RansomWar in Real Time, Case Study 2: Louisiana and Norsk Hydro, 2019
Two disruptive ransomware campaigns from 2019 show possible signs of Russian state involvement in choice of targets and timing -- and even in malware development
In the previous posting of the “Ransom-War” series[1] we saw Conti and Evil Corp ransomware group members cooperating with government sponsors for espionage and even an apparent hack-and-leak operation. These are some activities consistent with Russia’s ongoing hybrid confrontation with its Western and Ukrainian adversaries.
But hybrid warfare also includes disruptive and destructive activity aimed at paralyzing essential services in a target society, potentially sowing social discord or discrediting an incumbent government. Even without a smoking gun in the form of leaked chats or indictments, in some disruptive ransomware operations we see circumstantial evidence consistent with Russian state inspiration or involvement. Signs that a ransomware operation might be “hybrid,” with political motivations in addition to financial ones, include timing and targeting that align with state priorities; political comments in ransom notes, forum postings, or even words inserted into malware code; and an unrealistically high or strangely low ransom demand, showing a non-financial motivation for that operation. Natto Thoughts found some of these elements in the activities of Mikhail Matveev, a.k.a. “Wazawaka,” and other threat actors. Other analyses -- including those from the Stanford Internet Project; Blackberry; Accenture Cyber Threat Intelligence in 2019 and in 2022; and Microsoft in 2022 -- have also provided examples of disruptive ransomware operations whose targeting and timing align with Russian state interests.
In this posting we focus on two such operations and hypothesize plausible scenarios for how that likely state influence works: whether the criminals are “patriotic entrepreneurs” improvising based on the messaging they receive, or fielding explicit “wish lists” from government contacts, as we saw in the case of the Conti group. That is, where do they fit on cybersecurity researcher Jason Healey’s “spectrum of state responsibility” for cyber operations?[2]
Writing in the widely read British paper inews about the ransomware attack that crippled the British National Health Service in June 2024, author Richard Holmes suggested that the Russian government sets limits for when criminals can attack major targets like the NHS. He cited analysts at Prodaft who have seen “communications between Russian hacking groups requiring higher authority from its leadership to attack NHS data, only to be denied on the basis of ‘not having another Colonial Pipeline’.”[3] In that context, Holmes concludes, the Russian government likely had to give the criminals express authorization to unleash the NHS attack. While Holmes exaggerates the degree of restraint prior to the NHS incident,[4] the general point seems sound. In certain other cases as well, it is plausible to surmise that Russian officials have signaled criminals to unleash attacks for political effect at sensitive moments. These might include a ransomware event that precedes a sensitive election, or comes after a country has made a decision hostile to Russia, or one that appears designed to disable supplies to Ukraine.
We briefly examine a 2019 case in Louisiana that shows circumstantial evidence of signaling to start operations, based on dwell time between data exfiltration and the unleashing of disruptive or destructive malware at a sensitive time. Then we examine the 2019 attack on Norwegian industrial giant Norsk Hydro, in which intelligence agencies may have stimulated the development of disruptive malware itself.
Louisiana Elections 2019:
As we discussed in “Ransom-War” Part 1, quantitative analysis by the Stanford Internet Project (SIP) covering the period 2019-2022 showed spikes in Russia-origin ransomware activity targeting politically sensitive entities at politically sensitive times, including in the run-up to elections.
The SIP report gave a case study of incidents surrounding a close-fought election in the US state of Louisiana in 2019. First, on November 10 2019, less than a week before the elections, threat actors unleashed REvil ransomware on “local courthouses, sheriffs’ offices and companies in finance, health care and manufacturing between Louisiana and Texas,” according to Bloomberg. Then, on November 18, two days after the election but before the results were certified, threat actors triggered Ryuk ransomware to paralyze numerous Louisiana state government computers, including briefly those of the Secretary of State. Just a month later, in mid-December 2019, Ryuk ransomware again hit the state, this time the city of New Orleans.
In the REvil incident, the threat actors had compromised the systems months earlier but waited until just six days before the election to brick up the systems and negotiate a ransom.[5] This timing suggests a hybrid rather than purely financial motivation. As former AUSA Erez Lieberman said in a June 2023 conference panel, when ransomware is deployed months after the original breach, “maybe that means it's a nation state.”
Furthermore, as Russian news source BFM noted, sometimes the people attacking these Western government systems do not even demand ransom, “as if they are doing it for fun (будто просто развлекаются).”
Inspired by Patriotic Feelings or Russian Intelligence Wish-Lists?
Did the ransomware actors receive any encouragement, inspiration, or targeting from Russian intelligence agencies? One possibility is that the Ryuk and REvil operators were acting as “patriotic entrepreneurs,” voluntarily choosing the targets and timing under inspiration from Russian state media reports. Multiple REvil operators have made anti-American statements over the years, as the Natto Team discussed in “Ransom-War” Part 2a.
A search for джон бел эдвардс (John Bel Edwards) in the Russian search engine Yandex shows that state-dominated Russian media had extensively reported on an Edwards statement guaranteed to raise Russians’ hackles: Edwards had declared in March 2019 that the 1932-1933 famine in Ukraine constituted Soviet genocide against Ukrainians. This could plausibly have spurred patriotic hackers to want to “punish” Edwards.
Alternatively, the threat actors may have received some guidance from Russian intelligence services. The fact that two different crime groups chose to target one particular US state raises the possibility of a coordinated operation. We recall that two of the three attacks against Louisiana involved Ryuk ransomware. Ryuk was developed by the team we have been calling Conti/Trickbot. As we detailed in the previous posting, as of 2020 Conti/Trickbot group leadership was responding to “wish lists” from Russian intelligence services.[6] Although it is unclear whether Ryuk operators had any direct links with Russian intelligence services in 2019, throughout 2019 Ryuk operators did heavily target sensitive US victims such as local governments and healthcare facilities. A spinoff version of the Ryuk malware is adapted for stealing government and military secrets. These aspects of Ryuk align with Russian state strategic priorities.
Russian ransomware actors had targeted many state and local governments, but why such a focus on Louisiana? One reason might have to do with fossil fuel: located on the Gulf of Mexico, Louisiana is a major center for US oil refineries, and thus key to the US’ role as a major rival to Russia in global fossil fuels markets. But the attacks came around the 2019 elections. The Ryuk attack, coming just after Edwards’ narrow victory but before certification of the election, could also have been intended to call into question the vote count. As Bloomberg wrote, “Even if hackers time criminal attacks to elections because they believe the added pressure might get officials to pay faster, a wave of well-timed attacks could still create a cloud over results.” (The Louisiana Secretary of State said his office was “briefly offline” but the vote tally was unaffected, according to Reuters.)
Experimenting in Advance of 2020 US Elections?
Some analysts have seen a broader significance going beyond Louisiana and 2019. Fears ran high in US government and cybersecurity circles that Russia would attempt cyber-enabled information operations to influence the 2020 US presidential elections, as they had done in 2016. If the Louisiana operation was intended to cast doubt on local election officials’ tallying and reporting of the results, some local experts suggested it was a test in advance of the 2020 nationwide elections. Louisiana-based breach response specialist Jason Ingalls said of the two attacks, “If this was a test, it creates a very dangerous model for discrediting election results.” Ben Spear of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) “dubbed such attacks ‘stropportunistic’ -- an attack strategically focused on collecting ransom that also presents opportunities for additional malicious activity,” according to Bloomberg. “Stropportunistic” sounds like another term for hybrid.
In 2020, US officials worked hard to forestall cyberattacks that could undermine faith in the elections system. And, while the Russian and Iranian governments attempted influence operations to undermine public confidence in the electoral process, the vote itself went off without major foreign-origin cyber manipulations, as a US Intelligence Community assessment would conclude. Chris Krebs, director of the US Cybersecurity and Infrastructure Security Agency (CISA), in a November 12 2020 statement called the 2020 election “the most secure in American history,” adding, “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
Election-linked foreign cyber-enabled information operations remain an issue in 2024. In September 2024 US officials reported on several Russian information operations aimed at dividing US society and influencing US policy, including covert payments to like-minded US social media outlets and false reports on web pages simulating those of major media outlets. US Secretary of State Antony Blinken said Russian propaganda company RT and its operations “are no longer merely fire hoses of Russian propaganda and disinformation. They are engaged in covert influence activities aimed at undermining American elections and democracies, functioning like a de facto arm of Russia’s intelligence apparatus.”
At the same time, the FBI and CISA assured citizens in August 2024 that, even if a ransomware attack against local governments or election infrastructure occurred, “they will not compromise the security or accuracy of vote casting or tabulation processes.” They cited “a variety of technological, physical, and procedural controls to mitigate the likelihood of ransomware affecting election infrastructure systems or data” and said, “FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of vote tabulation or voter registration information.”
NorskHydro, 2019
On March 18 2019, Norwegian politician and NATO Secretary General Jens Stoltenberg gave a speech at the German Marshall Fund to celebrate NATO's 70th anniversary. He hailed the expansion of NATO in Eastern Europe and promised to continue working toward the eventual admission of Ukraine, Georgia and Bosnia-Herzegovina. That same day, Norwegian Defense Minister Frank Bakke-Jensen presented Russian officials with electronic proof that Russia had jammed global positioning system (GPS) signals in the previous year’s NATO war games and demanded an explanation. "Russia asked (us) to give proof. We gave them the proof,...Russia said ‘thank you, we will come back when our experts review that’," Bakke-Jensen told Reuters.[7]
Hours later, in the wee hours of March 19, computer screens at Norwegian renewable energy and aluminum company NorskHydro went dark. “When we discovered we were attacked, we pulled out cables everywhere and shut down all the systems to avoid further damage. It was about 22,000 PCs and thousands of servers,” the company’s IT manager recalled. The damage required months to repair and eventually cost the company some $75 million.
Responders found malware called LockerGoga [elsewhere known as Gogalocker or simply Goga] on the company’s systems. Since its first discovery in January 2019, this malware had affected dozens of victims, including IT services company Altran in France and two US chemical companies. However, a LockerGoga variant found in NorskHydro’s systems appears intended for disruption rather than to extort money. It logs all the users off so they do not see the ransom note, changes account passwords, and disables the system network card. This suggests that extorting money was not the attackers’ main motive.
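The behaviors just described (mass logoff, changed account passwords, disabled network adapters) are also what a defender can alert on, because extortion-oriented ransomware normally leaves users logged in so they can read the note. The following Python script is an added example, not code from the original post or from any of the analyses it cites; it runs a simple triage heuristic over a constructed log sample and flags hosts that show all three indicators within a short window. The Windows Security event IDs 4724 and 4647 are real; the `nic_disabled` label, the host names and the timestamps are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security audit event IDs used as indicators (real IDs).
PASSWORD_RESET = 4724  # "An attempt was made to reset an account's password"
USER_LOGOFF = 4647     # "User initiated logoff"
# Hypothetical label an EDR or NIC-monitoring agent might emit when an
# adapter is disabled; it is NOT a Windows event ID.
NIC_DISABLED = "nic_disabled"

# A host matching all three within one window fits the disruptive variant
# described in the text rather than ordinary encrypt-and-extort ransomware.
DISRUPTIVE_PATTERN = {PASSWORD_RESET, USER_LOGOFF, NIC_DISABLED}

# Constructed sample telemetry (not real Norsk Hydro data).
# Line format: "<ISO timestamp> <host> <event>".
SAMPLE_LOG = [
    "2019-03-19T00:05:10 ws01 4724",
    "2019-03-19T00:05:12 ws01 4647",
    "2019-03-19T00:05:15 ws01 nic_disabled",
    "2019-03-19T00:05:20 ws02 4724",
    "2019-03-19T00:05:21 ws02 4647",
    "2019-03-19T00:05:25 ws02 nic_disabled",
    "2019-03-19T00:06:02 ws03 4724",
    "2019-03-19T00:06:05 ws03 4647",
    "2019-03-19T00:06:09 ws03 nic_disabled",
    "2019-03-19T00:07:00 ws04 4724",   # lone helpdesk-style reset, benign
    "2019-03-19T00:08:30 ws05 4647",   # ordinary user logoff, benign
    "2019-03-19T00:10:00 srv01 4724",
    "2019-03-19T00:40:00 srv01 4647",  # logoff well outside the 5-minute window
]


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, event)."""
    ts, host, event = line.split()
    if event.isdigit():          # numeric Windows event ID
        event = int(event)
    return datetime.fromisoformat(ts), host, event


def detect_disruptive_burst(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return the sorted hosts that show every indicator in DISRUPTIVE_PATTERN
    within `window` of their first password reset, but only if at least
    `min_hosts` hosts do so (a single host is more likely admin activity)."""
    per_host = defaultdict(list)
    for ts, host, event in map(parse_line, lines):
        per_host[host].append((ts, event))

    affected = []
    for host, events in per_host.items():
        resets = [ts for ts, ev in events if ev == PASSWORD_RESET]
        if not resets:
            continue
        start = min(resets)
        seen = {ev for ts, ev in events if start <= ts <= start + window}
        if DISRUPTIVE_PATTERN <= seen:
            affected.append(host)

    affected.sort()
    return affected if len(affected) >= min_hosts else []


if __name__ == "__main__":
    print("hosts matching disruptive pattern:", detect_disruptive_burst(SAMPLE_LOG))
```

The `min_hosts` threshold is what separates a fleet-wide disruption from routine administration: one workstation with a reset password and a logoff is a helpdesk ticket, three or more inside the same few minutes is the pattern the text attributes to the disruptive LockerGoga build.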
The attackers may have been acting on various possible non-financial motives. One goal could have been to sink NorskHydro’s share price or raise the price of aluminum -- both of which did happen, briefly -- in order to manipulate markets. However, it is also reasonable to consider Russian state involvement. US-based cybersecurity analyst Joe Slowik published a ground-breaking March 2020 analysis outlining the evidence for such an interpretation, including technical aspects of the malware itself.
While the immediate trigger for the unleashing of disruptive LockerGoga malware might have been the Norwegian denunciation of Russia’s GPS jamming, the NorskHydro operation may have been simply one part of a planned broader operation against Norwegian critical infrastructure as a means of punishing and/or pressuring the Norwegian government. Slowik points out that the threat actors who crippled Norsk Hydro also targeted multiple other Norwegian entities, according to Norwegian media. If threat actors were undertaking the labor-intensive operation of gaining control over multiple Norwegian networks, reasons Slowik, “This indicates a well-resourced team able to execute multiple compromises simultaneously.” And if they were using the disruptive version of LockerGoga, they could cause a “cascading economic shock” to the Norwegian economy as a whole. That is, according to Slowik, “The Norsk Hydro-associated LockerGoga variant, if also targeting additional entities in the Norwegian economy, evolves from a critical concern for a single company to an item of near-existential risk for an entire country.”
Russia had broad geopolitical motives for using disruptive cyber activity to strike a demonstrative blow against Norway as a whole. By early 2019, military tensions between Russia and Norway, a NATO member, over the melting Arctic were intensifying. The two countries participated in competing military exercises, beefed up their military presence, competed in oil exploration, and accused each other of espionage.[8] Russia also undertook information operations to undermine Norwegian citizens’ allegiance to the NATO alliance, as a September 2024 New Yorker article detailed.
Malware Itself Contains Clues as to Possible State Involvement
As Slowik has argued, evidence within the malware itself suggests the possibility of months of planning for such an operation. It was as if the disruptive version of LockerGoga were deliberately developed to “essentially crippl[e] a country through perceived criminal tools,” but to avoid the dangerous collateral damage that WannaCry and Petya.A/NotPetya had caused in 2017.
Slowik notes that LockerGoga underwent extremely rapid development between January and March 2019. He identifies nine versions of LockerGoga, compiled between January 5 and March 10 2019, which were designed to encrypt only and appear consistent with financially motivated ransomware activity. The tenth version of LockerGoga, compiled on March 18, was designed to “encrypt, change passwords, disable network adapters, logoff users,” i.e. designed for disruption and not extortion.
After the NorskHydro incident, says Slowik, LockerGoga seemed to disappear. Its short lifespan seems uncharacteristic of a financially motivated ransomware:
LockerGoga would appear to have a poor success rate in generating funds, and since it disappeared so suddenly appears inefficient from a monetization perspective. Given all this information, and the sudden shift from versions performing fairly nondescript network encryption operations to the more disruptive malware involved at Hydro, the evolution of available LockerGoga samples indicates a tool that was potentially modified for one-time, spectacular disruptive purposes before being retired.
Slowik acknowledged that another ransomware strain called MegaCortex, which emerged in May 2019, shares some features with LockerGoga, but he found that connection purely tangential. He suggested that Megacortex may have been a spinoff of the older, nondisruptive version of LockerGoga. He also dismissed reports that viewed a Megacortex spinoff called Ekans as state-linked.
All Roads Lead to the Conti/Trickbot Group
Who would develop malware this quickly and abandon it? As early as 2019, analysts pointed to Fin6, a Russian-speaking cybercrime group that formerly focused on payment card theft, as carrying out most of the LockerGoga operations that preceded the NorskHydro event. However, aspects of the NorskHydro operation differed from the Altran event and other early LockerGoga operations, as Slowik pointed out. These new features “indicate a separate entity was almost certainly involved in the more disruptive event” at NorskHydro. This may imply that someone purchased or simply took over the LockerGoga malware that Fin6 developers had so assiduously perfected and used it for the disruptive attack on Norway. The logical suspect for such a reuse of this malware would be a Russian state entity.
Slowik did not make explicit who he thinks developed and deployed the final, more-disruptive version. One plausible scenario is that a Russian state-linked entity paid or pressured Fin6 to develop the more-disruptive version and turn it over to them.[9] Alternatively, state hackers may have bought or appropriated code from the earlier version from Fin6 and themselves developed the more-disruptive version for the Norway operation. In this scenario, Fin6 could have proceeded to modify the earlier, non-disruptive LockerGoga version into Megacortex and later EKANS and continue to make money for themselves.[10]
Russian state actors might have an indirect relationship with Fin6 through the Conti/Trickbot group. Fin6 is known to have deployed Conti-associated Ryuk and Trickbot malware. Indeed, some researchers assert that members of the Conti/Trickbot group themselves developed LockerGoga and MegaCortex. Others dispute that assertion.[11]
Whether or not they are the direct authors, Conti/Trickbot group members have some relationship with the threat actors who developed and used LockerGoga, just as we saw a Conti/Trickbot connection above in the ransomware attacks tied to the 2019 Louisiana elections. We previously saw Conti/Trickbot group members receive taskings from the Russian FSB and SVR. Possibly through their mediation or via other personal ties, Fin6 members may have received tasking to depart from their former credit card-focused activity and develop LockerGoga malware or turn it over to state hackers for their use.
The Hunt for the LockerGoga Perpetrators
The story of the NorskHydro attack may eventually become clearer in connection with ongoing criminal investigations. Spurred by the LockerGoga attack on French company Altran, in September 2019 French authorities initiated a Joint Investigation Team (JIT), involving officials from Norway, France, the United Kingdom and Ukraine, as well as Europol, to pursue the criminals behind the malware. Information from French investigators also fed into a criminal case that Ukrainian investigators opened in August 2019: case No. 42019000000001779, investigating crimes under articles 361 part 2 (unsanctioned computer access) and 189 part 4 (extortion) of the Ukrainian criminal code. One target of that investigation was the suspected developer/distributor of UAdmin, a set of tools for spammers. That person goes by the nickname “kaktys,” so we will call that the kaktys case. The progress of the JIT and kaktys investigations can be glimpsed through tidbits of court filings and news reports, as follows:
In November 2019 Ukrainian investigators, saying they were acting on information received from French authorities on the LockerGoga attack on Altran, requested a Kyiv court’s permission to search telecommunications provider records on four unnamed individuals. The court document describes one of those suspects as the developer and distributor of the UAdmin phishing kit (also known as uPanel or U-Admin, short for “Universal Admin”).
On January 11 2021 the investigating judge in the above-mentioned case froze cash assets and a computer system unit belonging to one of the suspects.
On February 1-8 2021 Ukrainian police, together with the FBI and Australian authorities, carried out arrests and searches associated with the UAdmin developer, whom they described as a 39-year-old resident of the Western Ukrainian region of Ternopil. The UAdmin distributor used the hacker handle “Kaktys” on cybercrime forums.
On October 26, 2021 over 50 foreign investigators, together with Ukrainian National Police, carried out raids in Ukraine and Switzerland, arresting or interrogating 12 individuals suspected of using LockerGoga, Megacortex, Dharma, and other ransomware strains. The officers seized cash, luxury vehicles and electronic devices. According to Ukrainian police, searches took place in the city of Kyiv and in the Kyiv, Volyn, Ternopil, Kharkiv, Zaporizhzhia, and Donetsk regions of Ukraine. Swiss investigators arrested a resident of the Basel region on suspicion of membership in the Fin6 gang and retrieved decryption keys from that person’s devices.
On November 1 2021, the Kyiv judge in the “kaktys” case froze certain real estate assets belonging to one of the suspects, according to an appeal filed in 2024. The judge also froze cash assets and a computer belonging to a suspect, according to an appeal filed in 2023. It is unclear whether these appeals refer to the same suspect.
On January 11 2023, a Kyiv judge made a ruling. A lawyer representing Ukrainian company “Money Republic LLC” (ТОВ «ФК «Мані Репаблік») had appealed for the return of cash assets and a computer that the investigating judge had frozen in November 2021. The judge declined the appeal, saying “Money Republic” is not the owner of the assets. It is unclear who “Money Republic” is and what relationship it has to the case. Additional rulings and appeals would follow.
On January 26, 2023, US prosecutors reported on a seven-month-long multinational law enforcement operation that infiltrated and shut down the infrastructure of the Hive ransomware group. This law enforcement operation, along with the investigations that led to indictments of multiple Conti/Trickbot group members in February and September 2023, likely all yielded information about the ransomware ecosystem relevant to the LockerGoga attack on Norsk Hydro.
On November 21, 2023, international law enforcement officers raided 30 locations in the Kyiv, Cherkasy, Rivne, and Vinnytsia regions of Ukraine, arresting the 32-year-old alleged ringleader and four of his accomplices on suspicion of ransomware activity using LockerGoga, MegaCortex, HIVE, and Dharma. This takedown built on information seized during the 2021 raids, according to Ukrainian police. Judging from the information in a Europol press release, the suspects’ tactics align with those of the Fin6 group, according to Mandiant’s Kim Goody. A Ukrainian police-provided video of the raids showed a person climbing up to the roof and giving the middle finger to the drone that was filming overhead.
On November 29, 2023 an XSS underground forum user nicknamed “Cobalt_bomb” claimed to be the person who had given the middle finger during the November 2021 raid. He added, “these assholes have been searching my apartment for the third year since 2021.” He claimed that the raid had failed to nab the perpetrators of the Norsk Hydro attack. He indicated that he himself remained under house arrest.
On December 1, 2023, “Cobalt_bomb” added the claim that he lives in the apartment of pro-Russian former Ukrainian president Viktor Yanukovych, who had fled to Russia in 2014. “Cobalt_bomb” claimed that even though the Ukrainian law enforcement officers let him remain under house arrest, they had searched his apartment multiple times and seized nine of his computers.
More details of the interrogation of “Cobalt_bomb” appear in a posting that the Russian-language Telegram channel “Meme Scam” excerpted on February 7 2024. According to the excerpts, “Cobalt_bomb” said the Ukrainian law enforcement officers treated him politely. The Strategic Investigations Department of the Ukrainian National Police did hold him in a basement for eight hours, handcuffed to a radiator, and did “steal” $15,000 from his computers, he said, but “they didn’t kick or hit me or starve me.” However, he says they did ask him to “gift” them one of his computers worth $35,000.
“Cobalt_bomb” also boasted that, ten years previously, he had helped the famed Ukrainian cybercriminal Oleksandr Ieremenko -- who appears on the US Secret Service’s Most-Wanted list -- get started in the cybercrime business. If “Cobalt_bomb” is indeed the figure in the bathrobe in the screenshots below, he looks old enough to have been a well-established cybercriminal by the mid-2010s.
It is unclear which, if any, of “Cobalt_bomb”’s boasts are true. It is also unclear whether these well-publicized Joint Investigation Team raids of 2021 and 2023 are integrated with the “kaktys” case mentioned above. In the most recent development in that case, on February 21 2024 a Kyiv judge denied the latest appeal for return of the real estate assets frozen in November 2021. The judge said the assets were still needed for the investigation, whose deadline had been extended to May 21, 2024.
The international investigators are likely studying these postings and others for further clues on the LockerGoga criminals who attacked NorskHydro in 2019. Any future indictments or trials that ensue will provide the public with a better understanding of the ecosystem of “hybrid ransomware.”
[1] Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — focusing on their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty,” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context.
“Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware operations of 2021 in the context of this political culture and international tensions of that year.
[2] As a reminder, the latest version of Healey’s spectrum reads as follows:
State-prohibited: The national government will help stop the third-party attack
State-prohibited-but-inadequate: The national government is cooperative but unable to stop the third-party attack
State-ignored: The national government knows about the third-party attacks but is unwilling to take any official action
State-encouraged: Third parties control and conduct the attack, but the national government encourages them as a matter of policy
State-shaped: Third parties control and conduct the attack, but the state provides some support
State-coordinated: The national government coordinates third-party attackers such as by “suggesting” operational details
State-ordered: The national government directs third-party proxies to conduct the attack on its behalf
State-rogue-conducted: Out-of-control elements of cyber forces of the national government conduct the attack
State-executed: The national government conducts the attack using cyber forces under its direct control
State-integrated: The national government attacks using integrated third-party proxies and government cyber forces
[3] One publicly available quote from Prodaft along these lines comes from a hacking “manual” by the Russian cybercriminal Bassterlord. In it, Bassterlord warned other criminals to be careful of messing with Western military targets: “do not enter there, since no one needs a Colonial Pipeline #2!” This implies that cybercriminals know they can get in trouble for risky, potentially escalatory activities. Similarly, in a March 2021 interview, then-REvil group leader UNKN said some REvil affiliates “have access to a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory. It is quite feasible to start a war. But it's not worth it—the consequences are not profitable.” US officials subsequently revealed Bassterlord’s identity to be Ivan Gennadievich Kondratiev. He reportedly has ties to LockBit, REvil, RansomEXX and Avaddon ransomware groups.
Media have cited political statements by members of Qilin, the Russian-speaking ransomware actors who caused the NHS meltdown. Qilin actors reportedly said, “All our attacks are not accidental. We choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country.” The Qilin actors added, “The politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfil their promises”; it is unclear to what promises they are referring, but elsewhere Qilin has criticized the UK government’s support for Ukraine.
[4] The inews author made this problematic claim: “Until this month, attacks on other nation’s healthcare services which could potentially lead to casualties were seen as ‘off limits’ by the Kremlin,” and the NHS incident “represents a loosening of the reins.” However, he neglects to mention a massive Conti ransomware attack on the Irish Health Service (HSE) in May 2021; even though Conti actors did eventually provide a decryptor for the bricked-up HSE systems, they still threatened to release or sell the data if HSE did not pay nearly $20 million in ransom. In this and many other examples, Russia-origin ransomware actors showed little restraint in attacking nationally significant health services.
[5] In the Ryuk incident, state officials said they did not even look at the ransom note, much less pay.
[6] The US Treasury phrases it this way in a February 9, 2023 sanctions document: “Current members of the Trickbot Group are associated with Russian Intelligence Services. The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.”
[7] Norway had begun accusing Russia of GPS jamming already in November 2018 (https://tvzvezda[.]ru/news/forces/content/201903141936-6dan.htm).
[8] The NorskHydro incident occurred amid negotiations over the fate of Norwegian citizen Frode Berg, imprisoned in Russia since December 2017 on charges of spying for Norway about Russian military operations in the Arctic. Weeks after the NorskHydro attack, Norwegian Prime Minister Erna Solberg went through with a previously planned visit to St. Petersburg and meeting with Putin as part of the International Arctic forum on April 9 2019. Russian state media stressed that Solberg had expressed the desire to continue dialogue (https://arctic[.]ru/news/20190401/833156.html) and predicted that they were likely to discuss the Frode Berg case. A week after their meeting, Berg received a 14-year sentence in a closed-door trial, but his lawyers expressed hope he would be free sooner. They likely knew that negotiations over a prisoner exchange were ongoing, but that Russia pardons prisoners only after sentencing them. After some court delays, in November 2019 Frode Berg was pardoned and freed as part of a three-country spy swap. For Frode Berg’s role in Russian information operations in Norway, see the recent New Yorker report.
[9] An example of Russian state appropriation of criminal infrastructure appeared in a January 15 2023 US Justice Department announcement that said hackers from Russia’s GRU military intelligence service relied on the Moobot criminal group to install malware, and “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”
[10] EKANS appeared to go beyond ordinary malware by encrypting parts of victim systems associated with the industrial control software itself. However, as mentioned above, Slowik dismissed reports that viewed Ekans as state-linked.
[11] Crowdstrike pointed to the similarities between LockerGoga and Ryuk. However, TrendMicro wrote, “LockerGoga doesn’t appear to have direct links to the Ryuk ransomware. For example, LockerGoga lacks certain routines that Ryuk has, such as network propagation and information theft.” TrendMicro provides a side-by-side comparison between LockerGoga and Ryuk.