Russian-speaking hackers dominate ransomware attacks, TRM research says

Russian-speaking groups accounted for almost 70% of all crypto proceeds from ransomware attacks in 2023, extorting more than $500 million, according to new research by TRM Labs.

Ransomware is a type of malicious software that encrypts a victim’s files or data, rendering them inaccessible. The attacker then demands a ransom, usually in cryptocurrency, in exchange for the decryption key.

“Many of these actors are known to operate from inside Russia or to hold links to the Kremlin,” according to TRM. “Some even actively use crypto to procure foreign equipment for the Russian war effort.”

North Korea is the world’s hacking superpower, responsible for stealing almost $1 billion in crypto in 2023, and Asia-based criminals appear to lead in scams and investment fraud, the report says. Still, Russian-speaking threat actors are unique in their malign ransomware activities.

Lockbit and ALPHV/Black Cat, the two biggest operators in 2023 and both Russian-speaking, together reaped at least $320 million.

Ransomware groups sometimes sell their malware to affiliates or other threat actors as part of a cybercrime business model called “ransomware as a service,” or RaaS.

This may involve a licensing agreement, subscription service, flat fee, or profit sharing, all of which allow for rapid distribution and increased attack frequency.

LockBit, an RaaS operator, was disrupted earlier this year by an international law enforcement operation, but it survived and its future remains unclear, according to TRM.