, the Financial Times wrote.
The attack took over the system and stole data, and it has been linked to a group operating from Russia and Eastern Europe. The Financial Times reviewed one of the documents posted online, which contained the laboratory findings of a person registered for palliative care, with a great deal of personal and health data. That data corresponded with the details in a published obituary of the same person, the Financial Times reported on the attack in Ireland, where the hackers demanded a 20 million ransom.
An analysis published by the BBC a year ago reveals that 74 percent of all the money "made" through ransomware attacks in 2021 went into the hands of hackers linked to Russia. The researchers determined that more than US$ 400 million in cryptocurrencies went to groups likely related to Russia. The research, conducted by Chainalysis, tracked the flow of money to and from the digital wallets of known hacker groups using blockchain transactions. The researchers say they can identify Russia-linked hacker groups because these groups share distinctive features. For example:
Their ransomware code is written to prevent it from damaging files if it detects the victim’s computers are located in Russia or a CIS country
The gang operates in Russian on Russian-speaking forums
The gang is linked to Evil Corp – an alleged cyber-crime group wanted by the US
According to the latest report of Chainalysis, the earnings of the hackers are dropping, since more and more victims refuse to pay.
2022 was an impactful year in the fight against ransomware. Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before. As always, we have to caveat these findings by noting that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data. When we published last year’s version of this report, for example, we had only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down, specifies the latest report of Chainalysis.
However, that doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest. Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers, says the latest Chainalysis report.
Despite the decline in the sums collected by hackers in 2022, research by the cybersecurity company Fortinet (p. 28) found that more than 10 thousand unique strains were active in the first half of 2022. In 2022, the average ransomware strain remained active for 70 days, down from 153 in 2021 and 265 days in 2020.
At the end of 2022, Microsoft announced that hackers linked to Russia's military were very likely behind the ransomware attacks on organizations in Ukraine and Poland. The revelation raised concerns in Washington and in the European capitals whose leaders support Ukraine's right to self-defense.
The Russian invasion of Ukraine could provoke greater threats from Moscow. The hacks did cause damage at transportation and logistics companies in Poland and Ukraine, a Microsoft spokesperson told CNN, without specifying the extent of the damage.
Royal Mail, Britain's largest parcel delivery service, was hit by ransomware, and behind the cyberattack, as quoted by the British newspaper Telegraph (reported by Reuters), is Lockbit, a ransomware group with members in Russia. The cyber incident disrupted Royal Mail's operations and disabled international shipping.
Ransomware attacks work by encrypting a victim's data; the hackers then offer companies and government organizations the decryption key for a price that sometimes reaches millions of dollars.
That the ransomware machinery is usually Russian-powered was also confirmed by the fact that one such group claimed responsibility for some of the attacks. For example, 6 months ago Bloomberg reported that a hacker group linked to Russia attacked the Italian energy industry and claimed responsibility for the attack. This situation raised suspicions that the probable motive was the Russian invasion of Ukraine.
In this particular case, the Black Cat group announced on the dark web that it had stolen 700 GB of data from networks controlled by the Italian Energy Agency and threatened to publish the data if its ransom demands were ignored. In addition, several photos were released as evidence that the group had access to internal documents.
The US Treasury announced that the Russian security service has also used its cyber capabilities to target Russian journalists and others who openly criticize the regime, as well as U.S. government personnel and millions of private citizens around the world.
To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp, enabling them to engage in disruptive ransomware attacks and phishing campaigns, specifies the website of the American Treasury.
In which country the ransomware attack on the Macedonian Health Fund originated remains a mystery, and the specific case is still under investigation by the police.
This article was developed within the framework of the project Promoting Access to Reliable News to Counter Disinformation, implemented by the Metamorphosis Foundation. The article, which was previously published on the Macedonian-language version of Truthmeter, was enabled with the support of the American non-profit foundation NED (National Endowment for Democracy). The content of the article is the responsibility of the author and does not always reflect the positions of the Metamorphosis Foundation, NED or their partners.