Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty
Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous.
In this “Ransom-War” series,1 we have made the argument that at least some Russia-origin ransomware attacks are “hybrid.” They are hybrid in two senses: 1) they have some political, not just financial, motivation, and 2) they align with Russia’s undeclared “hybrid war” against the “collective West.”
The revelations on October 1 2024 by multiple Western law enforcement agencies provide a convenient endpoint for wrapping up our arguments. These revelations came in the form of new US, UK, and Australian sanctions against top figures in the EvilCorp ransomware group, a US indictment of a top EvilCorp operative and Lockbit affiliate, and a UK National Crime Agency (NCA) profile of EvilCorp, as well as announcements from several Western police forces of arrests of suspected participants in the Russia-based Lockbit ransomware enterprise. Details from the revelations appear in our updated posting “Ransom-War in Real Time: Conti, EvilCorp and CozyBear.”
These revelations confirm and flesh out Natto Thoughts’ arguments, not only about the ransomware actors themselves but about the social, political, cultural, and business context in which Russian ransomware criminals operate.
In Russian society, business, crime and politics overlap. Citizens cannot trust in impartial legal and judicial institutions to ensure their safety and well-being; they have to rely on informal mechanisms to protect themselves. As the EvilCorp revelations highlight, Russian cybercriminals sometimes find patrons among influential figures in Russian government or intelligence. In return for protection, the criminals may find themselves doing favors for intelligence services, an arrangement which aligns with Russian President Vladimir Putin’s vision of how the world works, which we sum up here as “zero-sum sovereignty.”
The October 1 2024 revelations crystallize these themes. We highlight below selections from the revelations (in italics) and what they show about Russian cybercriminals and their context.
Business, Crime and Politics
The October 1 2024 US and UK revelations highlight how Evil Corp chief Maksim Yakubets and his father-in-law, former FSB officer Eduard Bendersky mixed business, family, crime and politics. The two pursued multiple business opportunities with highly placed figures in Russia’s intelligence and legal communities. For example, Yakubets “used his employment at the Russian National Engineering Corporation (NIK) as cover for his ongoing criminal activities linked to Evil Corp,” according to the US Treasury Department. NIK was co-founded by Igor Chayka, the son of Russia’s former Justice Minister and Prosecutor General.
The UK NCA report pointed out that Evil Corp operates like a family-based organized crime gang, incorporating Yakubets’ father, two brothers, and two cousins, in addition to his FSB-linked father-in-law.2 The US Treasury sanctions document illustrates these relationships:
Patriotism and Duress
As we saw in the US sanctions document, EvilCorp chief Maxim Yakubets’ FSB-linked father-in-law protected members of EvilCorp, apparently against both physical threats and Russian law enforcement. “After the December 2019 sanctions and indictments against Evil Corp and Maksim, Benderskiy used his extensive influence to protect the group….both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.”
This shows the precarity and vulnerability Yakubets felt.
The need for patronage is especially strong in a low-trust society like Russia. In Russia, institutions such as the rule of law, the separation of powers, and property rights are weak, and citizens cannot rely on impartial norms and public servants to ensure their safety and well-being. Law enforcement actions often serve to silence critics of the government or are part of power struggles among competing “clans” of officials and powerful individuals, even among security services themselves. Stories abound of police planting evidence or beating suspects to elicit confessions, and almost anyone can be found to have committed some kind of infraction. Even law-abiding citizens run the risk of being put into prison for a chance word or for stepping on the toes of someone powerful.
Analysts have documented patterns of informal personalized power networks that corruption researcher Alena Ledeneva calls “sistema” (the system). In this political culture, “clans” or factions use all available tools, including the judicial system, to compete for power and access to resources at the expense of Russian taxpayers. As stated in our first report, “Putin: The Spy as Hero,” Putin has been able to retain his power through a “protection racket” that keeps these subordinate clans at each other’s throats and reliant on him. This “overtly medieval system of mutual denouncement and competition,” in the words of Russian security analysts Andrei Soldatov and Irina Borogan, fulfills the role that the separation of powers and the system of checks and balances fulfill in other countries, as Russian political analyst Yuliya Latynina pointed out in 2010.
