Russia's War Further Complicates Cybercrime Ransom Payments
Feds Issue a Reminder That Ransomware Victims May Violate Sanctions If They Pay
What are the ethics of paying a ransom to a cybercrime syndicate that might be working as a proxy cyber force in support of the Russian government's war with Ukraine?
Ethically, paying a ransom has never been the right move, since it directly funds criminals, perpetuates their business model, funds future research and development efforts, and drives new criminals to join the fray.
Realistically, however, whether to pay often comes down to a business decision. If restoring from backups, finding a workaround or some other measure fails, and the choice comes down to negotiating a ransom or going out of business, many CEOs have no real choice at all, except perhaps over whom they hire to conduct the negotiations.
Legally speaking, many governments - including the U.S. and U.K. - do not prohibit the paying of ransoms, except to sanctioned organizations or individuals. But financial services firms, digital forensics and incident response companies, as well as cyber insurance firms, must also comply with "know your customer" and anti-money laundering regulations. These rules require them to file suspicious activity reports if they think they may have handled any proceeds from a ransomware attack.
Russia's invasion of Ukraine, however, further complicates the optics of paying money to ransomware-wielding criminals, who by and large are based in Russia or have ties to Russia-based crime operations. Blockchain analysis firm Chainalysis says $400 million in known ransom payments flowed to Russia last year, comprising 74% of all known ransomware revenue.
One long-standing rule of the Russian cybercrime scene is that criminals who want to stay out of jail will do favors for domestic law enforcement and intelligence services. Hence it's possible that current and future ransomware attacks, especially against critical infrastructure, may have been ordered by the state, using ransomware gangs as cutouts. Arguably, the impetus to not pay a ransom has never been greater.
In addition, the U.S. Treasury Department's Office of Foreign Assets Control, or OFAC, has issued further sanctions on Russian individuals and organizations, including President Vladimir Putin, following Russia's invasion of Ukraine. Anyone who pays or facilitates a payment to a sanctioned individual or organization - without first seeking U.S. government approval, which would not necessarily be granted - may face financial or criminal penalties.
Will the War Help or Hurt Payments?
Putin continues to be pilloried by the leaders of Western governments for ordering the invasion of Ukraine and for his military hitting numerous civilian targets, including schools and hospitals. On March 2, the UN General Assembly passed a resolution demanding that Russia "immediately, completely and unconditionally withdraw all of its military forces from the territory of Ukraine within its internationally recognized borders."
For anyone who falls victim to attackers wielding ransomware - most of which, again, traces to cybercrime gangs based in Russia - one open question is whether they might be more or less likely to pay up, given the war.
"The sanctions will pose challenges in their extortion or payment scheme," says John Fokker, head of cyber investigations and principal engineer at cybersecurity firm Trellix. "I can imagine that negotiation companies will refuse to negotiate when dealing with a Russia-based ransomware group."
Brett Callow, a threat analyst at Emsisoft, a security firm headquartered in New Zealand that helps organizations recover from ransomware, says that "it's possible we'll actually see less ransomware as a result of the war," in part because Ukrainians were key members of many ransomware groups. But he doesn't think the conflict itself will have much impact on victims' propensity to pay or not to pay a ransom.
"The decision about whether or not to pay a ransom demand is typically made on the basis of a cost-benefit analysis," he says. "While the PR aspect of being seen to be funneling money to Russia-based gangs would likely be factored into the decision-making process, I'm not sure it would be likely to affect the outcome in too many cases. I suspect the potential insurance implications - if there are any, that is - of paying a group that has publicly sided with Russia would be likely to influence the decision more."
Leak Means Karma for Conti
Complicating the ransomware-payment picture: At least one ransomware operation has been clear in its support of Putin. In a now-deleted post published shortly after the invasion began on Feb. 24, Conti said it was "announcing a full support of Russian government" and promised reprisals against "critical infrastructures" of anyone who attempted to target Russia online.
In response, an anonymous Ukrainian security researcher who gained access to Conti's Jabber logs and source code began leaking both. "Ukraine will rise!" read a tweet with a link to some of the leaks posted by @contileaks.
The voluminous Russian-language logs, over which security firms continue to pore, have revealed details of the group's operations, concerns and other minutiae. Some security experts hoped the leak might scuttle Conti's brand, forcing it to take time to rebrand and regroup - for example, as DarkSide did after its disastrous May 2021 attack on Colonial Pipeline. The group rebooted as BlackMatter, and latterly as Alphv/BlackCat.
So far, however, Conti's leadership - codenamed Wizard Spider by cybersecurity firm CrowdStrike - appears to be sticking with its brand.
Potential Russian Sanctions Evasion
U.S. authorities, meanwhile, have warned that sanctioned Russian and Belarusian entities may be actively attempting to bypass sanctions.
Specifically, the U.S. Treasury's Financial Crimes Enforcement Network, aka FinCEN, has issued a new alert warning of the need for "increased vigilance for potential Russian sanctions evasion attempts."
The alert details multiple tactics, or red flags, that customers of what it calls money services businesses might use to try and evade sanctions, including via convertible virtual currency, aka CVC, FinCEN's term for Bitcoin, Monero and other cryptocurrencies.
"FinCEN reminds financial institutions about the dangers posed by Russian-related ransomware campaigns," the latest alert states, noting that regulated organizations should be tracking "Russian and other ransomware and cybercrime activities for a range of indicators to help detect, prevent, and report potential suspicious activity."
"Several of those red flags apply to cryptocurrency businesses specifically, which is important considering Russia's high degree of cryptocurrency adoption and concerns about the potential for designated individuals and entities to use cryptocurrency to evade sanctions," Chainalysis says.
The latest red flags for ransomware contained in the FinCEN alert are:
- Obfuscation: "A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction."
- Mixing: "A customer initiates a transfer of funds involving a CVC mixing service."
- Ransomware: "A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware."
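The three red flags above are detection heuristics a regulated exchange or money services business would run over its own transaction ledger. As an added illustration, not FinCEN's guidance text or any vendor's product, here is a toy screener that applies them to a constructed ledger. The transaction records, wallet labels (mixer, ransomware wallet, one-hop intermediary), time window and trade-count thresholds are all assumptions for illustration; in practice the labels come from blockchain-tracing software, and the thresholds are tuned per institution.

```python
"""Toy FinCEN red-flag screener over a constructed CVC transaction ledger.

Added example, not code from the article or from FinCEN. Labels, thresholds
and sample transactions are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    ts: int            # seconds since epoch (constructed values)
    customer: str
    kind: str          # "deposit", "trade" or "withdrawal"
    asset_in: str
    asset_out: str
    counterparty: str  # external wallet/service label; "" for on-platform trades


# Constructed stand-ins for what blockchain-tracing software would supply.
MIXER_LABELS = {"mixer-a"}
RANSOMWARE_LABELS = {"ransomware-wallet-1"}
# Indirect exposure: wallets that themselves received from a ransomware wallet.
ONE_HOP_FROM_RANSOMWARE = {"intermediate-7": "ransomware-wallet-1"}


def obfuscation_flags(txs, window_s=600, min_trades=3):
    """Red flag 1: deposit from an external wallet, then rapid trades across
    several CVCs within window_s, then a withdrawal off the platform."""
    by_customer = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        by_customer[tx.customer].append(tx)
    flagged = set()
    for cust, seq in by_customer.items():
        for i, dep in enumerate(seq):
            if dep.kind != "deposit":
                continue
            later = [t for t in seq[i + 1:] if t.ts - dep.ts <= window_s]
            trades = [t for t in later if t.kind == "trade"]
            assets = {t.asset_in for t in trades} | {t.asset_out for t in trades}
            withdrew = any(t.kind == "withdrawal" for t in later)
            if len(trades) >= min_trades and len(assets) >= 3 and withdrew:
                flagged.add(cust)
    return flagged


def mixing_flags(txs):
    """Red flag 2: any transfer whose counterparty is a known mixing service."""
    return {tx.customer for tx in txs if tx.counterparty in MIXER_LABELS}


def ransomware_exposure_flags(txs):
    """Red flag 3: direct or indirect (one hop, constructed) receiving exposure."""
    out = {}
    for tx in txs:
        if tx.kind != "deposit":
            continue
        if tx.counterparty in RANSOMWARE_LABELS:
            out[tx.customer] = "direct"          # direct always wins
        elif tx.counterparty in ONE_HOP_FROM_RANSOMWARE and tx.customer not in out:
            out[tx.customer] = "indirect"
    return out


def screen(txs):
    """Combine the three red flags into a per-customer report for SAR review."""
    report = defaultdict(list)
    for c in sorted(obfuscation_flags(txs)):
        report[c].append("obfuscation")
    for c in sorted(mixing_flags(txs)):
        report[c].append("mixing")
    for c, how in ransomware_exposure_flags(txs).items():
        report[c].append(f"ransomware-exposure:{how}")
    return dict(report)


# Constructed ledger: cust-1 launders a direct ransomware deposit through rapid
# swaps; cust-2 takes one-hop tainted funds and sends them to a mixer; cust-3 is benign.
SAMPLE_LEDGER = [
    Tx(1000, "cust-1", "deposit", "BTC", "BTC", "ransomware-wallet-1"),
    Tx(1030, "cust-1", "trade", "BTC", "ETH", ""),
    Tx(1060, "cust-1", "trade", "ETH", "XMR", ""),
    Tx(1090, "cust-1", "trade", "XMR", "USDT", ""),
    Tx(1120, "cust-1", "withdrawal", "USDT", "USDT", "external-wallet-9"),
    Tx(2000, "cust-2", "deposit", "BTC", "BTC", "intermediate-7"),
    Tx(2500, "cust-2", "withdrawal", "BTC", "BTC", "mixer-a"),
    Tx(3000, "cust-3", "deposit", "BTC", "BTC", "exchange-x"),
    Tx(3100, "cust-3", "trade", "BTC", "ETH", ""),
    Tx(90000, "cust-3", "withdrawal", "ETH", "ETH", "external-wallet-2"),
]

if __name__ == "__main__":
    for customer, flags in screen(SAMPLE_LEDGER).items():
        print(customer, flags)
```

Note that the obfuscation heuristic is deliberately narrow: it looks for the specific deposit, rapid multi-asset swaps, withdrawal sequence in the alert, so a single swap or a withdrawal a day later (cust-3) is not flagged. A real program would tune the window and trade count against its own false-positive rate and feed matches into SAR review rather than acting on them automatically.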
Sanctioned Russian ransomware operators such as Evil Corp have previously appeared to attempt sanctions evasion. Evil Corp, for example, disguised its WastedLocker ransomware as the rival ransomware PayloadBin, likely to trick victims into violating OFAC sanctions (see: Evil by a Different Name: Crime Gang Rebrands Ransomware).
Despite such sanctions, Chainalysis reports that 7% of all known ransom payments last year still flowed to Evil Corp.
Ransom Payments in General: Not Banned
OFAC does not ban ransom payments, provided that they do not violate sanctions, says Ari Redbord, head of legal and government affairs at blockchain analysis firm TRM Labs. "What I think that OFAC would say today around sanctions is: Hey, look, we don't want you to pay a ransom, but it is a critical business decision that you need to make. You need to work closely with law enforcement. You need to advise law enforcement at the earliest possible time. And then you need to ensure that you are not opening yourself up to sanctions exposure," he says.
He also says FinCEN continues to emphasize that private-sector organizations "are the victims in these ransomware attacks," as it seeks to work with them to get better information and intelligence to help it track ransomware operations (see: Ransomware: Would Banning Ransom Payments Mitigate Threat?).
When Secrets Escape
Many ransomware groups now practice double extortion, meaning that if a victim doesn't quickly pay the ransom demand - a quick, quiet payment remains attackers' preference, because it makes their attacks more difficult to track - then the gang will escalate. Typically, this involves the gang first listing the victim on its data leak site, then posting extracts of stolen data, if it has any, to increase the pressure to pay.
But funneling money to Russian criminals looks especially bad as Ukraine publicizes Moscow-ordered airstrikes against maternity wards, civilian casualties, and the mining and shelling of civilian escape routes.
Some victims will pay quickly precisely to try and avoid criminals listing them on a data leak site. By paying quickly, they hope to keep the ransomware attack and potential data breach secret.
But secrets have a way of escaping, as demonstrated by the aforementioned chat logs from Conti's ransomware operation that leaked.
"Victims that have paid the ransom but didn't report the breach have now been exposed via the chat leaks," Fokker says. "I guess even your ransomware skeletons come out of the closet sooner or later."