Let's Stop Pretending Russia Isn’t Influencing Ransomware Operations

Published on December 4, 2024

Stoli Group's U.S. subsidiaries have filed for bankruptcy following a series of ransomware attacks that appear to have been coordinated with official Russian government actions, a pattern that strongly suggests the Russian government is directing cybercriminals in at least some of their targeting choices.  

In August 2024, a crippling ransomware attack targeted the company’s IT systems, including its ERP platform, forcing manual operations and disrupting key processes like accounting.  

This attack, which has delayed full recovery until 2025, also prevented the company from submitting financial reports, prompting lenders to claim default on a $78 million debt, Bleeping Computer reports.

Just a month earlier, Russian authorities seized Stoli’s last remaining assets in the country—two distilleries valued at $100 million. These actions followed the designation of Stoli Group and its founder, Yuri Shefler, as "extremists," allegedly due to their support for Ukrainian refugees.  

However, this designation appears to be another step in a decades-long campaign by the Russian government to regain control of the Stolichnaya and Moskovskaya vodka trademarks.

This effort traces back to a 2000 executive order by Vladimir Putin aimed at reclaiming vodka trademarks sold to private entities in the 1990s. Shefler, a vocal Putin critic, fled Russia in 2002 after facing politically motivated charges.  

These recent moves suggest a calculated attempt to dismantle the company while advancing Russia's longstanding trademark agenda.  

Takeaway: It is dangerously naive to keep treating all ransomware attacks as mere cybercrime when it is glaringly obvious that Russia is influencing, if not outright directing, some ransomware operators to serve its geopolitical agenda.  

The evidence is overwhelming, and Russia tipped its hand (again) with the attacks on Stoli.

Chainalysis found that 74% of all ransomware revenue in 2021 went to Russia-linked attackers—a staggering figure that exposes how deeply entrenched Russia is in this ecosystem.  

And the abrupt decline in ransomware attacks at the start of Russia’s invasion of Ukraine—and their redirection toward Ukrainian targets—makes it painfully clear that these operators are acting under the Kremlin’s guidance.

We know that some of the most infamous ransomware gangs are closely aligned with, or even partially controlled by, Russian intelligence. Their activities blur the line between criminal enterprises and state-sponsored operations, giving Russia the plausible deniability it relies on to avoid international retaliation.  

This isn't just a convenient coincidence; it's a deliberate strategy. The coordinated attacks on Stoli by the Russian state and Russian ransomware operators make this point clearly.

By continuing to treat all ransomware attacks as isolated criminal acts, we are willfully ignoring their dual role as tools of Russian state aggression.  

Continued attacks on critical infrastructure providers, particularly the healthcare sector, are not just about extortion for financial gain; they are about destabilizing our society, undermining confidence in our institutions and in normal daily life, and advancing Russia's broader geopolitical aims.  

This is not cybercrime; this is subtle cyberwarfare, and our failure to designate some ransomware attacks as acts of state aggression is not just a policy gap, it’s a strategic blunder.

When ransomware attacks target critical systems like healthcare or energy, putting lives at risk and undermining national security, they must be treated as state-sponsored threats.  

If we fail to call these attacks what they are, we deny ourselves the ability to respond appropriately—whether through offensive cyber actions, sanctions, or even military deterrence.

Ransomware attacks are a multifaceted threat that extends far beyond simple financial motives. Their dual purpose—enriching cybercriminals while advancing the geopolitical agendas of adversarial nations—calls for a comprehensive and unified response.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