Unable to trust in institutions, Russian citizens have to rely on informal mechanisms such as patron-client relations. Having a powerful protector (крыша, pronounced krysha, literally “roof”) is essential to avoid being undermined by powerful rivals, extorted by criminals, or arrested on trumped-up charges.
As for Russian cybercriminals, they have a strange mixture of vulnerability and impunity in their relationship with the state. As we saw in “Ransom-War” Parts 2a, 2b, 4a, and Case Study 1, Russian cybercriminals constantly face the risk of arrest and possible mistreatment or imprisonment. It is not surprising that, whatever their true feelings, they express patriotic sentiments and agree to do their “Pioneer” (scout) duty when called on, even if it harms their bottom line. Russian law enforcement activity can plausibly be understood as a way to frighten criminals into cooperating with the Russian government, as researchers at the Federal Institute of Technology in Zurich have pointed out.
Russian cybercriminals, like other Russians, also seek protection through business or family ties with influential people, as we saw in “Ransom-War” Part 4a and Case Study 1. It is not always clear who initiates these protective relationships – whether the criminals sought them out or whether the powerful patrons took on the criminals as proteges.
We have seen cybercriminals speculating on which Russian intelligence agencies would protect them and which required bribes. Trustwave, for example, found some forum discussion participants in 2021 saying, “No one will put in jail the ransomware gang members in RU; at a maximum you will be asked to be quieter and to share,” implying the need to bribe or split proceeds with law enforcement.3
Indeed, cybercriminals’ bonds with officials also create obligations.
With Protection Come Obligations
A US Treasury document from 2022 regarding Evil Corp’s Yakubets says, “As part of his activity at NIK, Yakubets continued his work on behalf of the Russian intelligence services.” After he was first sanctioned by the US in 2019, “Yakubets has since developed a relationship with all three major Russian intelligence services, including personally meeting with SVR [Foreign Intelligence Service] Director Sergey Naryshkin.”
When global governments or researchers expose Russian criminals, this only strengthens the leverage that Russia’s own law enforcement and intelligence agencies have over them. The message is, in effect, “Work with us, or you will land a US prison and be tortured...”
At the same time, the Russian criminals seem to take pride in being exposed by global law enforcement , even as they vow to redouble their efforts to breach Western targets. Being targeted by foreign law enforcement helps criminals themselves. The publicity bolsters their reputation and opportunities for receiving state contracts for anti-Western work, as security scholar Thomas Rid has argued in the context of Russian active measures and disinformation. Russian hackers also bolster Russia’s own reputation as a global superpower to be feared, as we saw in “Ransom-War” Part 4a. Hackers’ prowess also potentially gives Russia leverage in international negotiations, as we saw in Part 4b.
Criminals and state officials are using each other.
Falling In Line with Putin’s Pursuit of Zero-Sum Sovereignty
Moved by an apparent mix of patriotism and duress, some Russian ransomware groups align at least some of their activities with Russian state strategic priorities; the recent international law enforcement revelations bolster our arguments on this point.
And the state does not hesitate to use criminals. As the US Senate Intelligence Committee said in its report on Russia’s 2016 election interference, the Russian state does not distinguish between businessmen, criminals, and intelligence.
The Russian government treats oligarchs, organized crime, and associated businesses as tools of the state, rather than independent, private entities. The Kremlin uses these entities to pursue Kremlin priorities, including money laundering, sanctions evasion, and influence operations. This is a fundamentally different model than in the United States.
That is, the Russian state can exploit all these entities, with their own personal financial motivations and fears, to pursue state goals. The Russian state can use the talents and perverse prestige of Russian cybercriminals as a deniable “hybrid war” tactic to pressure adversary countries, as discussed in “Ransom-War” Part 3, Part 4a, and Part 4b.
