Extortion gangs no longer avoid hitting Russian firms

Moscow’s military escapades in Ukraine have affected more than Europe’s geopolitical landscape. Russia’s invasion changed how threat actors conduct their day-to-day business.

A lot has changed since Russian troops poured into Ukraine on 24 February 2022, and the cyber realm is no exception. For one, threat actors have seemingly rethought how they gain access to target computers. According to Ondrej Kubovič, security specialist at cybersecurity firm ESET, the most significant post-invasion change was in the type of attacks that hackers use to break in.

Over the last couple of years, one of the most common initial-access techniques was abuse of exposed Remote Desktop Protocol (RDP) services, typically through password guessing against internet-facing hosts, for unauthorized device access. Once inside, threat actors can deploy ransomware or spyware, or perform reconnaissance.

The pandemic spurred the use of RDP, as many organizations had to let staff reach office systems from home devices. ESET's telemetry shows that RDP attack attempts took a significant nose-dive in January 2022, mere weeks before the invasion. The volume of RDP attacks dropped by over 40% in the first four months of this year and by 90% over the following four months.
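The RDP abuse described above leaves a recognisable trace on the victim host: bursts of failed logons (Windows Security event 4625) from one source address, often cycling through account names. The script below is an added example of that detection logic, not code from the article or from ESET; it runs over a constructed CSV export of 4625/4624 records (timestamp, event ID, logon type, account, source address), and the field layout, threshold, window and sample addresses are assumptions made for illustration. Logon type 10 is the classic RemoteInteractive RDP logon; with Network Level Authentication enabled, the failed credential check usually surfaces as logon type 3, so both are counted.

```python
"""Flag RDP password guessing from exported Windows Security log records.

Added example (not the article's or ESET's code). Assumes records exported as
'timestamp,event_id,logon_type,account,source_ip' lines; field order, sample
addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 10 = RemoteInteractive (classic RDP); 3 = Network, which is how a failed
# RDP logon typically appears in 4625 when Network Level Authentication is on.
RDP_LOGON_TYPES = {"3", "10"}

# Constructed sample: one guessing burst, one user mistyping a password twice
# before succeeding, and console (type 2) failures that must not be counted.
SAMPLE_LOG = """\
2022-09-14T08:00:01,4625,10,administrator,203.0.113.7
2022-09-14T08:00:03,4625,10,admin,203.0.113.7
2022-09-14T08:00:05,4625,3,Administrator,203.0.113.7
2022-09-14T08:00:08,4625,3,backup,203.0.113.7
2022-09-14T08:00:11,4625,10,scanner,203.0.113.7
2022-09-14T08:00:14,4625,10,root,203.0.113.7
2022-09-14T08:00:20,4625,10,guest,203.0.113.7
2022-09-14T08:01:00,4625,10,jsmith,198.51.100.20
2022-09-14T08:01:30,4625,10,jsmith,198.51.100.20
2022-09-14T08:01:45,4624,10,jsmith,198.51.100.20
2022-09-14T08:02:00,4625,2,svc_build,203.0.113.9
2022-09-14T08:02:01,4625,2,svc_build,203.0.113.9
2022-09-14T08:02:02,4625,2,svc_build,203.0.113.9
2022-09-14T08:02:03,4625,2,svc_build,203.0.113.9
2022-09-14T08:02:04,4625,2,svc_build,203.0.113.9
2022-09-14T08:02:05,4625,2,svc_build,203.0.113.9
"""


def parse_line(line):
    """Split one exported record; account names are case-insensitive on Windows."""
    ts, event_id, logon_type, account, source_ip = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account.lower(),
        "source_ip": source_ip,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: (window_start, failures, distinct_accounts)} for every
    source that produced >= threshold failed RDP logons inside a sliding window.
    The tuple reflects the latest window in which the threshold was met."""
    recent = defaultdict(deque)  # source_ip -> deque of (ts, account) failures
    alerts = {}
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        if rec["event_id"] != "4625" or rec["logon_type"] not in RDP_LOGON_TYPES:
            continue  # successes and console/service logons are not RDP guessing
        q = recent[rec["source_ip"]]
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        q.append((rec["ts"], rec["account"]))
        if len(q) >= threshold:
            distinct = len({acct for _, acct in q})
            alerts[rec["source_ip"]] = (q[0][0], len(q), distinct)
    return alerts


if __name__ == "__main__":
    for ip, (start, fails, accts) in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {fails} failed RDP logons across {accts} accounts since {start}")
```

On the constructed data only 203.0.113.7 is flagged (seven failures against six distinct accounts in under twenty seconds); the two failures from 198.51.100.20 stay below the threshold unless it is lowered, and the console failures from 203.0.113.9 are ignored because their logon type is not an RDP one. In production the same logic would read the real 4625 fields (Logon Type, Source Network Address) rather than a CSV, and a high distinct-account count is the stronger signal, since a legitimate user retries one name.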


The receding pandemic and fewer people working from home can partly explain the dwindling volume of RDP attacks. However, Kubovič thinks there might be other factors at play. Namely, Russia may be redirecting the attention of its cyber operators to Ukraine.

“As you can see, the change was really dramatic. So, probably somebody had to prepare for something else and didn’t have time to do these types of attacks. But that’s just a guess,” Kubovič said during ESET Security Day in Vilnius, the capital of Lithuania.

Target on Russia’s back

Western intelligence and law enforcement agencies have repeatedly said that Russia-linked hackers were responsible for the most severe attacks on critical infrastructure. For example, according to the FBI, in 2021 Conti victimized 87 critical infrastructure organizations, while LockBit and REvil/Sodinokibi attacked 58 and 51 such victims, respectively.

Interestingly enough, Russia's war in Ukraine affected the geography of ransomware victims. Since Russia was considered a safe haven for cybercriminals, threat actors long avoided targeting businesses inside the country; many ransomware families from the region even refuse to run on systems with a Russian or other CIS locale. The war in Ukraine has changed that.

According to Kubovič, the steepest growth in ransomware attacks this year was registered in Russia. Threat actors seemingly aren't too picky, either: small, medium, and large enterprises all get their share of ransomware attacks as Russia becomes a prime target.

“That was unheard of before. Russia was targeted by most ransomware attacks in the last three years. Russia was never among the most targeted, but right now it is and will stay like that,” Kubovič explained.

He also pointed out that numerous hacktivist groups, such as Anonymous and NB65, flocked to help Ukraine in its defense against Russia. Kyiv succeeded in rallying an international volunteer "IT Army", resulting in attacks against Russia's private and state-owned enterprises.

“Something like that points to the fact that even high-profile organizations in Russia are targets now, which was not the case in pre-war times,” he said.

Another example of how Russia's invasion of Ukraine affected the ransomware landscape is how attackers use the Windows LockScreen trojan, a screen locker that blocks access to the desktop without encrypting any files (the data stays intact, so recovery does not depend on a decryption key). Kubovič said that Russian users are now often targeted with this malware in order to spread pro-Ukrainian messages.
