Power Rankings: Ransomware Malicious Quartile Q4-2024

Research
Written by
Anthony M. Freed
Published on
Jan 22, 2025

Ransomware has become one of the most disruptive cyber threats in recent years, impacting critical systems, endangering lives, and costing billions of dollars. However, framing ransomware attacks as solely financially motivated obscures the reality that some of these incidents serve broader geopolitical purposes.

Get the full report here - Power Rankings: Ransomware Malicious Quartile

Ransomware as a Geopolitical Tool: Russia

In Russia's case, evidence suggests the state steers ransomware operators toward sectors such as healthcare, energy, and food supply chains, aligning these attacks with its strategic objectives. Ransomware lets Russia undermine public confidence in Western institutions while retaining plausible deniability, which makes it a convenient tool for advancing its geopolitical ambitions.

The Stoli Group Incident: Evidence of Strategic Coordination?

The 2024 ransomware attack on the Stoli Group offers a clear example of how ransomware can be used as part of a coordinated strategy. The attack disrupted the company’s enterprise resource planning (ERP) systems, delayed financial reporting, and forced manual operations, contributing to a $78 million debt default. Recovery efforts are expected to extend into 2025.

This cyberattack followed a series of actions by the Russian government targeting Stoli, including the seizure of the company’s last remaining assets in Russia—two distilleries valued at $100 million—and the designation of Stoli and its founder, Yuri Shefler, as “extremists.” These events are part of a long-standing effort by Russia to reclaim vodka trademarks once sold to private entities.

The alignment between the ransomware attack and these state actions suggests more than coincidence. It reads as a calculated effort to weaken a company Russia treats as adversarial while advancing domestic objectives. Even without direct attribution of the intrusion, the sequence of events illustrates how some ransomware attacks can reasonably be assessed as influenced by state priorities.

Evidence of Russian Influence on Ransomware Operations

The Stoli case is just one example of a broader trend linking ransomware operations to Russian interests. Chainalysis reported that 74% of ransomware revenue in 2021 went to attackers with ties to Russia. A concentration that heavy does not prove that every operator takes direction from Moscow, but it does describe an ecosystem that is deeply influenced, if not outright shaped, by Russian state objectives.

Further evidence emerged with the onset of Russia’s invasion of Ukraine in 2022. During this period, ransomware attacks against Western targets declined sharply, while attacks against Ukrainian entities increased. This shift indicates that ransomware operators, often seen as independent criminal groups, are responsive to geopolitical developments and may act under the guidance of the Russian government.

Groups like Conti and REvil, known for their connections to Russian intelligence, illustrate how closely intertwined some ransomware operators are with state interests. Ransomware attacks blur the distinction between criminal activity and state-sponsored operations, allowing Russia to pursue its objectives without risking direct attribution.

Ransomware’s Role in Targeting Critical Infrastructure

One of the most concerning aspects of this dynamic is the focus on critical infrastructure. Attacks on sectors such as healthcare, energy, and food supply chains go beyond financial extortion. They threaten societal stability, disrupt essential services, and create long-term vulnerabilities.

For instance, ransomware attacks on healthcare systems can delay treatments, compromise patient safety, and strain resources, particularly in already overburdened systems. Attacks on energy providers or food supply chains, meanwhile, can disrupt everyday life, drive up costs, and sow uncertainty. These outcomes align with broader objectives to weaken public confidence in government and institutions.

Despite these broader impacts, ransomware attacks have largely been treated as criminal acts rather than threats to national security. While efforts by the Department of Justice to indict operators and seize funds are important, they have had limited success in deterring future attacks. Operators shielded by state actors, particularly those in Russia, remain beyond the reach of traditional law enforcement.

A Call to Reclassify Ransomware Attacks

To address this evolving threat effectively, it is essential to reframe ransomware attacks targeting critical infrastructure as national security incidents rather than isolated criminal acts. This shift in perspective would enable a more robust response, including:

  • Offensive Cyber Measures: Disrupting the infrastructure of ransomware operators and their enablers, particularly those operating within adversarial states.
  • Economic Sanctions: Targeting nations that harbor or sponsor ransomware groups to increase the costs of enabling these activities.
  • International Collaboration: Strengthening intelligence sharing and coordinated actions among allied nations to counter ransomware operations more effectively.
  • Cyber Deterrence Strategies: Establishing clear consequences for state-linked ransomware operations, potentially including proportional responses in the cyber or kinetic domains.

The Strategic Implications of Ransomware

The volume of ransomware attacks in the US and UK targeting healthcare and food supply chains further indicates that a subset of ransomware incidents is not solely financially motivated but is part of a coordinated strategy to advance geopolitical objectives. Recognizing this dual nature of ransomware is essential to developing effective responses.

Treating ransomware attacks on critical infrastructure as purely cybercriminal acts misses their broader implications. These attacks are not only about disrupting businesses for financial gain; they are also about eroding societal trust, creating instability, and advancing the strategic goals of states like Russia.

By reclassifying some ransomware attacks as national security threats, policymakers can unlock a wider range of tools to deter and respond to these incidents. Without this change, responses will remain limited in scope and effectiveness, leaving critical infrastructure vulnerable to ongoing exploitation.

Ransomware has evolved beyond being a tool for financial gain. For nations like Russia, it serves as a low-cost, high-impact mechanism to disrupt adversaries while avoiding direct confrontation. Recognizing and addressing this reality is a crucial step in protecting critical systems and ensuring national security in an era of increasingly complex threats.

The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q4-2024, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.