A December 2021 report by the Institute for Critical Infrastructure Technology about “disruptionware” — ransomware whose main goal is to disrupt rather than to earn ransom — notes that a government can even simply release ransomware in the wild and benefit from the ensuing chaos:
Nation-states can initiate many attacks just by releasing a variant of ransomware without the need to pay individual attackers... A culture of allowing small attackers to launch disruptionware attacks unimpeded by law enforcement both "chums" the waters of the threat landscape and iteratively depletes the resources of and inflicts harm on the victim.
What are the state priorities to which cybercriminals can contribute? As previous Natto Thoughts reports have shown, these include raising Russia’s international prestige and great-power status; conducting espionage; dividing, discrediting and demoralizing the societies of Russia’s perceived adversaries; and reducing Ukraine’s military capabilities and global support.
Russian cyberattacks could also plausibly benefit Putin in another way. By driving home how dangerous cybercrime can be, they could pressure countries’ decisionmakers to agree to Russia’s proposals on international Internet regulation. The Natto Team has shown how Putin’s government has persistently lobbied in the United Nations for Russia’s version of agreements on “international information security” and control over the global Internet. Critics have fought back against Russia’s proposals, which prioritize state “sovereignty” over international values of human rights and free speech.
Putin is arguably obsessed with Russian “sovereignty;” he liberally peppers his speeches with the term. The concept includes restoring for Russia the great power status, including its own sphere of influence, which Russia lost after the Soviet Union fell; the right to pursue its own “independent path of development” and not be demonized for violating universal norms of human rights and democracy; and the right to control content on its own Internet. In his view, lectures about global values such as human rights and free speech are merely an attempt by an imperialistic West to subjugate Russia.
Summing up Putin’s vision of sovereignty, one can describe it as zero-sum. More sovereignty for the Russian state means less for Russia’s neighbors and even its own citizens. In Putin’s view, Russia’s sovereignty outweighs those of the former subject peoples of the Russian and Soviet empires or anyone within his expansively defined “Russian world (русский мир).” Hence the desire to dominate Ukraine. In a December 2023 national press conference, for example, Putin cited Russian sovereignty – such as the right to protect supposedly persecuted Russian-speakers abroad -- as supposed justification for his attempt to subjugate Ukraine.
Nor do Russia’s own citizens enjoy sovereignty over their own speech, actions and even bodies. State interests, as loosely defined and imposed by anyone with a modicum of state power, take precedence. Putin’s political system in the 2000s has been called “sovereign democracy” (суверенная демократия) or “managed democracy,” which one Russian critic in 2006 described as “the glorification of populism, the steady destruction of private and public institutions and the departure from the principles of the law, democracy, and the free market." (https://www.kommersant[.]ru/doc/700710). Or as the distinguished Russian-exile analyst Tatyana Stanovaya phrased it in 2023, “sovereignty comprises an economy that is immune to external financial tools, a society that is protected from external ideological influences, and a stable political system consolidated around a particular geopolitical consensus, as well as a strong army, security services and so on.” Furthermore, in wartime Russia of 2024, state policies are treating even citizens’ bodies not as their own but as “a public good,” one analyst told the New York Times: “A woman’s body is a producer of children, and a man’s body is the ability to pull the trigger and, in the end, to kill.”
Finally, Putin’s ideas about sovereignty help explain his regime’s attitudes toward crime and corruption. As Mark Galeotti, in an excellent analysis of the Russian criminal world in wartime, cites Elena Panfilova, chair of the Russian chapter of anti-corruption organization Transparency International, commenting on Russia’s recent withdrawal from international anticorruption initiatives. She said, “....this is a signal that the authorities treat corruption with sovereignty: If I want to catch you, I’ll catch you; if I don’t want, I won’t”[emphasis added].
