How the Russia-Ukraine war makes ransomware payments harder
Before the start of the Russia-Ukraine war, nearly 75 per cent of cryptocurrency payouts for ransomware went to Russia, according to a study conducted by Chainalysis.
As Russia is now a sanctioned country, the legal ramifications of paying ransoms mean that victims seeking response and negotiation services are being turned down.
Russian sanctions are wide and ambiguous, making them difficult to abide by, says Kurtis Minder, CEO of digital risk protection firm GroupSense, who has negotiated hundreds of ransomware payouts over the past two years.
Sanctions aim to combat ransomware by disrupting ransomware gangs, bolstering resilience, making laundering through cryptocurrency more difficult, and addressing safe harbors like those in Russia.
Below are some points to be aware of when considering ransomware in the current Russia-Ukraine war climate.
Politics have tightened sanctions on ransomware payments
Since Russia launched its war against Ukraine, paying ransoms to Russian entities has become a political hot button, with some officials considering ransomware payouts a threat to national security.
While no businesses have yet been charged for paying ransoms under these sanctions, those that violate them can face civil and criminal penalties even if the victim does not know they are in violation.
Some sanctions lists are out of date
An example is REvil, which supposedly shuttered operations in January. Now REvil seems to have reemerged under a Russian dark web marketplace called RuTOR. Another example is Conti, which has changed names and diversified into multiple spinoffs since its operators threatened to defend Russia with counterattacks.
Paying a ransom to or through any of these entities would violate sanctions, so it is important to keep up to date with cyber security news. Subscribe to the Acurus State of Cyber Security newsletter to stay informed of current industry updates.
Be ready before a ransomware attack
Victims and law enforcement need to work together and share intelligence. Relationships with authorities will reduce liability in the event the victim unknowingly pays a ransom to or through sanctioned entities and affiliates. If, under the weight of a ransomware attack, the victim organisation has reached out to authorities, it demonstrates cooperation with law enforcement and may
Take care to preserve evidence that is highly volatile in nature or limited in retention, to prevent loss or tampering (for example system memory, Windows security logs, or data in firewall log buffers). Also check whether the bureau has a decryption key, which may be available for a specific ransomware strain.
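As an added illustration of the evidence-preservation point above (this is example code, not something from the article or from Acurus), the following PowerShell captures the most volatile Windows artefacts first and exports the event logs as intact .evtx files before they roll over. It assumes an elevated session and writes to an output folder under the system drive, which is a placeholder; in a real response you would write to removable or network media so the capture does not overwrite disk evidence. A full memory image needs a dedicated acquisition tool and is not attempted here.

```powershell
# Added example (not from the original article): preserve volatile Windows evidence
# in order of volatility. Assumes an elevated PowerShell session.
# $caseDir is a placeholder; prefer external or network media over the local disk.
$caseDir = Join-Path $env:SystemDrive "IR-Evidence\$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Most volatile first: running processes, network connections, logged-on sessions.
Get-Process -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv (Join-Path $caseDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $caseDir 'tcp-connections.csv') -NoTypeInformation
quser 2>$null | Out-File (Join-Path $caseDir 'sessions.txt')

# Event logs: export the whole .evtx rather than a filtered view, so nothing is lost
# to log rotation and the original record structure (including timestamps) survives.
foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational') {
    $safeName = $log -replace '[\\/]', '_'
    wevtutil epl $log (Join-Path $caseDir "$safeName.evtx")
}

# Record the current audit configuration so reviewers know which events could exist at all.
auditpol /get /category:* | Out-File (Join-Path $caseDir 'auditpol.txt')

# Hash every captured file so later tampering with the collection is detectable.
Get-ChildItem $caseDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $caseDir 'hashes.csv') -NoTypeInformation
```

Run it as early as possible and before rebooting any affected host: a restart discards memory, sessions and connection state, and a busy Security log can wrap within hours. Firewall log buffers, which the text also names, live on the firewall itself and need to be exported from that device separately.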
Focus on ransomware prevention
With legal liability tied to paying ransoms to Russian and other sanctioned entities, prevention becomes even more critical for enterprise CISOs. Start by mastering the basics: eliminating over-permissive or shared admin rights, introducing application whitelisting, and gaining visibility into systems and networks.
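To show what checking those three basics looks like in practice, here is an added PowerShell example (not the article's or Acurus's own code) that audits a single Windows host: who sits in the local Administrators group, whether AppLocker application control is actually enforced rather than merely audited, and whether process-creation auditing (the minimum for visibility) is switched on. It assumes an elevated session and that the host is domain-joined or standalone; the group names it flags as over-broad are common defaults and can be adjusted.

```powershell
# Added example (not from the original article): baseline checks for the
# three basics named above. Assumes an elevated PowerShell session.
function Test-RansomwareBasics {
    $findings = @()

    # 1. Over-permissive or shared admin rights: flag broad groups and oversized membership.
    $admins = Get-LocalGroupMember -Group 'Administrators'
    $broad = $admins | Where-Object { $_.Name -match 'Domain Users|Everyone|Authenticated Users|Users$' }
    foreach ($b in $broad) {
        $findings += "Over-broad principal in local Administrators: $($b.Name)"
    }
    if ($admins.Count -gt 5) {   # threshold is an assumption; tune to your environment
        $findings += "Local Administrators has $($admins.Count) members; review for shared accounts"
    }

    # 2. Application whitelisting: AppLocker rule collections must be in Enabled (enforce) mode.
    $policy = Get-AppLockerPolicy -Effective
    $collections = @($policy.RuleCollections)
    if ($collections.Count -eq 0) {
        $findings += 'No effective AppLocker policy; application control is not configured'
    } else {
        foreach ($c in $collections) {
            if ($c.EnforcementMode -ne 'Enabled') {
                $findings += "AppLocker $($c.RuleCollectionType) collection is $($c.EnforcementMode), not enforced"
            }
        }
    }

    # 3. Visibility: process creation events (4688) are the floor for host telemetry.
    $audit = auditpol /get /subcategory:'Process Creation' 2>$null | Out-String
    if ($audit -notmatch 'Success') {
        $findings += 'Process Creation auditing is not enabled; 4688 events will be missing'
    }

    return $findings
}

$results = Test-RansomwareBasics
if ($results.Count -eq 0) {
    Write-Output 'No findings for the three basics on this host'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it across a sample of workstations and servers rather than one machine; the value is in spotting the hosts where an AppLocker collection was left in AuditOnly or where a helpdesk group quietly became local admin everywhere.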
To learn more about how the ransomware landscape is being affected by Russian sanctions, contact one of our IT experts today.