New Paper: Assessing Political Motivations Behind Ransomware Attacks

New Paper: Assessing Political Motivations Behind Ransomware Attacks

Recent developments suggest possible links between some ransomware groups and the Russian government. We investigate this relationship by creating a dataset of ransomware victims and analyzing leaked communications from a major ransomware group.
image of abstract arms reaching into a computer like tentacles

Traditionally, ransomware attacks have been regarded as apolitical criminal activities. However, there is growing speculation about possible ties between Russia-based ransomware groups and the Kremlin. Our working paper aims to assess political motives behind ransomware attacks based on a newly gathered dataset of ransomware victims. Our findings challenge the notion that attack trends from Russia-based ransomware groups can be solely explained by financial motives.

To construct the dataset, we collected information from 55 dark web leak sites, focusing on victims targeted by "double extortion" attacks. These attacks involve threatening to publish stolen data even after the victim has paid the ransom. The dataset comprises 4,194 victims from 55 ransomware groups, spanning the period from May 1, 2019, to April 30, 2022.

Images show the “leak sites” of two dark web ransomware groups, Conti and Grief. Images show the “leak sites” of two dark web ransomware groups, Conti and Grief. Groups post about their victims on these sites as part of the extortion process. We have blurred victims' identifying information to protect their privacy.

Our analysis reveals several notable patterns. First, we observe an increase in the frequency of attacks by Russia-based ransomware groups leading up to elections in several major democracies, with no similar increase in attacks by groups based outside of Russia. Second, companies that withdrew from or suspended operations in Russia following the invasion of Ukraine were more likely to experience ransomware attacks in the months following the invasion, potentially indicating retaliatory motives. Third, we find a decline in the number of daily ransomware attacks after the invasion, which could be attributed to Russia enlisting ransomware operators to support its cyber offensive against Ukraine.

Plot presents coefficients and confidence intervals (with robust standard errors) for the effect of being in one of the three months before or after an election period (which we define as the two weeks around the election) on the expected number of daily ransomware attacks by Russia-based (black) and other (gray) groups. It shows a statistically significant increase in the expected number of daily attacks by Russia-based groups two and one month before an election period Plot presents coefficients & confidence intervals for the effect of being in one of the three months before or after election period (the two weeks around an election) on the number of daily ransomware attacks by Russia-based (black) & other groups (gray)

We also analyzed over 60,000 leaked messages from a prominent Russia-based ransomware group called Conti. These communications show that Conti generally operated independently from the Russian state. However, they also reveal connections between Conti leaders and Russian government contacts and show cooperation on at least one state-backed cyber operation. The chats also reveal that group members believe the Russian government provides them and other groups with safe harbor.

Our data are consistent with a model where the Russian government maintains decentralized yet cooperative relations with Russia-based ransomware groups. The government offers safe harbor from prosecution in exchange for plausible deniability for attacks and access to skilled cyber actors. The Kremlin also benefits indirectly as groups primarily target victims in Western countries. Our findings suggest ransomware presents an international security threat in addition to functioning as a form of crime.

Read More

stanford dish at sunset
Blogs

Addressing the distribution of illicit sexual content by minors online

A Stanford Internet Observatory investigation identified large networks of accounts, purportedly operated by minors, selling self-generated illicit sexual content. Platforms have updated safety measures based on the findings, but more work is needed.
cover link Addressing the distribution of illicit sexual content by minors online
Fake profiles real children internet observatory
Blogs

Fake Profiles, Real Children

A Look at the Use of Stolen Child Imagery in Social Media Role-Playing Games
cover link Fake Profiles, Real Children
pictures of attendees from the 2022 Trust and Safety Research Conference.
News

Registration Open for the 2023 Trust and Safety Research Conference

Tickets on sale for the Stanford Internet Observatory’s Trust and Safety Research to be held September 28-29, 2023. Lock in early bird prices by registering before August 1.
cover link Registration Open for the 2023 Trust and Safety Research Conference