
Does All Ransomware Come From Russian Cybercriminal Groups?

July 13, 2021

We frequently work with businesses, healthcare organizations, and other enterprises that have fallen victim to ransomware. Many of these cases are recoverable: while the most well-known ransomware variants are generally well designed, some contain implementation flaws (in key generation, key handling, or the encryption routine itself) that can be exploited to restore data to its original condition without paying a ransom.

However, the recent wave of headline-capturing ransomware variants is exceptionally robust. In many instances, victims have no alternative but to pay the ransom. Brute-forcing a correctly implemented modern cipher is infeasible in practice (months at best, hundreds of years in most cases), and by definition, mission-critical systems cannot stay offline for extended lengths of time.

Newspapers often cite the Russian origins of major ransomware attacks, which has led to a misconception that all ransomware comes from Russia-based cybercriminal groups. This isn't the case; ransomware can (and does) come from everywhere, but the most successful operators are frequently based in Russian-speaking countries.

Evidence for Russian-Speaking Origins in Recent Cyberattacks

In February 2017, security firm Kaspersky estimated that 75 percent of ransomware comes from Russian-speaking sources. That doesn't necessarily mean that all of the attackers are Russian-speaking, however. Under the ransomware-as-a-service model, the developers who write the ransomware are often separate from the people who carry out the attacks: this second group acts as "affiliates," breaking into networks, deploying the ransomware, and collecting the ransom in exchange for a share of it. There's not enough hard data to conclude that the actual programmers are more likely to be Russian-speaking than, say, Chinese-speaking.

With that said, many of the most significant ransomware attacks have been traced to Russian speakers. We use the phrase "Russian speaker" rather than "Russia" because language can be inferred from artifacts such as code comments, forum activity, and the locale checks described below, while confirming nationality is far harder. There is also no current evidence that any nation's government is actively involved in ransomware distribution, with the notable exception of North Korea's military hacker groups.

Some newsworthy examples of ransomware attacks with Russian-speaking origins:

  • On July 7, 2021, a report from Trustwave SpiderLabs showed that the REvil ransomware, operated by Russian-speaking hackers, checks the system's default language settings and deliberately avoids encrypting systems configured with languages from the former USSR region.
  • DarkSide, the Russian-speaking group that attacked Colonial Pipeline in May 2021, used ransomware written to avoid computers in Russia and former Soviet satellite countries in the same way.
  • On May 14, 2021, Ireland's health service (the HSE) suffered a significant ransomware attack attributed to Wizard Spider, a cybercriminal group believed to be based in St. Petersburg, Russia.

Most cyberattacks don't make the news; each of the ransomware attacks listed above falls into the "big game hunting" category, in which a single high-value target is selected and attacked. These attacks can be remarkably sophisticated. In some cases, the attackers maintain access to the network for weeks or months before deploying the ransomware, using that time to locate and destroy or encrypt backups so the target cannot recover from them. Smaller ransomware attacks are opportunistic: the same payload is sprayed at hundreds of potential victims through phishing emails or exposed services. These types of attacks are more likely to be recoverable.

Preventing Ransomware Infection (And Recovering from Ransomware)

We can't say with certainty why so many major attacks come from Russian-speaking countries, but some news outlets attribute it to Russia's lax enforcement of cybercrime laws against groups that avoid domestic targets, which has made the practice quasi-legal there. It's also possible that some malware groups imitate well-known Russian groups (for instance, by adding the same locale checks) to hide their identities more effectively.

Regardless of origin, a ransomware attack can be crippling for a business. While every enterprise should enact a robust program to prevent infection, here are some quick tips for limiting vulnerabilities:

  • Limit peripheral access to all backup systems. This includes optical media (CDs/DVDs), external hard drives, and flash drives. Enforce removable-media restrictions through device-control policy, and consider physical USB port locks where policy cannot be applied.
  • Keep an air-gapped backup of important data. All mission-critical data should be duplicated and stored off-network, so that an attacker who controls the production network cannot reach it. Wherever possible, keep mission-critical backups offsite as well.
  • Educate employees. Many ransomware attacks begin with email. Train personnel to recognize phishing, and back that training up with technical controls such as attachment filtering and blocking of macro-enabled documents from the internet.
  • Isolate systems wherever possible. Segmenting the network and limiting which accounts and hosts can reach important IT infrastructure is one of the most effective ways to contain an intrusion before it becomes a successful attack.
  • Check backups regularly. A backup that has never been restored is not a backup. Verify backup integrity on a schedule, perform test restores, and have a disaster recovery plan: run simulation scenarios and determine whether your current practices are robust enough for a real infection.

Finally, if a cyberattack occurs, don't panic. Isolate all affected systems from the network immediately. Where you can, disconnect rather than power off: volatile memory may hold forensic evidence, and occasionally the encryption keys themselves, that responders can use. Do not attempt to restore from backups until you have verified that the backup media has not been reached and encrypted as well, and that the restore cannot reintroduce the infection.
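The two backup rules above (verify backups on a schedule; never restore a set that may have been tampered with) can be made mechanical. The following is an added example, not the article's or any vendor's tool: it records a SHA-256 manifest of a backup tree while the set is known good, authenticates the manifest with an HMAC whose key is assumed to live off the backup host, and refuses to bless a set in which files have changed, vanished, or appeared. The directory layout, file names, and key are constructed for the demonstration.

```python
"""Keyed SHA-256 manifest for a backup set: write it when the set is known good,
verify it before any restore. Added illustration, not the article's code. It
assumes the backup is a directory tree and the HMAC key is kept off the backup
host; every path, file name and key value below is hypothetical."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large backup images stay out of RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files: dict, key: bytes) -> str:
    # HMAC over the canonical JSON: an attacker who can rewrite the backup
    # cannot also rewrite the manifest to match without the key.
    payload = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_manifest(root: Path, manifest_path: Path, key: bytes) -> dict:
    files = build_manifest(root)
    manifest_path.write_text(json.dumps({"files": files, "hmac": _tag(files, key)}))
    return files


def verify_backup(root: Path, manifest_path: Path, key: bytes) -> dict:
    """Return discrepancies vs. the manifest; raise if the manifest was altered."""
    doc = json.loads(manifest_path.read_text())
    expected = doc["files"]
    if not hmac.compare_digest(doc["hmac"], _tag(expected, key)):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    actual = build_manifest(root)
    return {
        "modified": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in actual),
        "added": sorted(f for f in actual if f not in expected),
    }


def safe_to_restore(report: dict) -> bool:
    """Restore only a set that matches its known-good manifest exactly."""
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario: verify a clean set, then one that a simulated
    ransomware run damaged (one file overwritten with random bytes, a note
    dropped), then a manifest forged without the key.
    Returns (clean_report, dirty_report, forgery_caught)."""
    key = b"constructed-demo-key-the-real-one-stays-offline"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "backup")
        (root / "db").mkdir(parents=True)
        (root / "db" / "patients.sql").write_bytes(b"CREATE TABLE patients (id INT);\n")
        (root / "config.ini").write_bytes(b"[server]\nport=443\n")
        manifest = Path(tmp, "backup.manifest.json")
        write_manifest(root, manifest, key)
        clean = verify_backup(root, manifest, key)

        (root / "db" / "patients.sql").write_bytes(os.urandom(64))  # "encrypted"
        (root / "README_TO_RESTORE.txt").write_bytes(b"pay us\n")  # ransom note
        dirty = verify_backup(root, manifest, key)

        # Attacker rewrites the manifest to match the damaged set but lacks the key.
        forged = {"files": build_manifest(root), "hmac": "0" * 64}
        manifest.write_text(json.dumps(forged))
        try:
            verify_backup(root, manifest, key)
            caught = False
        except ValueError:
            caught = True
    return clean, dirty, caught


if __name__ == "__main__":
    clean, dirty, caught = demo()
    print("clean set safe to restore:", safe_to_restore(clean))
    print("damaged set safe to restore:", safe_to_restore(dirty), dirty)
    print("forged manifest detected:", caught)
```

Run the verification from a host that is not the backup target, with the key read from a hardware token or a separate secrets store, so that an attacker who has encrypted the backup volume cannot simply regenerate the manifest. A file that ransomware renamed rather than overwrote shows up as one "missing" plus one "added" entry; either way the report is non-empty and the set is not restored.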

The safest course of action is to contact an experienced ransomware recovery firm. For a free consultation, call 1-800-237-4200 and ask to speak with a malware expert.