Coveware: Ransomware Recovery First Responders


How the Russian/Ukraine war may lead to an explosion in Ransomware attacks

Before the start of the Russia / Ukraine war, there had been steady, if fragile, progress in shrinking the scope of ransomware attacks. Law enforcement operations had been ramping up, with multiple arrests, disruptions and seizures. Even Russia had shown a glimmer of cooperation by arresting several high-profile members of a notorious ransomware group.

Since the invasion of Ukraine, these trends have been overwhelmed by new warnings of direct cyber attacks from Russian state actors and of targeted wiper attacks spilling out of the conflict. While these risks are very real, the socio-economic shock to the Russian economy as a result of sanctions presents a far larger long-term risk, and it has us at Coveware much more worried. The severity of the sanctions that continue to pile up has created an environment that could lead to an explosion in the number of people who turn to ransomware as a means to support themselves. The isolation that Russia now faces has the potential to create a perfect safe haven for cyber criminals. We have always viewed the drivers of ransomware to be socio-economic in nature, and with the war, the socio-economic variables are deteriorating rapidly. Let’s explore this by looking at the numbers.

How many people actually carry out ransomware attacks?

To understand how bad this problem may get, let's first try to understand how many actual cybercriminals carry out today’s ransomware attacks against enterprises. The recent Conti leaks can help us estimate the number of people globally involved in enterprise level ransomware attacks. By mapping out all the individual people identified in the Conti leaks, researchers identified roughly 62 individuals associated with the Conti group. For the sake of simplicity, let’s round this up to 100. Based on our Q4 market share estimates, the Conti group accounted for roughly 20% of attacks in Q4. This would imply that there are only ~500 or so individuals involved in enterprise level ransomware attacks across the entire ransomware industry. If we look at the FBI’s IC3 report, we see that Conti accounted for roughly 13% of attacks. This would imply there are about 770 individuals responsible for all enterprise attacks. For the sake of being conservative, let’s round this up to 1,000.

Underemployment and the Socio-Economic Drivers of Ransomware

In 2019, Jonathan Lusthaus (author of the must-read “Industry of Anonymity”) penned a New York Times op-ed in which he wrote: “Unfortunately, many of the economies in former Soviet countries cannot legitimately support the glut of technical talent produced by this high-quality education system…With limited opportunities, many highly capable Eastern Europeans are carving out careers in cybercrime.” This was written in 2019, well before the explosion in ransomware attacks that has plagued enterprises globally. Since then the problem has become substantially worse, which leads us to where we are now. The war and the resulting sanctions on Russia have the potential to dramatically change the socio-economic position of millions of Russian citizens.

The Effect of Sanctions on the Russian Economy and Unemployment

The severe sanctions that have been imposed on Russia are forecast to have a dramatic impact on the economy and employment. Russian unemployment before the conflict was quite low, at roughly 4.4%. Preliminary estimates forecast that the impact of the sanctions may lift Russian unemployment to 7% (a rise of 2.6 percentage points). So how might that affect the number of people who may turn to cyber crime in order to put food on the table? To estimate that, let's look at the ratio of cybersecurity workers to total population. In the table below, we chart the 5 largest cybersecurity workforces by nation against each country’s total population.

[Table: the 5 largest national cybersecurity workforces versus each country’s total population; not reproduced in this copy of the post.]

The average ratio of cybersecurity workers to total population across the top 5 nations is 0.41%. If we apply this ratio to Russia’s population of 144.1 million people, we can estimate that pre-war there were probably 590,000 cybersecurity workers legitimately employed in the Russian economy. If 2.6% of this population loses their jobs, that implies that roughly 15,000 STEM-educated, cybersecurity-trained professionals will be without a paycheck and at risk of joining the ransomware labor pool. The key question is: “How many newly unemployed, cybersecurity-trained people will actually become cyber criminals?” That is difficult to forecast, but we can create a benchmark and assess its reasonableness.

To demonstrate the impact of this, let’s go back to our original estimate of the current ransomware labor pool being just 1,000 individuals. Let’s label the current state of ransomware attacks as ‘bad.’ For things to be TWICE as bad, that would imply that the ransomware labor force doubles to 2,000, or 1,000 more people join. 1,000 new entrants out of an available pool of 15,000 is about 7%. So the question we can pose is, “Is it reasonable to assume that 7% of newly unemployed, cybersecurity trained Russian workers resort to ransomware?” Just a 7% conversion rate is all it would take to make the current problem twice as bad. It is also reasonable to assume that this conversion rate might climb if unemployment in Russia really gets out of control, and consumer staples truly become scarce (desperate people do desperate things). This would mean that both the size of the available labor pool would grow AND the proportion of the labor pool that tips into cybercrime expands. This would create non-linear growth in ransomware participants and the corresponding volume of attacks carried out. 
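The estimate above is a chain of a few multiplications, so it is easy to check and, more usefully, to stress. The model below is an added illustration, not Coveware's own model; it takes the figures quoted in this post (Conti headcount rounded to 100, 20% and 13% market shares, the 0.41% workforce ratio, a population of 144.1 million, a 2.6-point rise in unemployment) and wraps them in functions so the inputs can be varied. The `sweep` function goes one step beyond the post: it encodes the constructed assumption that the conversion rate itself rises with unemployment, which is what turns linear growth in the available pool into the non-linear growth in participants the post warns about. The slope used there is an assumption chosen for illustration, not a figure from the post.

```python
"""Back-of-envelope model of the ransomware labor pool under a sanctions shock.

Added illustration, not Coveware's model. Inputs are the figures quoted in the
post; the conversion-rate slope in sweep() is a constructed assumption.
"""
from dataclasses import dataclass


def labor_pool_from_group(group_headcount: int, group_share: float) -> float:
    """Scale one group's headcount by its share of attacks to estimate the
    headcount of the whole ransomware industry (100 people at 20% -> 500)."""
    if not 0 < group_share <= 1:
        raise ValueError("share must be in (0, 1]")
    return group_headcount / group_share


def displaced_cyber_workers(population: float, workforce_ratio: float,
                            unemployment_delta: float) -> float:
    """Cybersecurity workers expected to lose their jobs when unemployment
    rises by unemployment_delta. workforce_ratio is cybersecurity workers
    divided by total population (the post's 0.41% is 0.0041)."""
    return population * workforce_ratio * unemployment_delta


def conversion_rate_to_multiply(current_pool: float, displaced: float,
                                multiplier: float) -> float:
    """Share of displaced workers who would have to enter ransomware for the
    current pool to grow by `multiplier` (2.0 = 'twice as bad')."""
    needed_entrants = current_pool * (multiplier - 1)
    return needed_entrants / displaced


@dataclass
class Scenario:
    unemployment_delta: float  # e.g. 0.026 for a move from 4.4% to 7.0%
    conversion_rate: float     # share of displaced workers who turn to ransomware


def projected_pool(current_pool: float, population: float,
                   workforce_ratio: float, scenario: Scenario) -> float:
    """Current pool plus the new entrants a scenario produces."""
    displaced = displaced_cyber_workers(population, workforce_ratio,
                                        scenario.unemployment_delta)
    return current_pool + displaced * scenario.conversion_rate


def sweep(current_pool: float, population: float, workforce_ratio: float,
          deltas, base_conversion: float, conversion_slope: float):
    """Constructed assumption: conversion = base + slope * unemployment_delta.
    Since the displaced pool also scales with the delta, new entrants grow
    quadratically in it. Returns (delta, conversion, projected_pool) rows."""
    rows = []
    for delta in deltas:
        conversion = base_conversion + conversion_slope * delta
        pool = projected_pool(current_pool, population, workforce_ratio,
                              Scenario(delta, conversion))
        rows.append((delta, conversion, pool))
    return rows


if __name__ == "__main__":
    # Figures from the post.
    conti_headcount, population, ratio, delta = 100, 144.1e6, 0.0041, 0.026
    for share in (0.20, 0.13):
        print(f"industry headcount at {share:.0%} share: "
              f"{labor_pool_from_group(conti_headcount, share):,.0f}")
    displaced = displaced_cyber_workers(population, ratio, delta)
    print(f"displaced cybersecurity workers: {displaced:,.0f}")
    print(f"conversion needed to double a pool of 1,000: "
          f"{conversion_rate_to_multiply(1000, displaced, 2.0):.1%}")
    # Constructed sensitivity: conversion starts at 7% and climbs with unemployment.
    for d, conv, pool in sweep(1000, population, ratio, [delta, 2 * delta], 0.07, 2.0):
        print(f"delta={d:.3f} conversion={conv:.1%} projected pool={pool:,.0f}")
```

The sweep makes the post's non-linearity concrete: doubling the unemployment shock more than doubles the number of new entrants whenever the conversion rate climbs along with it, so any planning based on a fixed conversion rate will understate the downside case.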

It is worth noting, however, that the above scenario may not necessarily translate into an increase in targeted attacks against US critical infrastructure. Big game hunting gained popularity between 2019 and 2021 based on the notion that slightly more time, effort and technical expertise would yield higher ransom payments from large enterprises, versus the traditional static model of extorting a nominal fee across the board from small and mid-sized organizations. If a large influx of net new ransomware participants occurred, they may not adopt the big game economic model. While more individuals will be tempted to turn to cybercrime for a desperately needed source of income, the ransomware model that may prevail will rely on consistency and certainty of payments and far less on a few sporadic, inflated rewards. The enterprises most vulnerable to these efforts will likely fall within the small to midsize professional and financial services sectors, and we will likely see a decline in initial ransom demands as actors hope more palatable demands will lure victims into paying faster and without much pushback. The question looms large of what tactics and traits will mark this new cohort of extortionists.

This is what we worry about.