After a temporary decline in ransomware attacks following Russia’s invasion of Ukraine, hacking groups are reforming and returning to their usual tactics.

The Russian invasion of Ukraine has had far-reaching consequences for western society. However, predictions that the outbreak of conflict would lead to a dramatic increase in cyber-attacks against NATO members’ economies have not come to pass. To understand why this did not happen and why the current lull is not indicative of a new normal, we need to understand the makeup of the cybercrime industry and how it is evolving.  

The Ransomware pandemic years

During the ransomware pandemic of 2020-21, Russian-speaking cyber criminals, based in Russia or in nearby Russian-speaking territories including Ukraine, were extremely successful in hacking organisations. This period included headline-grabbing attacks such as the theft of 250GB of files from the Washington DC Metropolitan Police in May 2021, for which the attackers demanded US$4 million.1

The circumstances brought about by COVID-19, with organisations globally having to readjust their entire networks almost overnight, created the conditions for a perfect storm that had been building for years. Security posture weakened as remote access was expanded in a hurry, and hackers found easy targets.

Cybercrime gangs became highly professionalised as this "industry" benefited from lucrative returns and little risk of prosecution at home. Russian and Ukrainian hackers attacked Western businesses with impunity. They could expand in headcount and capability, successfully recruiting hackers to develop their trade and ultimately carry out larger ransomware extortions.

These groups evolved into successful businesses employing a consultancy-style model, training new recruits on easier targets to hone their craft. Larger hacking groups have been found to run physical offices, keep scheduled working hours, employ managers at various tiers, and maintain separate departments for HR, coding, training, testing, intelligence gathering, and other functions.2

When the bubble burst

Putin's invasion of Ukraine burst the cybercrime industry bubble as international hacking groups fractured along national allegiances. Leading groups such as Conti splintered as members joined the war, relocated to flee the conflict, or left over loyalty to their respective nations.3

Conti, in particular, had previously attracted attention from the FBI and the US State Department, which offered a US$10 million reward for information leading to the identification of key individuals in the group. Elsewhere, some groups responded to the call from the Ukrainian government as it looked to recruit volunteer hackers to help protect critical infrastructure.4 This led to a decline in the ransomware threat post-invasion, as these groups became less organised and some tilted their focus to the war effort.

For businesses, there was a temporary reprieve as the frequency and severity of cyber-attacks dropped. This is reflected in our Risk & Resilience research data, in which the share of global business leaders ranking cyber as their top threat peaked in 2021 (34%) and has since fallen significantly over the past two years (27%).

The ransomware threat returns

While ransomware activity dipped post-invasion, we are now seeing that the threat for businesses from ransomware groups is intensifying. Russian and Ukrainian hackers are regrouping as the war in Ukraine enters a stalemate. Nationalism is being trumped by the need for money as these hackers from both sides of the conflict put aside their differences and reform their networks.

These groups are now trying to make up for lost time by demanding heavier ransoms when they successfully break into firms' data and systems. Previously, hacked firms had settled for ransoms as low as US$200,000, as these groups were less organised and willing to accept smaller fees.5 This compares with the ransomware gang BlackCat demanding US$4.5 million after gaining access to Reddit internal data in February.6

Furthermore, the threat is intensifying as many industries are now facing a cash crunch in the current tougher market conditions, leading them to invest less in their protection against the cyber threat. This is leaving some firms increasingly vulnerable to cybercrime and the resulting damages of a successful attack.

The early signs of a rebound in ransomware activity are visible, but the stakes are now higher than ever before. The frequency of larger, more sophisticated attacks that target corporates of all sizes is on the rise.7 The recent MOVEit hack carried out by the Russian ransomware gang Clop has stolen personal data, including the national insurance numbers of staff, from organisations around the globe, among them the U.S. Department of Health and Human Services and law firms,8 the BBC and British Airways, to name just a few.9 It is a timely reminder that businesses remain on the front line against third-party (supplier) cyber-attacks: a single vulnerability in a widely used piece of software, such as a file-transfer product, can cause knock-on damage to every organisation whose data passes through it, even where that organisation never ran the software itself. Businesses need to be vigilant to the threats and risks associated with this kind of exposure.

Layered defence can stem the tide

There are many defence-in-depth steps that companies can take to help prevent them from becoming a victim of this uptick in ransomware incidents, and, as we have seen through our underwriting and claims statistics, these steps help to stem the rising tide of incidents. They include:

  • Utilising endpoint detection and response (EDR)
  • Installing security patches rapidly
  • Reducing the number and usage scope of domain admin accounts
  • Limiting users’ permissions and access to role-based need
  • Hardening security configurations of systems, applications and cloud resources
  • Segmenting your network using strict filtering rules
  • Implementing secure backup solutions (immutable or offline copies) so that a compromised user or administrator account cannot alter or delete backups
  • Having documented and properly tested incident response and disaster recovery plans
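Two of the items above, reducing the number and usage scope of domain admin accounts and limiting permissions to role-based need, are the ones attackers most often exploit once inside: a single phished user whose everyday account is also a Domain Admin hands over the whole domain. The following is an added example, not Beazley's code or any vendor tool, of the kind of audit a practitioner would run to find that sprawl. It assumes the account and logon data have already been exported (in practice from AD group membership and Security event ID 4624 logs); the account records below are constructed sample data, and treating hostnames that begin with "DC" as domain controllers is a simplification for the example.

```python
# Added example: audit of domain-admin sprawl and misuse over a constructed
# account export. Not Beazley's tooling; all account data below is made up.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in AD groups that grant domain- or forest-wide control ("tier 0").
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Windows logon types meaning a person sat at (or RDP'd into) the host:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class Account:
    name: str
    groups: set
    password_last_set: datetime
    logons: list  # (hostname, logon_type) pairs, e.g. from event ID 4624


def is_domain_controller(hostname):
    # Assumption for this example: DC hostnames start with "DC".
    return hostname.upper().startswith("DC")


def audit_account(acct, now):
    """Return a list of findings for one tier-0 account (empty if clean)."""
    findings = []
    if not acct.groups & TIER0_GROUPS:
        return findings
    # Scope violation: a tier-0 credential typed into a workstation or member
    # server is exposed to credential theft on that host.
    non_dc_hosts = sorted({h for h, t in acct.logons
                           if t in INTERACTIVE_LOGON_TYPES and not is_domain_controller(h)})
    if non_dc_hosts:
        findings.append("tier-0 account used interactively on non-DC hosts: "
                        + ", ".join(non_dc_hosts))
    # Service accounts rarely need tier-0 rights and usually never rotate.
    if acct.name.lower().startswith("svc_"):
        findings.append("service account holds tier-0 group membership")
    age = now - acct.password_last_set
    if age > MAX_PASSWORD_AGE:
        findings.append(f"password not rotated for {age.days} days")
    return findings


def audit(accounts, now):
    """Map each tier-0 account name to its findings; clean accounts map to []."""
    return {a.name: audit_account(a, now) for a in accounts if a.groups & TIER0_GROUPS}


def tier0_count(accounts):
    """How many accounts hold any tier-0 membership at all."""
    return sum(1 for a in accounts if a.groups & TIER0_GROUPS)


NOW = datetime(2023, 7, 1)

# Constructed sample export.
SAMPLE_ACCOUNTS = [
    # Dedicated admin account used only on DCs over RDP: the intended pattern.
    Account("admin.jsmith", {"Domain Admins"}, NOW - timedelta(days=30),
            [("DC01", 10), ("DC02", 10)]),
    # Everyday user account that also sits in Domain Admins and is used on a
    # finance workstation: one phished session hands over the domain.
    Account("jsmith", {"Domain Users", "Domain Admins"}, NOW - timedelta(days=20),
            [("WS-FIN-07", 2), ("WS-FIN-07", 2), ("DC01", 10)]),
    # Backup service account granted Domain Admins "to make it work", with a
    # password last set over a year ago (logon type 5 = service).
    Account("svc_backup", {"Domain Admins"}, NOW - timedelta(days=400),
            [("BACKUP01", 5)]),
    # Ordinary user; not tier 0, so not audited.
    Account("bob", {"Domain Users"}, NOW - timedelta(days=10),
            [("WS-HR-02", 2)]),
]

if __name__ == "__main__":
    print(f"tier-0 accounts: {tier0_count(SAMPLE_ACCOUNTS)}")
    for name, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(name, "-", "; ".join(findings) if findings else "no findings")
```

In this sample the dedicated "admin.jsmith" account comes back clean, "jsmith" is flagged for using a Domain Admin credential on a workstation, and "svc_backup" is flagged twice. The fixes are the bullet points themselves: move the service account to a narrowly scoped role, give the user a separate admin account used only on tier-0 hosts, and rotate or retire anything that has not changed in a year.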

After a period in which large hacking groups have been splintered, it is easy for firms to be lulled into a false sense of security that the decline in ransomware attacks is here to stay. Sadly, the reality is that we are seeing signs that things could start to get ugly once more, so I urge businesses of all sizes to take the necessary steps and remain vigilant to the risk of ransomware.

The information set forth in this document is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. It should not be construed or relied upon as legal advice and is not intended as a substitute for consultation with counsel. Beazley has not examined and/ or had access to any particular circumstances, needs, contracts and/or operations of any party having access to this document. There may be specific issues under applicable law, or related to the particular circumstances of your contracts or operations, for which you may wish the assistance of counsel. Although reasonable care has been taken in preparing the information set forth in this document, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information.

1. https://www.forbes.com/sites/thomasbrewster/2021/05/13/ransomware-hackers-claim-to-leak-250gb-of-washington-dc-police-data-after-cops-dont-pay-4-million-ransom/

2. https://www.trellix.com/en-au/about/newsroom/stories/research/conti-leaks-examining-the-panama-papers-of-ransomware.html

3. https://www.darkreading.com/attacks-breaches/breakup-conti-ransomware-members-dangerous

4. https://www.reuters.com/world/exclusive-ukraine-calls-hacker-underground-defend-against-russia-2022-02-24/

5. https://tech.co/news/ransomware-groups-earned-less-last-year

6. https://www.theverge.com/2023/6/19/23765895/reddit-hack-phishing-leak-api-pricing-steve-huffman

7. https://www.beazley.com/en-us/cyber-services-snapshot/defence-depth-cyber-security/latest-trends

8. US health department, law firms reportedly latest hit in wide-ranging hack (msn.com)

9. https://www.bbc.co.uk/news/technology-65814104