War in Ukraine causes a flood of amateurish ransomware

The Kremlin's aggression in Ukraine has put Russia on the ransomware map. Typically excluded from ransomware target lists, the country now finds itself in the eye of the storm, facing the highest proportion of ransomware detections, ESET claims.

January through April, ESET researchers noticed an increase in screen-locking ransomware incidents. Almost 40% were aimed at Russia, and 11% at Ukraine.

"The Win/LockScreen.AWI variant targeting Russia even displayed the title 'Slava Ukraini' (in uppercase Ukrainian Cyrillic) or 'Glory to Ukraine' – a national salute used by the Ukrainians," ESET said in its latest threat report.

"Since the Russian invasion of Ukraine, we have observed an increased number of amateurish ransomware and wipers. Their authors often pledge support for one side or the other and make the attacks an act of personal vendetta," Igor Kabina, ESET Senior Detection Engineer, said.

Before the invasion, Russia and some other Commonwealth of Independent States (CIS) countries were excluded from many ransomware target lists, probably because many criminals reside in those countries or fear Russian retribution, the report states.

"T1 [January through April] 2022 hints at a possible change, as Russia faced the highest proportion of detections (12%) in the Ransomware category. Although not unheard of, Russia has never had to eat so much of its own dog food," ESET said.

The Conti leaks ruffled some feathers at the beginning of the war in Ukraine. In March, after Conti had announced its allegiance to Vladimir Putin, a pro-Ukrainian insider set up a Twitter account named Conti leaks to expose the ransomware gang, which had proved to be a nightmare for many of its victims, including Ireland's HSE, Volkswagen Group, and several US cities, counties, and school districts.

In May, the group was proclaimed dead. Before disappearing, Conti went on a spree. Reports show that the gang attacked around two companies per day, with its victim list exceeding 1,000 organizations. Other actors, for example, LockBit, tried to avoid similar fallout by publicly stating they were impartial.

"What's interesting is that the pro-Ukrainian [amateurish ransomware and wipers] variants outnumber the pro-Russian ones by a small margin. We expect attacks supporting a particular side to continue in the upcoming months and even escalate as ideology and war propaganda are becoming the central driving forces for their spread," Kabina added.

During the review period, ESET researchers saw many decryptors released, including ones for some of the most notorious ransomware families, such as Maze, Egregor, Sekhmet, and Diavol. In connection with the war in Ukraine, a free decryptor has been published for victims of HermeticRansom.

Although some threat actors were arrested this year, there are still enough criminals wanting to join the ransomware scene.

"NightSky was one of the first and most visible ones that popped up in T1 2022, targeting corporate networks and exploiting Log4J. On top of eCh0raix, NAS devices are under attack from new ransomware called DeadBolt. Another newcomer, White Rabbit, seems to be a side-project of the FIN8 hacking group," ESET said.