A common question about the lacklustre Russian cyberwar so far is, why hasn't Putin unleashed the ransomware gangs? Why isn't there a massive wave of ransomware across Europe and America? There are two related issues here that need to be addressed on Putin and ransomware: (1) why would he? (2) why hasn't he? This post will address the second, "why hasn't he", leaving the first, "why would he", for a more substantive write-up.
So, why hasn't Putin sent his ransomware hounds swarming over European and American networks in an unbridled orgy of encryption, chaos and crypto? An important first step to answering this question is to understand where ransomware fits within the Russian state's cyber arsenal. And here is where I think we have collectively misjudged the dynamics between ransomware and the state. I am guilty of this myself. We have overestimated the state's control over the gangs, underestimated the gangs' greed and financial motivation, and misconstrued Putin's understanding of his strategic cyber assets.
How short the leash?
Ransomware gangs are loosely formed affinity groups united by a desire for money and a self-identity as cyber vory (from vor v zakone, "thief-in-law": a sort of fraternity with its own rules and regulations). The language spoken by the Russian underground is heavy with Fenya, basically Russian thieves' cant. The Russian cybercriminal underground styles itself as cyber-vory. Quietly, of course; they wouldn't want the real vory to hear them say that.
They aren’t really vory, but many do like to imagine they are. One of the core rules of the vory is to never do anything for the authorities. Now, I’m not suggesting these guys would actually follow the thieves code religiously. But they have no reason to meekly or voluntarily act as Russian government assets. Indeed, they have every reason to make performative shows of rejecting requests from the authorities.
How keen the dogs?
Nor will the groups go after Western networks on their own initiative. There are several reasons, starting with the obvious one: they want to make money. They are actually quite conservative about making money. They find something that works and do as much of it as they can. They don't want to deviate and possibly lose money (particularly to other ransomware groups!), and they do not want to give up their revenue flows for nationalism. So it is probably unreasonable to expect a significant spontaneous ransomware volunteer cyber militia anytime soon.
How aware the master?
Putin, and the Russian government in general, understand offensive cyber as a function of the security forces, particularly the intelligence services. Ransomware, they understand as (1) a means of getting kompromat on political rivals (in the style of “hack my girlfriend’s Facebook”), (2) a source of income, in particular for the FSB (which is very important in its own way but a topic for another time), and (3) something the West hates and is therefore a bargaining chip to be used in future diplomatic negotiations. Critically, they do not perceive the ransomware gangs as a strategic cyber asset that can be used within a larger grand strategy.
Their blind spot is by no means unusual; as far as I know there are no political leaders who perceive ransomware as a strategic capability. There is maybe a vague sense of "they could do more Colonial Pipeline attacks!" but no real concern that ransomware could be used to disable choke points in the global supply chain, introduce considerable friction into everyday standards of living, or disrupt critical systems necessary for civil society to function.
Ransomware is not understood as the potential power it is. Consequently, there is a conceptual brake on the gangs being unleashed on the world to raid and cause damage as part of Putin's strategy.
Which way to bet
The cyber war is rapidly evolving, of course, and it is unclear what role ransomware gangs will play. But for now at least, it seems that maybe we have misunderstood the situation.
Of course, Russia’s use of ransomware gangs could change in an instant, for example if someone drafts a proposal and gets it approved. But it is important to avoid mirror imaging. We know that ransomware is an important strategic capability. That doesn’t mean the Russians do.
Why is it that the FSB/GRU "need" ransomware gangs in the first place? Shouldn't they have this capability themselves? More tendrils in more networks, I suppose. Strategic use of ransomware is still to be seen, but strategic use of wipers (ransomware minus the ransom, and minus any way to recover the data) we know to be a powerful nation-state tool. Which leaves me wondering: where are the wiper campaigns?