Putin’s Zero-Sum Sovereignty in Cyberspace
This urge for state “sovereignty” extends to the cyber and information sphere as well. To protect its own systems from outside attack, the Russian government has been trying to develop a “sovereign Internet” in Russia that can be closed off from the outside world. That is a huge topic in itself.4
When it comes to fighting transnational cybercrime and regulating the Internet, Russia also prioritizes “sovereignty” over bringing criminals to justice. As Putin said at a March 26 2021 meeting of his Security Council, discussing a draft Russian doctrine on international information security, Putin said, “we stand for the unshakeable digital sovereignty of states. That means that each state can independently decide the parameters of regulation of its own information space and...infrastructure.”(http://kremlin[.]ru/events/president/news/65231). Russia did not sign the multilateral Budapest Convention on Cybercrime of 2001, reportedly because Russia viewed Article 32 — “Trans-border access to stored computer data with consent or where publicly available” — as a violation of Russian sovereignty.5
Instead, for decades Russia has advocated for the UN to accept their version of an agreement on “International information security.” In this view, countries should have final say over how to define Internet crimes. Authoritarian countries should be allowed to censor political speech by classifying it as “extremism” or crime and should not have to submit to international norms on human rights.
This is because Russian doctrine views cybersecurity and cyber operations not as an isolated technical topic but as part of the broader category of information security and information operations. Furthermore, Russian doctrines portray the country as being constantly under information attack by Western countries, who seek to instigate “color revolutions” in Russia and other authoritarian countries with rhetoric about freedom and human rights. (discussed in Natto Thoughts posting Putin: The Spy as Hero). Analysts have spoken of how Putin’s hold on power is “brittle,” and that an authoritarian regime can seem eternal until it isn’t. Putin lives in constant fear of domestic instability. If he were ever to lose power, Putin reportedly fears he would face prison or an ignominious death like that of Muammar Qaddafi in Libya, as discussed in the Natto Thoughts posting Putin Spy as Hero.
Putin’s vision of zero-sum sovereignty also applies to Russia’s pursuit of ransomware actors who live in Russia and target people in other countries. As we saw in “Ransom-War Part 4: Ransomware Diplomacy,” even as Russian and US representatives talked about law enforcement cooperation against Russian ransomware actors, top Russian officials threatened that Russia would truly crack down on ransomware actors only if the West acquiesced to Russia’s “sovereignty” over Ukraine and accepted Russia’s view of “international information security.”
Conclusion
To repeat key lines from the US Senate Intelligence Committee’s report cited above,
The Russian government treats oligarchs, organized crime, and associated businesses as tools of the state, rather than independent, private entities….This is a fundamentally different model than in the United States.
The SSCI stressed how different the Russian model — based on Putin’s vision, which we have dubbed “zero-sum sovereignty” — is from that of the United States. As of October 2024, American institutions still hold: the separation of powers, free speech, the right to private property, an independent judiciary. So far these institutions have resisted foreign and domestic adversaries’ attempts to undermine them.
At the same time, Western pundits have raised the alarm about global trends such as “zero-sum thinking,” “democratic backsliding,” and distrust in democratic institutions and governments. Most people living in the West have no experience of the lived reality of truly authoritarian regimes – where “might is right” trumps the rule of law, and almost every daily transaction includes a demand for a bribe. Despite their real shortcomings, public and private institutions in Western countries work basically as designed. Rules and norms, upon which so much of daily life depends, have real meaning. It is to be hoped that the citizens of Western countries will not have to experience true authoritarianism firsthand.
Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — focusing on their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty,” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context. “Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware operations of 2021 in the context of this political culture and international tensions of that year.
The NCA report says, “Multiple other members of the Evil Corp group have their own ties with the Russian state. In particular, Yakubets’ father-in-law, Eduard Benderskiy, was a key enabler of Evil Corp’s state relationships.”
Hackers’ bribing of Russian law enforcement officers in return for protection is not new, but a recent case shows how ingrained such relationships are. In September 2023 hackers reported on an FSB officer in Omsk whom they had bribed to quash their case but who had failed to do so. The hacker suspects had been arrested in early 2022 with help from information from the US FBI. In April 2024 the (now former) FSB officer received a 9-year sentence, while the hackers received only light sentences or credit for time served. The hackers and courts both seemed to find that the FSB officer had wronged the hackers by failing at his end of the corrupt deal.