Over the years, Russia and an ecosystem of Russian-language speakers have been at the heart of all types of cyberattacks, nation-state attacks, and cyber warfare. It is a criminal underground that is constantly evolving and shifting.
"Many associated actors were once heavily focused on campaigns targeting banking credentials and generating fraudulent financial transfers and transactions, eventually shifting toward payment card fraud and the use of PoS malware," says Jeremy Kennelly, senior manager and principal analyst at Mandiant.
More recently, ransomware campaigns have been the attack method of choice among Russian-speaking cybercrime rings. The reason is simple: Ransomware and data theft/extortion operations are successful across every industry vertical. In the past, the best financial opportunities for cybercriminals were found in point-of-sale (PoS) systems, which limited the target to those industries that rely on credit card transactions, according to Kennelly. Ransomware broadens the horizons, as it can be used in education, healthcare, and manufacturing, for example.
Russian Cybercrime Unity Wavers
Compared with the English-language cybercriminal scene, the Russian-language cybercriminal scene has been remarkably stable over the past decade or so. English-language cybercrime tends to be chaotic, with sites and crime rings appearing, then disappearing and returning. On the other hand, the Russian-speaking cybercrime groups established early in the 21st century continue to thrive, using the same popular forums and sites continuously.
Yet there could be a crack forming in the Russian cybercrime edifice. Last year saw some uncharacteristic friction between cybercrime organizations in the Russian-language scene, much of which can be attributed to increased law enforcement activity, particularly between Russian and U.S. officials. The cracks become apparent when looking at the Colonial Pipeline attacks, which was conducted by ransomware group DarkSide, believed to be created by former associates of the REvil group.
"Russia has long been perceived as a relative safe haven for cybercriminals to operate in, as long as they don't target Russian entities. The FSB's (Federal Security Service) activity challenges this notion. It is realistically possible that prolific ransomware groups may feel compelled to scale back their activities to avoid the ire of the FSB," the Photon Research Team at digital risk protection shop Digital Shadows reports. "The raids on REvil members demonstrate that any relationship between cybercriminals and the Russian state is more one-sided than some cybercriminals may have thought."
Another major development in 2021, according to the Photon Research Team, was changing attitudes toward ransomware partnership programs on certain high-profile Russian-language cybercriminal forums. Paranoia grew in the aftermath of the Colonial Pipeline attacks, which were coordinated by members of the REvil and DarkSide ransomware groups. The Photon Research Team claims law enforcement crackdowns pressured cybercrime forum leaders to limit ransomware-related activities.
Sino-Russian Relations Warm Up
With the changes in ransomware partner programs, a new Russian-language cybercriminal ransomware forum was created — Ransom Anon Market Place, known as RAMP (not to be confused with the drug marketplace of a similar name). Its role was to offer ransomware-as-a-service to its clients, but after the forum's original creator left, RAMP took on new life, turning it into a gathering space for Chinese-language cybercriminals to collaborate with Russian speakers.
"Cybercrime is often global, launched from across the world by groups that are less concerned with geographical barriers and more with monetary outcomes," explains Andrew Barratt, vice president of technology and enterprise at cybersecurity consultancy Coalfire. Russian crime operatives are more interested in their financial end goals, and that may mean working in partnerships with other cybercrime groups to reach the desired outcome. And other countries want to work with Russia because historically Russian-speaking crime rings have support and protection from the Kremlin.
Almost all cybercrime has one goal: financial rewards.
"Cybercrime emanating from Russia and Eastern Europe is no exception to the rule that successful business models see their owners double down on successes and reinvest earnings in continuing innovation and improved efficiency," says Casey Ellis, founder and CTO at IT security firm Bugcrowd.
With the rebranding of ransomware groups, Russian-language crime groups have shifted toward working more cooperatively with other regional or nation-sponsored groups. In the wake of the Russian government crackdown, Russian-language threat actors also may consider relocating to China, where there is less fear of government retribution. If Russian-language and Chinese-language cybercriminals join forces, it could create a new superpower, speculates Adam Segal of the nonprofit US think tank Council on Foreign Relations.
But that hasn't happened yet. Ransomware-based crime is still where the cybercrime ecosystem is most successful, and it likely will stay that way for at least the near future. However, because Russian-speaking cybercriminals are so sophisticated, they are always evolving. Organizations and governments worldwide must always be vigilant, prepared for the next move.