Ransom-War in Real Time, Final Case Study: Tumultuous 2021
What do Russia's low-trust political culture and Putin's "zero-sum sovereignty" have to do with Colonial Pipeline?
In this Ransom-War series,1 we have made the argument that at least some Russia-origin ransomware attacks are “hybrid.” They are hybrid in two senses: 1) they have some political, not just financial, motivation, and 2) they align with Russia’s undeclared “hybrid war” against the “collective West.”
The previous posting in the series characterized the social and political context in which Russian cybercriminals operate. As we pointed out, in Russian society, business, crime and politics overlap. Citizens cannot trust in impartial legal and judicial institutions to ensure their safety and well-being; they have to rely on informal mechanisms to protect themselves, often by finding patrons among influential figures in Russian government or intelligence. In return for protection, the criminals may find themselves doing favors for intelligence services. Moved by patriotism and/or duress, some Russian ransomware groups align at least some of their activities with Russian state strategic priorities.
What are the state priorities to which cybercriminals can contribute? As previous Natto Thoughts reports have shown, these include raising Russia’s international prestige and great-power status; conducting espionage; dividing, discrediting and demoralizing the societies of Russia’s perceived adversaries; and reducing Ukraine’s military capabilities and global support. These goals align with Russian President Vladimir Putin’s vision of how the world works, which we summed up as “zero-sum sovereignty.”
Russian cyberattacks could also plausibly benefit Putin in another way. By driving home how dangerous cybercrime can be, they could pressure countries’ decisionmakers to agree to Russia’s vision of global Internet regulation. As the Natto Team pointed out, Putin’s government has persistently lobbied in the United Nations for Russia’s version of agreements on “international information security” and control over the global Internet. Critics have fought back against Russia’s proposals, which prioritize state “sovereignty” over international values of human rights and free speech.
This seemingly arcane topic is an existential question for Putin. He views Russia as being constantly under information attack by Western countries, which seek to instigate “color revolutions” in Russia and other authoritarian countries with rhetoric about freedom and human rights. And if a “color revolution” were to oust Putin himself, Putin reportedly fears he would face prison or an ignominious death like that of Muammar Qaddafi in Libya, as discussed in the Natto Thoughts posting Putin: Spy as Hero. As we saw in “Ransom-War” Part 4b, even as Russian and US representatives talked about law enforcement cooperation against Russian ransomware actors in 2021-22, top Russian officials threatened that Russia would truly crack down on ransomware actors only if the West acquiesced to Russia’s “sovereignty” over Ukraine and accepted Russia’s view of “international information security.”
The present posting reviews disruptive Russia-origin ransomware attacks of 2021 in this geopolitical context.
What Does Putin’s “Zero-Sum Sovereignty” Have to Do with Colonial Pipeline?
Tension between Russia and Western countries was high in 2021, fueled by the Russian government’s pursuit of greater influence in Ukraine and in international Internet regulation, as well as its domestic crackdown on speech and dissent. All of these relate to Putin’s vision of Russia’s zero-sum sovereignty. Russian officials made confrontational statements, including a warning of cyberwar by Russian propaganda chief Margarita Simonyan and a threat by President Putin to use “asymmetrical, swift and harsh” measures against Western adversaries. The atmosphere of international confrontation and inflammatory rhetoric forms the backdrop for numerous Russia-origin cybercriminal attacks on Western critical infrastructure. We present them here with the intention of enriching analysis of those incidents.
Tensions High in 2021:
As US President Joe Biden came to power in early 2021, Russian-Western conflicts over cyber, Ukraine and international information security were all on the agenda. In a phone call with Putin less than a week after Biden’s inauguration, the US president brought up the SolarWinds espionage campaign of 2020, Russia’s interference in the 2020 US election, and the attempted poisoning and subsequent arrest of Russian opposition figure Alexey Navalny. Events in subsequent months helped ramp up tensions:
In January and February, Ukrainian President Zelensky froze assets of pro-Russian Ukrainian politician Viktor Medvedchuk, a close friend of Putin, including TV stations Medvedchuk controlled.
On March 17, the US announced new export controls on Russia in retribution for the Navalny poisoning; President Biden said Russian President Vladimir Putin would “pay a price” for ordering influence operations to support Donald Trump in the 2020 U.S. presidential election; and when an interviewer asked whether Biden thought of Putin as a killer, Biden said, “I do.”
Also on March 17, cybersecurity company Prodaft released a report tying the ransomware groups EvilCorp and TrickBot/Conti to the SolarWinds cyber-espionage campaign, which the US government has attributed to Russia’s Foreign Intelligence Service (SVR). Natto Thoughts “Ransom-War In Real Time: Case Study 1” discusses this.
In April Russia put forward a candidate for the following year’s election to the leadership of the UN’s International Telecommunication Union (ITU). Russia’s candidate, who also had ties with China through work at the Huawei telecommunications company, was pitted against an American candidate. As the Natto Team has pointed out (“Ransom-War” Part 4b) and discusses below, Russia’s attitude toward Internet regulation stresses countries’ sovereignty, while the Western countries stress keeping the Internet open.
Russian Propaganda Boss Warns of Cyberwar
On April 11 2021, speaking on “Sunday Evening with Vladimir Soloviev,” a Russian TV talk show that often airs inflammatory nationalist rhetoric, the editor of Russian propaganda company RT, Margarita Simonyan, warned of a potential cyberwar with the United States. As Daily Beast columnist Julia Davis summarized Simonyan’s words, she
explained that it was time for Russia to gear up for a showdown against the U.S., and prophesized a kind of war driven by hacking, the forced disruption of internet access, the shutting down of power supplies, and an all-out offensive on U.S. infrastructure....
She warned that—in this theoretical battle—the U.S. would plot to cut off the electricity of entire Russian cities. In turn, she speculated, Moscow would be able to force a blackout in Florida or New York’s Harlem at the flip of a switch....
The top RT editor asserted that ‘[Russia] needs to be ready for this war, which is unavoidable, and of course it will start in Ukraine’....
Simonyan argued that once Russia minimizes its [Internet] vulnerabilities and renders Putin’s opposition powerless—which she argued could happen in a matter of months—the Kremlin will finally be ready to annex Ukraine’s eastern region....
‘We can never come to any agreements with [Americans]’, Simonyan said, arguing that instead, Russia can just as easily defeat the U.S. in a cyberspace war. She added, mockingly, ‘We don’t even need the nukes’.
Events in the Following Weeks Heighten the Tension
On April 13, US President Joe Biden called Russian President Vladimir Putin and declared Biden’s "unwavering commitment to Ukraine's sovereignty and territorial integrity” as Russia amassed troops on Ukraine’s border. Biden suggested that the two hold a summit meeting to discuss these disagreements, but also said he told Putin he would be retaliating for Russia’s interference in the 2020 US election and for the SolarWinds espionage campaign.2
Also on April 13, the NATO alliance issued a statement demanding Russia end its buildup on Ukraine’s border. Underlining this demand, the U.S. deployed two warships to the Black Sea.
On April 14-15, a naval confrontation took place between Ukrainian and Russian vessels in the Sea of Azov. Afterwards Russia announced it was closing parts of the Black Sea to other countries’ vessels until October, citing supposed military exercises.
On April 15, President Biden authorized broad economic sanctions against Russia, including “anyone operating in technology or defense sectors; anyone complicit in cyber, election interference, transnational corruption, assassination; any leader of Russia; and their spouses or supporters; or any entities owned by RF government or any of the blocked entities.” Biden’s order explained this move as a response to Russia’s antidemocratic activities, “malicious cyber-enabled activities against the United States and its allies and partners,” fostering of “transnational corruption to influence foreign governments,” targeting of dissidents, and violations of the “territorial integrity of states.” At the same time, Biden also made conciliatory gestures, calling for a de-escalation of tensions with Russia and again mentioning a summit meeting with Putin that summer.
President Putin Threatens “Asymmetrical, Swift and Harsh” Measures Against Western Powers
Russian President Vladimir Putin also mentioned cyber confrontation and threatened “asymmetrical” measures in his April 21 yearly state-of-the-nation address (Послание) to the Russian legislature. He also put in a jab about disagreements over “international information security.”
Putin criticized the “collective West” for piling on with “politically motivated, illegal sanctions” against Russia. He also implied the US had condoned a “color revolution”-style coup attempt and cyberattack against Alexander Lukashenko, the president of Russian ally Belarus. (The term “color revolution” refers to a series of revolutions in the 2000s that ousted Russia-friendly governments in countries neighboring Russia; see Putin: The Spy as Hero for more on Putin’s reaction to “color revolutions.”)
Putin claimed the alleged Belarus coup conspirators had planned to disable the communications and energy infrastructure of that country’s capital city, Minsk: “in effect,” he continued, “they were preparing for a massive cyberattack.”3 By implication, the US also condoned this alleged cyberattack plot. Then Putin connected this alleged plot to ongoing UN discussions on cybersecurity. He said, “It is no coincidence that our Western colleagues are stubbornly refusing Russia’s multiple proposals for establishing an international dialogue on information and cyber security...” He seemed to be implying that the West was foot-dragging on the UN agreements so it could continue to foment or inspire cyberattacks against Russia and its allies.
After citing other examples of Western “harassment” of Russia, Putin concluded,
We are behaving with extreme restraint.... We really do not want to ‘burn bridges’. But if someone takes our good intentions as indifference or weakness and intends to definitively burn or even blow up these bridges, he must know that Russia’s response will be asymmetrical, swift and harsh. Those who organize any provocations threatening the core interests of our security will regret their actions more than anyone has regretted anything for a long time.
One of the “provocations threatening the core interests of our security” he had in mind was likely the alleged coup attempt in Belarus. By extension, he was also warning against Western support for dissidents inside Russia, which he views as aimed at fomenting a “color revolution” in Russia itself. Russia’s proposals on international Internet regulation would tend to guard against such domestic threats by allowing Russia to institute broad censorship rules on the Russian internet, thereby limiting Russians’ access to destabilizing ideas.
Washington Post columnist David Ignatius noted that Putin’s April 21 speech showed the importance to Putin of Russia’s version of UN agreements on international information security. (We have already seen here and here how other Russian officials would cite the same arguments in the “ransomware diplomacy” later in 2021 and 2022). Ignatius noted that on the same day Putin gave his speech, Russian cyber negotiator Ernst Chernukhin urged strengthening the ITU’s power, electing the Russian candidate to head the body, and letting Russia host a major UN Internet governance forum in 2025.4
These seemingly arcane arguments in UN committees hid enormous stakes for both Russia and the Western world in the decades to come. As we discussed above, Putin sees them as an issue of sovereignty and personal survival, while the Western countries see Russia’s proposals as a threat to free speech. On May 4 2021, US Secretary of State Antony Blinken stressed, “There are relatively few items that are ultimately going to have a greater impact on the lives of people around the world than the ITU post...we’re very, very actively engaged on this front.”
The information sovereignty issue was clearly front of mind for Putin. On April 12, the day after Simonyan’s warning of cyberwar, Putin had signed a “Foundations of state policy in the field of international information security” document (https://tass[.]ru/politika/11127443). On May 10-12 the Russian-initiated UN “open-ended ad hoc intergovernmental committee” was to hold an organizational meeting on drafting a cybercrime treaty, in what turned out to be an acrimonious debate. The official UN Group of Governmental Experts (GGE) on the subject was working on its final report, which it would eventually release in late May. At the same time, a rival UN body, the Open-Ended Working Group (OEWG), which Russia had proposed in 2018, was developing an alternative resolution, which the UN General Assembly eventually approved on May 26 2021.
What did Putin mean by “asymmetric”?
The term asymmetric can refer to any type of irregular warfare, including measures that a weaker power can take against a stronger one. They can include sabotage, proxy wars, or information or cyber operations. “Asymmetric” strategies “transform an adversary’s perceived strength into a vulnerability, often by revealing one’s own perceived vulnerability as a strength,” according to one definition.
The idea of taking “asymmetric” measures against the United States had already been broached publicly just weeks earlier. On March 18, responding to reports that Biden had called Putin a “killer,” Russian military commentator Ilya Polonskiy mused on what Russia’s reaction should be. He suggested “asymmetric political or military-political methods....not aggression against the US or NATO, but a more active assertion and defense of our interest in problem spots—the Near and Middle East,5 Southeast Asia, the Balkan Peninsula. Or the Donbas,” he said, using a term referring to the area of Eastern Ukraine that Russian-installed separatists dominated. This looks like a reference to the military buildup that was happening on Ukraine’s borders that spring.
Other officials repeated the idea of asymmetric measures. On May 31 2021 Russian Security Council Secretary Nikolai Patrushev told Russian government news source Rossiyskaya Gazeta that Russia’s National Security Strategy, which was being updated at the time, foresees that Moscow could take “symmetric and asymmetric measures to thwart or avert unfriendly actions that threaten the sovereignty and territorial integrity of the Russian Federation.” He added that those “primarily will be special economic measures, but also coercive forceful methods if necessary." The draft National Security Strategy – eventually signed into law on July 3 – also prioritized Russia’s information security, portraying Russia as engaged in a constant confrontation with the West over minds, hearts and computer systems.
Putin’s April 21 speech sounds like a threat. It came at the end of a menacing Russian military buildup on Ukraine’s borders. The very day after the speech, however, Russia began a partial withdrawal of those troops. Putin was apparently not willing to undertake direct military action at that time, but asymmetric measures might be a different story.
Did Russian Officials’ Hostile Rhetoric and Actions Inspire Patriotic Cybercriminals?
The actions of ransomware criminals in 2021 took place against this backdrop of high tension and aggressive rhetoric about cyberwar and asymmetric measures. Cybercriminals may have interpreted such rhetoric as an opportunity to burnish their patriotic credentials through attacks on the country’s adversaries. This context can help us understand the criminals’ possible motivations. Further research would be required to assess the degree of state involvement, if any, in each incident.6
It is theoretically possible for a ransomware operator to act quickly on a significant target in response to triggering events or speeches, because they have or can easily obtain access to numerous previously breached entities and can choose among them.
Ransomware actors were already busy in the first months of 2021:
On February 25 2021, REvil ransomware group boss “UNKN” posted on an underground discussion forum that, “In connection with the expansion of production capacity,” the group needed “support with spoken English” and a Tier 1 network provider. The announcement said, “Lots of work. The targets are serious, including the government sector and defense systems” [emphasis added].
On March 1, REvil actors began exfiltrating data from the JBS meatpacking company, which is based in Brazil but has extensive operations in North America. They would eventually unleash ransomware on the eve of the US Memorial Day holiday.
On March 15, in an interview with REvil’s UNKN, Recorded Future’s Dmitry Smilianets asked him, “Do you believe that ransomware is a perfect weapon for cyberwar? Are you afraid that one day it could start a real war?” UNKN responded, “Yes, as a weapon it can be very destructive. Well, I know at the very least that several affiliates have access to a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory. It is quite feasible to start a war. But it's not worth it—the consequences are not profitable.” In light of UNKN’s earlier recruitment of criminals to target specifically government and military entities, this statement sounds more like a threat than reassurance.
On March 18 threat actors initially breached Irish health service HSE’s servers, followed by a full breach on May 7 and the unleashing of Conti ransomware on May 14.
On March 23 the Babuk gang threatened to leak data of PDI Group, a US military supplier, writing, “given the state of international politics, the information may be of interest to countries such as Russia and China...”
On March 24 the DarkSide administrator DarksUpp announced “big structural innovations” to make ransomware encrypt victim systems even faster. Around this time, DarkSide also announced it was “removing layers of ‘bureaucracy’ and allowing its affiliates to ‘make calls’ without asking the ransomware operators.” UK-based Searchlight Cyber interpreted this as a “warning sign that attacks were going to escalate.”
Did Simonyan’s talk of cyber-war and Putin’s threats of asymmetric measures in April 2021 inspire the multiple ransomware attacks in subsequent months?
Russian patriotic cybercriminals might interpret Simonyan’s talk of cyberwar and Putin’s April 21 speech as encouragement to attack Western targets. While cybercriminals may not have delved into the fine points of UN negotiations on “international information security”, they would likely have seen headlines about Simonyan’s and Putin’s speeches. They might have seen social media, such as a YouTube video headlined “Urgent! Putin warned the USA about SEVERE consequences of war with Russia (Срочно! Путин предупредил США о ТЯЖЕЛЫХ последствиях войны с Россией).”
With EvilCorp and Conti, who are known to have worked with Russian intelligence services, the likelihood is greater that a given operation involved some communication or possibly even coordination with government officials. In turn, researchers have found ties between the Conti spinoff group Ryuk and FIN7, a crime group that Mandiant identifies as the managers of the DarkSide malware. Researchers have also found likely links between Babuk group head Mikhail Matveev (“Wazawaka”) and the EvilCorp, REvil, Conti, Hive, Lockbit and other groups, as well as with DarkSide, suggesting that Russian officials likely have some visibility into those groups as well. Russian special services could summon known cybercriminals to the police station for a “prophylactic chat,” pressure them to identify their associates, and propose cooperation against Russia’s adversaries.
A series of attacks on Western critical infrastructure took place in the weeks after Simonyan’s and Putin’s speeches. These are presented as bullet points below. To what extent these activities were a direct response to these speeches or other government messaging, or even more direct involvement, would require further evidence. We also list other international events that may have served as triggers for threat activity.
April 19 2021 was the start date of the Washington DC Metropolitan Police (MPD) breach by a Babuk affiliate, according to the US indictment of Matveev/Wazawaka. A screenshot of stolen data bears 4/19/2021 timestamps for all the folders.
On April 27 Babuk actors published a sample of the stolen MPD information. Babuk’s message said, “We will continue to attack the state sector of the USA, FBI CSA [sic, likely referring to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency]....even larger attacks await you soon.” In addition, at least one of the files the gang featured in their sample appeared to relate to the January 6 assault on the US Capitol.
Babuk/MPD Ransom negotiations lasted through May 10, according to purported screenshots that Babuk provided and transparency organization DDoSecrets posted. Babuk administrator “Wazawaka” claimed in interviews in August 2022 and May 2023 that the Babuk affiliates who actually carried out the MPD attack had refused to accept the MPD’s $100,000 ransom counteroffer; however, Wazawaka claimed, the affiliates were afraid to leak the stolen MPD data publicly. Wazawaka said, “I just uploaded the data... to prove that it really had been stolen, and it wasn’t a hoax...” Babuk posted 20 files of MPD officers’ “personal information including psychological evaluations, credit history and Social Security numbers....polygraph tests, social media posts, employment history, financial liabilities and scanned copies of officers’ driver’s licenses” on May 10.
April 29: Threat actors covertly gained access to computer systems of Colonial Pipeline, the United States’ largest pipeline system for gasoline and other refined oil products. The hackers used a stolen password to log in to a legacy virtual private network (VPN) account that was no longer in active use but had never been disabled and, according to the company CEO’s later Senate testimony, was not protected by multi-factor authentication. The password was available in multiple data leaks posted online. The hackers would subsequently exfiltrate Colonial Pipeline data on May 6 and unleash DarkSide ransomware on May 7 2021.7
On May 1, threat actors unleashed Conti ransomware on San Diego-based nonprofit Scripps Health, forcing personnel to divert ambulances and take the patient portal, website, and systems offline. Scripps Health later estimated its expenses and revenue loss from the incident as about $112.7 million through June 30 2021.
On May 6, the threat actors residing in Colonial Pipeline’s systems exfiltrated data and on May 7 unleashed DarkSide ransomware. Citing fears of a dangerous malfunction of physical production systems, Colonial Pipeline suspended deliveries throughout the Eastern Seaboard. The resultant long lines and panic-buying at US gas stations briefly resembled the gas shortages of 1973 and 1979 that helped undermine the reputation of then-US President Jimmy Carter. The company paid the ransom within hours, but the decryption tool the hackers provided worked painfully slowly. US President Biden refrained from attributing the Colonial Pipeline operation to the Russian government but said Putin’s administration nevertheless bore responsibility for allowing such attacks from Russian soil.
At least one Ukrainian analyst saw the Colonial Pipeline attack as a direct response to Putin’s April 21 speech. On May 13 2021, a week after the Colonial Pipeline attack, political analyst Mikhail Honchar published an essay called “The ‘They are Not Theres’ Carried Out a Cyberattack on the USA.” Ukrainians used the term “They-are-not-theres” (Ихтамнеты) to describe soldiers without insignia whom Russia sent to take over Crimea and parts of Eastern Ukraine in 2014. By choosing this title, Honchar implies that the Colonial Pipeline hack represented a covert operation by the Russian state. He said that in the April 21 speech, Putin “threatened the US with a quick and harsh response to ‘harassment’ of Russia...saying [in effect], ‘you sent the frigate Hamilton to the Black Sea [referring to an April 27 2021 US mission “in support of NATO Allies and partners”], and we will send you hackers’.”
A Russian journalist, Vasily Golovnin, reporting from Japan for Russian state news agency ITAR-TASS, also speculated on May 9 2021 that the Colonial Pipeline attack could be state-sponsored sabotage. “Is it just brazen extortionists, or are we talking about a massive test sabotage (пробной диверсии) backed by one of the states who consider the US their enemy or rival? In the States, as you recall, both Russia, China, and Iran have been loudly named in that context...”
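The Colonial Pipeline entry above turns on two ordinary hygiene failures rather than any exotic exploit: a VPN account nobody was using any more was still enabled, and its password had already appeared in public credential leaks. The audit below is an added example written for this post, not code from Colonial Pipeline, DarkSide or the Natto Thoughts authors. It flags accounts that are dormant, lack MFA, or use a password present in a leak corpus, and it shows the k-anonymity range query that the Have I Been Pwned “Pwned Passwords” service uses, so that only a 5-character hash prefix ever leaves the host. All account names, login dates, hashes and the leak corpus are constructed; the offline `offline_range_lookup` stands in for the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint, whose response format (one `SUFFIX:COUNT` line per hash) it imitates.

```python
"""Dormant-account and leaked-password audit (added example, constructed data)."""
import hashlib
from datetime import date

# Reference date for "how long since the last login" (constructed).
AS_OF = date(2021, 4, 29)


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the encoding used by the Pwned Passwords corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(sha1: str):
    """k-anonymity split used by the HIBP range API: the 5-char prefix is sent,
    the 35-char suffix is compared locally against the returned candidates."""
    sha1 = sha1.upper()
    return sha1[:5], sha1[5:]


def suffix_count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range-API style body ('SUFFIX:COUNT' per line) and return the
    breach count for one suffix, or 0 if the suffix is not listed."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        s, _, count = line.strip().partition(":")
        if s.upper() == suffix.upper():
            return int(count)
    return 0


def dormant_accounts(accounts, as_of=AS_OF, max_idle_days=90):
    """Names of accounts whose last successful login is older than max_idle_days."""
    return sorted(
        name for name, a in accounts.items()
        if (as_of - a["last_login"]).days > max_idle_days
    )


# Constructed stand-in for a leaked-password corpus: SHA-1 hash -> times seen.
LEAKED_COUNTS = {
    sha1_hex("Summer2020!"): 1473,
    sha1_hex("Welcome1"): 9241,
    sha1_hex("Password123"): 128000,
}


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for
    every corpus hash sharing the 5-character prefix (hypothetical data)."""
    return "\n".join(
        f"{h[5:]}:{n}" for h, n in LEAKED_COUNTS.items() if h.startswith(prefix)
    )


# Constructed VPN account directory: hypothetical names, dates and hashes.
# A real directory holds NT or bcrypt hashes; only the comparison logic matters here.
ACCOUNTS = {
    "jdoe":       {"last_login": date(2021, 4, 20), "mfa": True,
                   "pw_sha1": sha1_hex("c0rrect-h0rse-b@ttery-2021")},
    "mlee":       {"last_login": date(2021, 1, 15), "mfa": True,
                   "pw_sha1": sha1_hex("Welcome1")},
    "svc-legacy": {"last_login": date(2020, 11, 2), "mfa": False,
                   "pw_sha1": sha1_hex("Summer2020!")},
}


def audit(accounts, as_of=AS_OF, range_lookup=offline_range_lookup, max_idle_days=90):
    """Return {account: [findings]} for dormant, MFA-less and leaked-password accounts.
    Accounts with no findings are omitted."""
    findings = {}
    dormant = set(dormant_accounts(accounts, as_of, max_idle_days))
    for name, a in accounts.items():
        issues = []
        if name in dormant:
            issues.append(f"dormant: no login for {(as_of - a['last_login']).days} days")
        if not a["mfa"]:
            issues.append("no MFA enforced")
        prefix, suffix = split_for_range_query(a["pw_sha1"])
        seen = suffix_count_in_range(suffix, range_lookup(prefix))
        if seen:
            issues.append(f"password seen {seen} times in leak corpus")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(f"{name}: " + "; ".join(issues))
```

The point of the split is that a password hash is checked against a third-party corpus without ever handing that corpus the full hash; the same shape works against an internal leak feed. An account that is both dormant and MFA-less should simply be disabled, whatever its password.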
Despite apparent pullback after Colonial Pipeline, international confrontations and ransomware incidents continued
On May 13, a week after the Colonial Pipeline attack, some underground forum administrators announced a moratorium on discussions of ransomware, and some ransomware actors went quiet, citing pressure from Russian law enforcement and the United States (part 4b).
However, even after this apparent pullback among cybercriminals, international confrontations continued. On May 13, for example, a Ukrainian court put pro-Russian politician Viktor Medvedchuk under house arrest. The following day, Putin in a videoconference with his Security Council, complained about the arrests, saying, “Ukraine is slowly but surely being turned into some kind of antipode of Russia, some kind of anti-Russia.... Currently there is going on a clear purging of the political arena. National media are being closed, and our western partners are not reacting or are even supporting such decisions.”
Ransomware operations also continued.
On May 14 threat actors unleashed Conti ransomware on servers of the Irish Health Service Executive (HSE).
On May 15, Babuk group administrators announced “something really cool, a huge platform for independent leaks.... of successful no-name teams that do not have their own blogs and names.”
On May 30, threat actors using the REvil (a.k.a. Sodinokibi) malware crippled the Brazil-based JBS meat processor, affecting facilities in the United States, Canada, and Australia and creating fears of empty barbecue grills on the US Memorial Day holiday.
On June 4 Putin scorned as “ridiculous” and “simply laughable” the idea that Russia’s government could be involved in attacks on “some kind of meat factory....and a pipeline too,” adding, “we do not have dealings in (не занимаемся) some kind of beef or chicken.”
Also on June 4, a REvil ransomware group spokesperson, saying the US had overreacted to the JBS incident, declared open season on US targets. “Since there’s no point in avoiding the US targets anymore, we have lifted all the restrictions....From now on, every entity in that country can be targeted...access to US companies will be sold for a song, and we’ll offer preferential terms to our affiliates.”
After the June 2021 Biden-Putin Summit, Ransomware Groups Down But Not Out
Several shifts occurred in the ransomware ecosystem after Presidents Putin and Biden met in mid-June and ushered in a supposed era of US-Russian law enforcement cooperation, as described in “Ransom-War” Part 4b. REvil leader UNKN disappeared and the REvil group’s infrastructure went offline in July 2021, before briefly coming back up in September with a new self-proclaimed leader. Russian security officials appear to have taken some cybercriminals in for questioning. Databreaches reports, for example, that one “person involved with REvil” told them the FSB had questioned him for about two hours, sometime that summer, and then released him. In October 2021 a Conti/Trickbot member told the group boss “our old case was resumed” after US queries, but that the investigator assured him they were witnesses rather than suspects. The word “resumed” implies that there had been a case against Conti sometime in the past.8
As we have seen, some Russian cybercriminals responded by speculating on which Russian security personnel would protect them and which ones needed bribes, and whether they needed to lie low for awhile. Other groups rebranded.
In July 2021, DarkSide rebranded as BlackMatter and posted on the underground forum Exploit, saying “Looking for corporate networks in the following companies: USA, CA, AU, GB. All sectors except: Medical, State Institutions.”
Also in July, Babuk group administrator Mikhail Matveev (“Wazawaka”) created the RAMP forum to cater to ransomware actors ousted from other underground forums in May.
That month, too, Clop (Cl0p) ransomware actors were testing vulnerable servers associated with the MOVEit file transfer tool, according to Kroll investigators. Cl0p’s operation would result in a massive data leak and extortion campaign in June 2023.
Several leaks of ransomware groups’ tools, code, and other materials took place in summer and fall 2021. Some of these developments caused consternation in the cybercrime community, but the events might also have benefited Russian intelligence. These developments increased Russian special services’ visibility into and leverage over cybercriminals.
On August 5, user M1Geelka posted Conti group internal documents, guides, training materials, and information about the group’s leader (nickname “Tokyo,” Jabber messaging system account cicada3301@strong[.]pm) on the Russian-language underground forum xss[.]is. M1Geelka wrote “I already sent the data where they need to go…”, implying that M1Geelka had provided the data to Russian or other law enforcement authorities.
On August 23 2021, Bassterlord – an affiliate of REvil, Lockbit and other groups – published a Ransomware Manual online. He acknowledged help from Wazawaka, head of the Babuk ransomware group. The release of the guide caused consternation in the underground community, according to Prodaft.
On September 3 2021, user “dyadka0220” posted the source code for the Babuk ransomware on the XSS underground forum. Dyadka0220 claimed he was doing so because he was dying of cancer. Babuk members said the leaker was Babuk ransomware developer Dudka. According to US-based analyst Azim Khodzhibaev, Babuk members leaked the code in order to “muddy the waters” and reduce pressure on Babuk after the blowback from the Washington DC police department hack.
How could these leaks benefit Russian intelligence? At a time when Western analysts were increasingly publicizing the relationship between Russian intelligence and ransomware actors (see “Ransom-War” Part 1 for some of these), Russian special services needed new, deniable means to disrupt target societies. Leaking how-to manuals and ransomware source code could draw on cybercriminals’ own incentives and achieve the same goal. A December 2021 report by the Institute for Critical Infrastructure Technology about “disruptionware” — ransomware whose main goal is to disrupt rather than to earn ransom — notes that a government can simply release ransomware in the wild and benefit from the ensuing chaos:
Nation-states can initiate many attacks just by releasing a variant of ransomware without the need to pay individual attackers... A culture of allowing small attackers to launch disruptionware attacks unimpeded by law enforcement both "chums" the waters of the threat landscape and iteratively depletes the resources of and inflicts harm on the victim.
Some winners of late-2021 turmoil
Even as many Russian cybercriminals expressed fear of being identified by Russian or Western law enforcement, Babuk actor Mikhail Matveev (aka “Wazawaka”) remained unrepentant and untouched. In a previous posting we discussed inflammatory statements he would make in early 2022. In October 2021, Babuk group spinoff “Groove,” likely controlled by Wazawaka, issued an appeal to other Russian ransomware groups. It said that, given “our difficult Time of Troubles (смутное время)”9 and the US government’s battle against the groups, it was time to stop competing and to unite and “start to f**k the state sector of the USA, to show that demented old man [i.e. Biden] who is the boss here, who is the boss on Internet territory.”
The Groove posting also hailed the recent arrest of Ilya Sachkov, head of Russian cybersecurity company Group-IB, for having supposedly “sold” himself to the US (discussed in “Ransom-War Part 4b”). The Groove posting continued, “So now let’s help our state battle these vampires,” such as cybersecurity firms and US government agencies.
“I call on you not to attack Chinese companies; after all where will we be able to run to if our motherland suddenly turns against us – only to our good neighbors, the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL NEGROES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this."
Matveev’s words imply that he hopes racial conflict in the US will be the downfall of Biden, whom he and Russian state media both portray as an old man with dementia. As for his friendliness to China, in November 2021 Matveev’s RAMP forum opened up Chinese-language interfaces, in an apparent attempt to increase cooperation with Chinese cybercriminals.
Other beneficiaries of the turmoil in the ransomware world in late 2021 appear to have been the LockBit group and AlphV (a.k.a. BlackCat). The LockBit enterprise attracted affiliates including a top lieutenant of the Russian intelligence-linked Evil Corp group, according to a US indictment, as well as affiliates who were left hanging when the DarkSide successor operation, BlackMatter, closed down in November 2021. LockBit even recruited the person who had developed the DarkSide and BlackMatter malware, according to Analyst1.
DarkSide successor group BlackMatter appears to have rebranded as AlphV in November and announced recruitment of affiliates in December 2021. Subsequently AlphV/BlackCat actors attacked numerous Western critical infrastructure targets, including Central European fuel handling depots and ports critical to NATO, before and during Russia’s war on Ukraine.
Both AlphV and Lockbit would later fall to massive Western law enforcement takedowns in 2023-2024.
Some ransomware suspects are in custody in the West and may have spoken to investigators about their motivations, confirming or refuting our hypotheses here. Such information might come out in eventual trials, if the suspects agree to provide testimony to prosecutors in return for lighter sentences.10 The Colonial Pipeline perpetrator is either in a Russian prison or at large, likely in Russia, and unlikely to reveal his real motivations.
To learn more about Russian ransomware actors’ motives and whether they were linked to signaling from above, we may have to await more revelations from Western law enforcement like the October 1 2024 revelations about EvilCorp.
Implications for 2024
The ransomware ecosystem keeps changing, as groups splinter and rebrand and members shift affiliations. Distrust among cybercriminals remains high. Cyber threat intelligence company Prodaft, in its report on Mikhail Matveev (“Wazawaka”), urged cyber defenders to exploit this distrust in their battle against the cybercrime community. Operation Cronos, a multinational operation to take down the Lockbit group in 2024, used the group’s seized server to post messages mocking cybercriminals and urging them to give up and turn each other in. The US State Department has also offered rewards in the millions of dollars for people — including fellow criminals — who help catch and prosecute cybercriminals.
As for the international information security topic that so moves Russian President Putin, Russia failed to get its candidate elected to the ITU presidency in the 2022 election, but it kept trying to win over UN member countries to its views on Internet regulation. The UN General Assembly is likely to approve the Russian version of the international information security treaty that a committee approved in August 2024. Western commentators have said this is a disaster for human rights. As of October 7 2024, The Record reported that “The treaty could and likely will sail through the U.N.,” in a vote that could take place as soon as December 2024. However, it remained uncertain whether member countries would ratify it. As we saw above, Putin’s speech of April 21 2021 appeared calculated to scare Western countries into agreeing to Russia’s version of these documents. Such efforts could continue to include encouraging disruptive ransomware attacks as part of an overall push to weaken and divide Western countries, as described in “Ransom-War Part 3: Inflict Maximum Damage.”11
As for domestic political opposition in Russia, Putin has largely squelched it, especially after the death of top activist Alexey Navalny. Nevertheless, Putin remains a pariah in many countries, and his domestic hold on power remains “brittle.”
As for cybercriminals, this series has argued that in at least some cases, ransomware can function as an information operation, a Russian hybrid warfare tool to weaken, divide and discredit adversary countries.12 The Stanford Internet Project cited in Part 1 of this series pointed out spikes of ransomware around elections and assessed that one likely motive is to “create a perception hack, in which news of a cyber intrusion leads the public to question the reliability of election results regardless of the attack’s actual impact.” In 2024 US Secretary of State Antony Blinken referred to Russian propaganda company RT, whose boss Margarita Simonyan warned about cyberwar early in 2021, as seen above. Blinken said RT and its operations “are .... engaged in covert influence activities aimed at undermining American elections and democracies.”
On October 28 the Cybersecurity and Infrastructure Security Agency (CISA) launched a new “one-stop shop website for election threat updates from CISA and our federal government partners.” However, the FBI and CISA assured citizens in August 2024 that, even if ransomware attacks against local governments or election infrastructure occurred, “they will not compromise the security or accuracy of vote casting or tabulation processes,” due to “a variety of technological, physical, and procedural controls.” They said, “FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of vote tabulation or voter registration information.”
Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — focusing on their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty,” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context. 
“Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware attacks of 2021 in the context of this political culture and international tensions of that year.
According to the Kremlin, the two presidents also discussed Iran, Afghanistan, arms control, climate change, and what it called the “internal Ukrainian crisis.”
Putin was referring to an April 17 2021 statement by Russia’s FSB. The FSB statement said the oppositionists were plotting a coup “following the scenario of a ‘color revolution’” – a term referring to a series of revolutions in the 2000s that had ousted Russia-friendly governments in countries neighboring Russia (see Putin: The Spy as Hero for more on Putin’s reaction to “color revolutions”). In Belarus, surrounding an August 2020 presidential election widely seen as fraudulent, amid demonstrations and brutal crackdowns, the EU and US imposed sanctions on Lukashenka’s government. Belarusian oppositionists created a “Coordinating Council for the Transfer of Power,” which the European Parliament recognized as the "interim representation of the people" of Belarus and called for new, free and fair elections. On April 17 2021 the Russian FSB and Belarusian KGB issued a statement claiming that a dual US-Belarusian citizen, in conjunction with Ukrainian nationalists and after holding “consultations” in the US and Poland, had spearheaded an attempted assassination and coup attempt against Belarus’ pro-Russian president, Aleksandr Lukashenka. Independent Belarusian analysts assessed this “coup plot” was likely a form of entrapment and that the KGB had lured Belarusian opposition members into discussing such an idea. They pointed out that, by blaming the alleged coup and assassination attempts on US president Joe Biden, the Kremlin could hit back at Biden for saying in March 2021 that he thought Putin was a killer.
The picture is muddled by memories of a strange incident involving Ukraine and Belarus in 2020. Soldiers of the Russia-based Wagner mercenary militia landed in Belarus shortly before Belarus’ 2020 election, supposedly to participate in “igniting mass anti-governmental provocations,” in what appears to have been a failed Ukrainian plot to lure the Wagner fighters to Belarus and spirit them to Ukraine for prosecution. The memory of that strange case may have mixed in people’s minds with the alleged plot of 2021. In any case, it is unclear whether Putin’s 2021 claim that Belarusian oppositionists planned cyberattacks has any basis in fact. Putin’s implication of Ukrainian and/or US help for a supposed coup plot could be based on Western statements of support for the Belarusian opposition transition council. By the beginning of 2022, Belarusian hacktivists would use cyber means to sabotage their country’s railroad system to prevent Russian soldiers from traversing Belarusian territory to attack Ukraine.
In the 2022 elections for ITU head, Russia’s candidate lost. As of October 2024 it appears not to have been decided whether the 2025 Internet Governance Forum would take place in Russia or Norway.
Mideast tensions, too, would provide some benefits for Russia, along with new complications, as the Natto Team argued here.
That is, where an incident falls on cybersecurity analyst Jason Healey’s “spectrum of state responsibility” for cyber operations. As a reminder, the latest version of Healey’s spectrum reads as follows:
State-prohibited: The national government will help stop the third-party attack
State-prohibited-but-inadequate: The national government is cooperative but unable to stop the third-party attack
State-ignored: The national government knows about the third-party attacks but is unwilling to take any official action
State-encouraged: Third parties control and conduct the attack, but the national government encourages them as a matter of policy
State-shaped: Third parties control and conduct the attack, but the state provides some support
State-coordinated: The national government coordinates third-party attackers such as by “suggesting” operational details
State-ordered: The national government directs third-party proxies to conduct the attack on its behalf
State-rogue-conducted: Out-of-control elements of cyber forces of the national government conduct the attack
State-executed: The national government conducts the attack using cyber forces under its direct control
State-integrated: The national government attacks using integrated third-party proxies and government cyber forces
Ironically, on April 30 2021, US Pentagon chief Lloyd Austin gave a speech about US readiness to use “integrated deterrence,” including offensive cyber activity. “Integrated deterrence,” he said, “could .... mean employing cyber effects in one location to respond to a maritime security incident hundreds of miles away....” Austin boasted that “we are still the best in this business” of deterrence. Russian news agency TASS picked up on the story on May 1. Russian citizens who followed the news might have been aware of this speech and interpreted it as a challenge.
The old case that was reopened could refer to a number of things, even as far back as the takedown of the Dyre group, a predecessor to Trickbot, in 2015.
He was borrowing a term for Russia’s 17th-century “Time of Troubles,” characterized by dynastic chaos and foreign intervention. See Natto Thoughts postings “Vocabulary of Mutiny, Mafia and Misery” and “Russia After Putin: Dictatorship, Democracy, or Chaos?”
However, suspects can request that information about their cooperation be kept sealed. REvil actor Yaroslav Vasinskyi made such a request.
Western countries fight back with their own versions of international cybercrime agreements. For example, around the time that the UN General Assembly was meeting in New York, President Biden’s International Counter Ransomware Initiative was convening in Washington DC. The 68 participating countries at Biden’s meeting agreed on a statement to act responsibly in cyberspace.
Other analysts have also portrayed ransomware as information operations. The Natto Team recently became aware of a codastory.com series entitled “Ransomware: The New Disinformation,” which points out, “Ransomware increasingly shares the aims of disinformation campaigns: to spread popular doubt in governments and institutions, to undermine expertise, and to foster political and social instability.” The series includes a December 2021 interview with Jenny Jun of the Cyber Statecraft Initiative at the Atlantic Council, a US think tank. Jun predicted that “for the next five to 10 years....ransomware will be used coercively — as a bargaining tool.”