Kiril Avramov, Ryan Williams
It’s easy to imagine yourself as a ransomware victim. You open your laptop one morning and see a note explaining that your files are now encrypted. Only the attackers hold the key. They are willing to let you back into your system if you pass them some bitcoin.
Perhaps what’s harder to imagine is how these attacks shape and are shaped by our businesses, governments and personal lives. But it is crucial that more policymakers appreciate these dynamics, because ransomware is not only a criminal enterprise. Just like disinformation, private military contractors and state-directed corporate espionage, ransomware is a powerful weapon in political warfare.
A wave of recent ransomware attacks has attracted the attention of many leaders by targeting what the U.S. government has deemed “critical infrastructure.” The scale, volume and disruptiveness of recent ransomware attacks have led to an effort by the Biden administration to reclassify ransomware as a national security threat.
The ongoing surge of ransomware targeting Western networks has been attributed to Russian groups operating ransomware-as-a-service enterprises. In Russia, ransomware actors are seldom pursued or prosecuted. They operate with relative ease in a context where public and private spheres overlap. External observers are left wondering where the state ends and the private, or rather illicit, enterprise begins.
In most cases, attackers are effectively immune from legal consequences at home and often refrain from targeting Russian businesses or governmental entities. Additionally, they are protected from extradition abroad, regardless of the evidence against them. Russian dark market platforms serve as uninterrupted mechanisms for ransom-to-cash conversion, and attackers benefit from a sturdy wall that keeps out victims seeking transparency and accountability.
Strategic inaction on the Kremlin’s part is an inducement to experiment with malicious software aimed at Western targets. There are documented instances of individuals and groups being co-opted by Russian security and intelligence services. The state provides them legal protection and occasional targeting guidance in exchange for information and corrupt material gains.
In this way, ransomware has entered the Gray Zone. This is a realm where plausible deniability is achieved through the cooptation and weaponization of private proxies. When these private entities act, the outcomes align suspiciously well with the Kremlin’s objectives. The result is a proliferation of confusion and chaos, the erosion of social trust and diminished economic potential for Russia’s competitors.
Despite the patterns of interactions between the Russian security services and cybergangs, the exact details of this arrangement remain opaque. The global trend of amalgamation between private actors and state initiatives complicates efforts to discern purely criminal activities from state-sponsored political warfare. These difficulties introduce dangers of misattribution or miscalculation that could lead to other confrontations and further strain the already difficult relations between the U.S. and Russia.
When you consider the explosion of new ransomware business models and the favorable conditions Russia creates for attackers, it is reasonable to anticipate that the market for ransomware capabilities will continue to mature. And increasing demand for malicious code may incentivize cybergangs to develop artificial intelligence features that could further erode the Russian state’s ability to place limits on attackers. These trends spell an uncertain future for norms against ransomware attacks. In terms of Gray Zone confrontation, we now face diffuse, capable operators armed with highly sophisticated software. Ransomware risks becoming just another “conventional” weapon in conflicts classified as “below the threshold of war.”
To make informed decisions, lawmakers need to continue to solicit an intelligence community assessment on the nature of Russian state involvement in the ransomware industry. And, although it may seem counterintuitive, policymakers should attempt to secure limited Russian cooperation on developing norms against AI-enabled ransomware attacks.