Ransom-War, Part 2b: Profits Versus Patriotism
Russian Cybercriminals face tension between making money, serving the motherland, and avoiding prison time
This is part 2b of the series “Ransom-War.”1 Part 1 introduced the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we looked at how Russian cybercriminals portray themselves as warriors for the Russian state against its enemies, particularly the United States. They are willing to work for the Russian government and make business decisions in Russian strategic interests. In this section, we look at how events surrounding the Russian invasion of Ukraine heightened the tension Russian ransomware hackers faced between profit-making and their duty to the Russian motherland.
Tension Between Duty and Profit
Previous postings have explored aspects of Russian cybercriminals’ patriotism and cooperation with state intelligence services, based on online forum discussions and interviews as well as leaked internal communications such as those of the infamous Conti group. But in the same sources the cybercriminals also acknowledge ongoing tension between doing their patriotic duty, making money, and avoiding prison time.
Putting on the Red Scarf:
A leaked chat thread from 2020 between Conti group leaders “Professor” and “Stern” discussed the tension between duty and profit. They had received requests from “one of those offices” – implying an intelligence agency – to help crack a target. (They had previously discussed working with an office of Russia’s Federal Security Service, the FSB.) “Professor” asked whether the intelligence agency clients expected them to do the job for free: “Will they pay? Or are we playing Pioneer?” referring to the Soviet-era Young Pioneers, a Scout-like group. Professor probed further, “Do we have to turn [what we find] over exclusively to [the client]? Or can we also offer it to someone in the government who will pay for it? I have someone in foreign [intelligence] (внешка) who will pay, in addition to what they are asking us to do as Pioneers ))).” Stern responded, “Who cares about money?” He added that – particularly at first – they should offer to provide it exclusively to that client, implying that they wanted to establish trust with the unnamed “office.” Professor responded, “OK, no prob. That means I’ll be putting on my red scarf,” referring to the Scout-like neckerchief that Soviet Young Pioneers used to wear.
A Prize of Humble Pie:
Conti member “Target” ironically told another member in September 2020 that if their operation against Credit One Bank was successful, “They will even give you a reward, a pirozhok with cabbage )))))))))).” A pirozhok [plural: pirozhki] is a Russian pasty. As the Natto Thoughts posting “Too Many Toads” explains, the image of a pasty with cabbage suggests the pitiful rustic goods these coders were being offered in return for their sophisticated cyber actions against Russia’s enemies.
Pirozhki. By Russian Wikipedia user Miha Ulanov, CC BY-SA 3.0 <http://creativecommons.org/licenses/by-sa/3.0/>, via Wikimedia Commons
Waning Enthusiasm:
In the weeks after Russia’s 2022 invasion of Ukraine, a hacker cited in Russian investigative periodical Daily Storm expressed Russian cybercriminals’ rapidly declining enthusiasm for helping the motherland.
In the first week of the cyberwar, participants in Russian-language chats respectfully listened to the siloviki [law enforcement, military or intelligence personnel] and rushed to fulfill the tasks they set down….
In the second week, you could already hear phrases like ‘well, the comrade majors set a task, but you can’t fully trust them. If we reveal information about our tools, they will later come after us’.
And in the third week, cyber criminals started to grumble, ‘We have been slaving away for you for two weeks already; we are spending money on proxies, DDoS, servers. At least pay us back for our expenses.’
According to this source, the hackers felt they had “worked a few weeks for the Motherland and that’s good enough. It’s time for the guys to make some money.” However, the source noted that these people “fail to realize that the battles will end someday, whereas the statute of limitations on their crimes will not” (hxxps://dailystorm[.]ru/rassledovaniya/unikalnaya-myasorubka-hroniki-pervoy-mirovoy-kibervoyny).
Sticks Over Carrots
Even when their patriotism waned, then, at least some Russian cybercriminals felt government pressure to keep doing their patriotic duty, with the threat of arrest hanging over them.
That threat of arrest had become noticeable already in spring and summer 2021. After the attack on US-based Colonial Pipeline on May 6, 2021 crippled the US gasoline distribution service and led to massive US alarm and warnings against Russia, several Russian cybercriminal groups and underground forum administrators went quiet or announced a moratorium on discussions of ransomware, citing pressure from Russian law enforcement and the United States. Russian President Vladimir Putin and US President Joe Biden held a summit in summer 2021, and media reported that the two countries were negotiating about sharing information on hackers. Trustwave, a cybersecurity subsidiary of Singapore Telecommunications at the time, analyzed underground forum postings and found that some Russian hackers had grown nervous.
After Russian law enforcement arrested REvil suspects in January 2022, their anxieties increased, Trustwave found. The hackers began to suspect each other of being police informants and shared tips about staying under law enforcement radar. Others criticized REvil group members for their highly publicized “targeting of multi-billion-dollar corporations located in countries that had the political firepower to pressure the Russian government to take action.”
