Ransomware isn’t always about gangs making money. Sometimes it’s about nations manufacturing mayhem.

A cutout of an Israeli soldier is seen behind signs pointing out distances to different cities at an army post in Mount Bental in the Israeli-annexed Golan Heights, on November 28, 2020. (Photo by JALAA MAREY/AFP via Getty Images)

Ransomware is fundamentally about reaping massive profits from victims — payments were on pace to cross the billion-dollar threshold in 2021, according to the U.S. government — but there are signs that foreign government-connected groups are increasingly moving into territory dominated by criminal gangs, and for an entirely different motive: causing chaos.

Research that Microsoft and cybersecurity company CrowdStrike recently publicized separately concluded that Iranian hackers tied to Tehran had been conducting ransomware attacks that weren't about making money, but about disrupting their enemies. It echoed research published last spring and summer by Flashpoint and SentinelOne, respectively.

When disruptive ransomware pays off, those who have studied the phenomenon say, it can embarrass victims. It can be used to steal data and leak sensitive information to the public. It can lock up systems, disabling targets. And given the prominence of ransomware, it's another method that foreign intelligence and military agencies can use to hide in the shadows, wreak havoc and make it look like the work of others.

If the tactic spreads, it could put even more companies and other targets in the line of fire of nation-state cyberwarfare and cyber-espionage, fending off ransomware that was never meant to be paid. Like any other destructive malware, this kind of ransomware is built to break things.

Who cares about the money?

Suspected Chinese hackers last March were behind a strain of ransomware that claimed victims in the U.S., Germany, Indonesia and elsewhere, and that some intelligence analysts say was possibly motivated less by money than by havoc. Threat intelligence firm Recorded Future says the hackers behind it showed little sign that they actually cared whether they got paid — suggesting another intent, possibly disruptive in nature.

“I think it’s a trend,” said Allan Liska, director of threat intel at Recorded Future. “If that continues to breed success, you’ll see more of that.”

What’s more, given that multiple Iranian groups appear to have adopted the tactic, it might not be long before disruptive Iranian ransomware claims U.S. victims, predicted Adam Meyers, senior vice president of intelligence for CrowdStrike.

“As we watch the ongoing dissolution of relations with Iran and the U.S. and the international community, I think this is a marker … of what they may look to do when the gloves come off,” Meyers said.

Over the weekend, Microsoft also said the recent attacks on Ukrainian government agencies were disruptive attacks disguised as ransomware, although it said it had not yet attributed their source. U.S. officials have said the attacks fit the "Russian playbook," and Ukraine directly blamed Russia.

The idea of using ransomware for disruptive purposes rather than financial gain has other precedents. Most prominently, the widespread 2017 NotPetya infection caused billions of dollars in losses across several industries and dozens of countries. The U.S. and U.K. blamed Russia for NotPetya, so named because it looked like an actual ransomware variant named Petya — but after locking systems, NotPetya offered victims no working mechanism for paying to unlock them.

That was “probably one of the first cases in which something that appeared to be ransomware on the surface was actually a destructive malware,” said Israel Barak, chief information security officer for Cybereason. “So, the practice and the model has been there for quite some time.”

The era of ‘lock and leak’

CrowdStrike began noticing the unusual Iranian ransomware activity in November of 2020. Beyond the suspected Chinese-connected ransomware variant in March, Taiwan accused China of being behind a ColdLock ransomware attack on its state oil facility in the summer of 2020 that may also fit into the trend, Liska said.

In the case of the Iranian ransomware disruptions, CrowdStrike linked them to the groups it calls Nemesis Kitten and Spectral Kitten. They’ve targeted Israel, largely in an “opportunistic” way within that nation’s borders rather than going after specific victims, Meyers said.

They appear to have more than one goal in mind. One is “lock and leak,” as CrowdStrike calls it. Some financially-motivated ransomware gangs leak sensitive files from their targets, but largely as part of a second layer of blackmail designed to pressure targets into paying. For the Iranian hackers, the interest is purely putting internal documents of the victims into the public eye, Meyers said. Other analysts have observed Iranian groups using the “lock and leak” approach.

But there's a second motive as well. The recent incidents cited by CrowdStrike aren't just modeled on past disruptive ransomware attacks, but on disruptive attacks in general, such as those Russia carried out in Crimea in 2014.

“It was kind of a protracted campaign meant to demoralize and to psychologically impact the target country by making them feel that they were unsafe and that their systems weren’t working,” Meyers said, “and that they weren’t in control and make them question the ability that governments protect them.”

Microsoft declined to elaborate on its own research into the Iranian disruptive ransomware attacks.

Hiding among the noise

Liska said there’s reason to believe that DearCry, a ransomware strain that emerged last spring to capitalize on the sweeping Microsoft Exchange Server vulnerabilities, fits into the trend of disruptive ransomware attacks. Barak said the culprits behind DearCry not providing crypto wallet information makes it suspicious, but wasn’t ready to draw conclusions about its motive. An alternative explanation is that it was additional cover for the Chinese government’s cyber-espionage mission by making it look like part of a widespread cybercrime wave.

Said Liska: "With China, it does seem a little more sporadic, but we've now seen between ColdLock and then DearCry at least a couple of examples where impactful attacks have a ransomware component, or what looks like a ransomware component, but it's more likely meant to be disguised as ransomware."

Liska said that beyond nation-state groups, he could envision hacktivist groups employing the tactic as well.

And Barak said it could be useful to anyone trying to misdirect.

“Ransomware is something where there are so many threat actors or threat groups that are using ransomware, it’s very easy to become part of that background noise,” he said.

Iran and China have routinely denied carrying out cyberattacks.

Updated 1/18/22: Link to latest Microsoft research.