Defying expectations: Why did ransomware attacks dip in July-August 2022, despite aggressive Russian military doctrine?

By Paul Caron, Head of Cybersecurity, Americas at the intelligence and cyber consultancy S-RM

Russia has long been home to some of the most skilled hackers in the world. According to research conducted by Chainalysis, 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers. Their researchers revealed that more than $400 million worth of cryptocurrency payments went to groups “highly likely to be affiliated with Russia.”

However, following the outbreak of conflict in Ukraine, ransomware attacks across the globe decreased notably in July-August 2022, contrary to what many commentators expected. Russia’s cyberwarfare capabilities are a key aspect of the nation’s military doctrine and, although attacks on Ukrainian infrastructure did spike before the outbreak of conflict, the global decrease in ransomware attacks since then seems at odds with expectations that Russian-affiliated groups would seize the opportunity to disrupt Western companies.

Year on year, ransomware attacks in 2022 have increased, making this dip in the summer even more unusual. So what could be the cause?

Making life difficult for ransomware groups

There are a few factors at play in this scenario. Firstly, it’s worth noting that some established ransomware groups operating in the region were composed of both Russians and Ukrainians, so the conflict led to rifts within these groups, slowing activity. Well-known ransomware groups have even publicly announced their support for one side of the war, such as the Conti ransomware group, which stated its “full support of the Russian government”.

The waves of sanctions levied on Russia have also had an effect on the illicit financing and transaction infrastructure relied upon by these criminal groups. Traditionally, a ransomware payment would go from the affected party to a payments brokerage, then to an exchange, and finally to a cryptocurrency tumbler, from which it would be received by the threat actor. However, international scrutiny of these transactions has eroded many of these support structures, making it far more difficult for criminal groups to receive funds.

There are always ways around sanctions for enterprising criminals, but the secondary effect of this international scrutiny is greater difficulty in purchasing server space and the other critical infrastructure needed to amass the botnets that are essential to a large-scale attack. Again, this operational difficulty could well be responsible for slowing these ransomware groups over the short term.

In addition, and separate from the conflict itself, the volatility in Bitcoin seen this year has had a knock-on effect, as groups saw their funds and reserves suddenly plummet in value.

Lastly, the efforts of the cybersecurity sector and greater awareness amongst businesses are likely to have played a key role. As threat actors become more innovative in how they compromise organizations, companies are moving risk management up the agenda. We are seeing more companies adopting endpoint detection and response (EDR) approaches and investing in other managed services to protect their networks. This coincides with a decrease in major public vulnerabilities such as the Exchange ProxyShell or Log4Shell incidents that we witnessed in 2021.

What the future looks like

Variations in annual patterns and threat actors behaving against expectations are always vital to examine for our industry, as they provide the data through which we can predict, model and counteract future attacks. 

Looking ahead, it is predicted that traditional ransomware threat actor groups will resume operations and attacks towards the end of this year and return activity to the levels observed in 2021. 

The primary cause of this is simply that, as time passes, affiliates will become more and more disengaged from the conflict between Ukraine and Russia, and from the ideological anchors aligned with it. As a result, they will ultimately return to previous behaviors and seek to gain ground across the attack landscape to further bolster their profitability and activity.

However, given that the barrier to entry is so low for these affiliate groups, we would expect that international law enforcement can steal a march thanks to the dips in activity we saw in 2022. Any time these threat actors slow their development in the cyber arms race, it provides more time to predict their next steps and to aggressively target and capture these actors in the wake of their greed.

Whether attack rates are rising or falling, organizations need to be aware of their own vulnerabilities and utilize the best tools and practices to reduce their exposure. As geopolitical tensions heighten, it’s not beyond the realm of possibility that we eventually see the rise in state-sponsored attacks on businesses that we initially expected in February this year.

Paul Caron is S-RM’s Head of Cyber Security, Americas. Paul has over 20 years of experience spanning both the private and government sectors in roles across leadership, military intelligence and counterterrorism, and cyber security leadership and engagement delivery. Before joining S-RM, he was the Managing Director of Incident Response for a global consulting firm. In this role, he used his experience to help clients who were experiencing complex ransomware attacks.

After a career in the U.S. Army, where he was a subject matter specialist in various facets of the Intelligence and Special Operations fields, Paul joined PwC. At PwC, he was an engagement manager and focused on cybersecurity strategic transformation projects. He has significant experience advising Fortune 100 clients through proactive security transformation efforts and post-breach remediation activities. He has a strong track record of partnering with senior security leaders to mature their cybersecurity programs on their strategic journeys. 

Paul holds an MBA from Norwich University. He was in the first graduating class of the Norwich University Strategic Studies and Defence Analysis program. He is also the co-author of “Security Supervision and Management: Theory and Practice of Asset Protection.”