A separate analysis by US-based cybersecurity company Reliaquest found “chatter on Russian cybercriminal forums suggested that REvil were ‘pawns in a big political game’.” On forum discussions, “Much of the debate centers around whether it is better to be incarcerated for cybercrime in Russia or the US,” according to Reliaquest. Forum users debated whether fellow inmates in Russian jails would treat them well or harshly, with one person opining that Russian mafia members might force cybercriminals to work for them after release. One user had written hopefully in 2015 that Russian prison staff would allow them to carry out their crime from the prison cell as long as they shared the proceeds with the staff. However, the criminals might find their sentences lengthened indefinitely, as “no one will release the hen that lays golden eggs.”
But some were not too scared
While most of the Russian cybercriminals quoted in the Trustwave article were afraid, Trustwave found some forum discussion participants in 2021 saying, “No one will put in jail the ransomware gang members in RU; at a maximum you will be asked to be quieter and to share,” implying the need to bribe or split proceeds with law enforcement. Even after the January 2022 REvil arrests, some of the people Trustwave cited thought the arrests were just a “show” to make it appear that Russian officials were working with their US counterparts.
One Conti member said a contact in the FSB had given him advance warning that the US FBI had shown interest in him. He was convinced that “the FSB does not cooperate with the U.S.” and would instead allow the arrested REvil suspects “to rest, regroup and [return] with renewed vigor,” according to Stanford Internet Project researchers’ analysis of ContiLeaks chats.
Other Conti group members were on edge, however. On November 3, 2021, “kagas” told Stern that Russian police had reopened an old case against them on request of US law enforcement. Kagas said a lawyer advised them to “lay low” until November 13, according to a report by cybersecurity firm Forescout.
In a chat from February 21, 2022, Conti coders “Basil” and “Elroy” agreed that Putin’s government likely arrested the REvil suspects to show a gesture of good will after Putin’s talks with US President Biden the previous summer, according to US-based cybersecurity firm Trellix. The two men agreed, however, that Russian law enforcement had arrested only low-level members of the group and that the “comrades across the ocean” would not get anything. Elroy replied mockingly, “They will get a new version of ransomware!”
But at least some Conti members appeared to think their leader, Stern, had enough clout to protect them from prosecution in Russia. According to the Trellix report, “Elroy” wrote in a February 2, 2022 chat, “If he was not almighty, we all would have ended up like the REvils.” Angelo agreed. Referring to Stern as “S,” he wrote, “Yes, I already figured out that S is in service to Pu [Putin]....and that we do contracts, and who our clients are sometimes.”
However sanguine they were about Russian government protection, the Conti leaders nevertheless took themselves out of business on May 19, 2022. On May 6 the US State Department had announced a reward of up to $15 million for helping bring Conti co-conspirators to justice. Reporting the group’s May 19 breakup, the Advintel cybersecurity company assessed that Conti group members dispersed to other groups associated with the BlackByte, BlackBasta, and Karakurt ransomware and that some members became “collective affiliates” with Hive, AvosLocker, AlphV (a.k.a. BlackCat), and HelloKitty (a.k.a. FiveHands) ransomware groups. At least some group members likely were able to use their relationships with government agencies in their new settings.
Mixed Feelings
Mikhail Matveev, a.k.a. “Wazawaka,” the ransomware actor who famously posted a drunken January 2022 video in which he “declared war on the USA,” claimed in an August 2022 interview that he was initially terrified by the 2021 wave of arrests and the fear that Russian and US law enforcement might actually cooperate. Asked by Recorded Future whether he feared the FBI or the FSB more, he said, “What worries me the most? If these two structures start cooperating with each other — then I'll get fucked up, with at least three life sentences.” In 2021, he recalls, “Russia began to quietly come into cooperation with the USA regarding cybercrime. I crapped myself and then I was very afraid, I was drinking a lot. I re-read our Constitution and understood that they’ll leave me, damn well, in Russia, but it was scary ....”
With that in mind, Wazawaka said he was actually happy when Russia’s February 2022 full-scale invasion of Ukraine took the heat off of cybercriminals. His statement might or might not reflect his full mindset, but it does give a hint at the complex feelings of impunity and vulnerability that Russian hackers might have experienced during this time of uncertainty. Strikingly, he expresses sympathy for Ukrainians – a sentiment that would be natural in the cybercriminal community, where Russians and Ukrainians had long been closely intertwined, but which was a prosecutable offense in Russia’s wartime atmosphere. Wazawaka recalls that when Russia’s euphemistically entitled “special military operation” began, “I was fucking happy. Although you know it’s dumb to talk about it because my interview will also be read by the citizens of Ukraine, and someone’s father could have died, or their child. I started to rejoice, you know, with impunity. But, if it weren’t for the special operation, I wouldn’t have behaved the way I’m behaving now — I’m even a little ashamed of it.”
Future Natto Thoughts postings will focus on the relationship from the Russian government’s point of view.
*Correction made June 24, 2024: the 2020 chat thread about acting like “Young Pioneers” was between “Professor” and “Stern,” not “Professor” and “Mango.”
Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — focusing on their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty,” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context. 
“Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware operations of 2021 in the context of this political culture and international tensions of that year.