
NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments

National Security Agency (NSA) director of cybersecurity Rob Joyce told attendees of a recent UK security conference that ransomware attacks are down in roughly the last two months, and that trend can be traced directly to sanctions placed on Russia. Criminals that operate out of the country are struggling to find ways to cash out ransom payments and set up infrastructure, due in large part to sanctions attached to the invasion of Ukraine.

NSA director sees downward trend in ransomware attacks due to recent sanctions

The NSA cyber security director told the National Cyber Security Centre’s (NCSC) Cyber UK event in Wales that criminal attempts on government agencies and critical infrastructure had made ransomware attacks a national security priority, and that most of the serious players in this particular segment of the criminal underworld are based in Russia. New sanctions against entities in Russia are thus having a dampening effect on ransomware attacks, as the criminals lose options for doing business with the outside world.

Joyce said that this was likely not the only factor in the reduction in ransomware attacks, but was a significant contributor. Ransom payments are more difficult to process due to a lack of access to assorted banking options, and criminals are unable to purchase the technology needed to set up the infrastructure for new ransomware campaigns.

Whether or not to formally ban ransomware payments has been a hot topic across the world for several years now, ever since ransomware attacks made a major resurgence. After a lull in the mid-2010s, ransomware roared back in 2017-2018 roughly concurrent with the massive rise in value of cryptocurrencies. Even larger spikes have occurred since the beginning of the Covid-19 pandemic, as both home and work internet traffic greatly increased. While there is some case to be made for cutting these attacks off at the source by banning ransom payments, an argument supported by this recent NSA announcement, many organizations feel that they have no option but to make a payment when they are unexpectedly caught by a breach. This is particularly true for companies that cannot afford even a small amount of downtime, such as health care facilities and critical infrastructure companies, and most governments have continued to err on the side of allowing payments to be made so long as the proper authorities are also notified of the situation.

Sanctions make ransomware payments more difficult to facilitate

One of the sanctions that is impacting ransom payments is the removal of Russian banks from the international SWIFT banking system. Payments for ransomware attacks are generally made in cryptocurrency, but most attackers look to convert this to fiat currency at some point due to more limited outlets for directly spending crypto funds; attackers in Russia now have far fewer options in this area. Major credit card companies such as Visa and Mastercard have also exited the Russian market and blocked Russian banks.

Russia has faced some level of international sanctions since it began its armed conflict with Ukraine in 2014, but more countries than ever have joined in since the 2022 invasion began. Some notable countries that are now participating include South Korea, Taiwan and Singapore.

Sanctions also prevent victims from making ransom payments without being subject to additional large fines, and in some cases potential criminal charges. US Office of Foreign Assets Control (OFAC) sanctions not only apply to cryptocurrency payments, but can be levied in some scenarios where the attacker has only a suspected or possible connection with a sanctioned party. Penalties for “willful” violations are harsh: a maximum $1 million fine and up to 20 years in prison per violation.

While the NSA says that it sees a reduction in ransomware attacks and ransom payments, the picture is far from clear based on other sources of data. The Conti ransomware gang has been extremely active during the months of the Ukraine invasion, racking up at least 50 attacks in April alone. Other groups that have been active with multiple attacks during the war include LockBit, Pysa, Maze and CLOP. Some new groups have also emerged during this time (Onyx, Mindware, and Black Basta) and the previously routed REvil seems to have regrouped and gone active again. And though ransomware attacks on certain industries have dipped since February, a trend of targeting school systems and government agencies in the US also appears to have picked back up.


The average global ransomware payment amount rose to over half a million dollars in 2021, and in the US the average climbed as high as $6 million according to some research. Analysts broadly expected both the number of attacks and the size of the average ransom payment to rise, but the average in Q1 2022 has actually decreased according to some research.


Senior Correspondent at CPO Magazine