How Conflict in Ukraine Could Revolutionize the Ransomware Threat


As the situation in Ukraine develops, we face deep uncertainty. For perhaps the first time we are watching a modern war unfold in a highly connected society, where actions and reactions are played out for the world to watch via TikTok, Facebook, and Reddit.

The combat, too, is different. Tanks and troops remain the cutting edge; however, cyber operations make up an increasing part of a holistic offensive, with reports of phishing emails flooding both Ukraine’s military personnel and its citizens, and Distributed Denial of Service (DDoS) attacks overwhelming websites to damage the morale and response capability of the victims.

Russia has said it “has never conducted and does not conduct any ‘malicious’ operations in cyberspace.” The evidence, however, is plain to see: local threat actors such as the Conti group have stated their active support for the Russian mission, threatening repercussions for any cyber intervention. Similarly, Mykhailo Fedorov, the vice prime minister of Ukraine, announced the formation of an “IT army” and provided a list of priority targets, including Russian government and business websites.

Alongside this cyber conflict sit the more visible financial sanctions, another weapon of the front-line conflict, applied globally against the Russian aggressors. There is a distinct possibility that both confrontations, cyber and sanctions, will continue far past the resolution of any land war, and that prospect could turn the threat landscape on its head.

A Threat Landscape Transformed in the Wake of Russian Aggression

To date, Western governments have tolerated cyber-attacks, worrying about the repercussions of ‘hacking back’ and seemingly unwilling to launch a major offensive in cyberspace. Now that battle lines are so clearly drawn, there is the potential for nation-state cyber offensives to become more overt and a common part of daily life.

We can hope that these attacks remain purely political, steering clear of normal life. However, the prevalence of Ransomware as a Service, and the recent track record of increasing numbers of attacks on hospitals, transport hubs, and water plants, suggest that attacks on critical national infrastructure (CNI) are certainly within scope, potentially forcing Western countries to learn to live with power blackouts, transport delays, and financial system failures.

Perhaps most likely, however, is the policy change that must surely occur regarding ransomware. Governments have tolerated significant payments being made to Russian threat actors to enable businesses to recover and operate, such as JBS Foods, which paid $11 million to REvil, and Colonial Pipeline, paying $4.4 million to Darkside. When those funds are likely flowing into a clearly hostile jurisdiction—one incentivized to turn to illegal methods to bypass financial sanctions—the Western governments must draw a legislative line.

Organizations that have thus far paid lip service to cybersecurity have a very short period to change their attitude. This conflict has the very real potential to escalate the frequency and sophistication of digital attacks while also removing the possibility of simply using cash, or insurance, to buy one’s way out of a breach. Cyber resilience will become as imperative to an organization as their balance sheet—as they become increasingly interrelated—and we can expect to see government action reinforce this prioritization across businesses.

What then for the threat actors? If firms stop paying ransoms and enhance both their resilience and tolerance for disruption, where will they find their rewards? Perhaps in directly targeting the large pools of digital currency sitting in multiple online crypto platforms, or possibly turning their attention away from businesses and back to individual users, replacing one $10 million attack with ten thousand $1,000 attacks?

Time To Shore Up Cybersecurity Defenses

Right now, CISOs have their hands full contemplating how to deal with their existing Russian facilities and infrastructure, while nervously looking to the horizon to see whether any military cyberattack will spill over into the corporate domain. Many have created, or are frantically preparing, multi-level fallback plans to protect their core value proposition, identifying the different positions and controls they can adopt to progressively isolate themselves from any global threat while still operating core services.

Any attack, when it arrives, is unlikely to break entirely new ground. The commonsense controls we have applied for years are still relevant; however, it is now essential that they are applied with much greater efficacy than ever before. Patching, backups, awareness training, phishing prevention, threat hunting, and incident response rehearsals are all part of the core cyber hygiene that we should be implementing. As with COVID, we were all accustomed to washing our hands, but it was only when we did it with alarming regularity that it became truly effective.