Cyber Warfare, Russia uses Ransomware-as-a-Service against Ukraine and partners

Russia uses Ransomware-as-a-Service against Ukraine and its partners. The weapons are groups such as LockBit, BlackCat (ALPHVM), Karakurt, Hive and Black Basta
Russia is using Ransomware-as-a-Service (RaaS) to carry out cyber warfare against countries and their partners who have sided with Ukraine. The most striking examples are:
- LockBit 3.0, which is heavily targeting France;
- BlackCat (aka ALPHVM), which has just attacked the local administration of Riyadh in Saudi Arabia;
- Karakurt, which appears to be focusing its activities mainly against the United States;
- Hive, whose compromises are growing even if not specifically geo-localized;
- Black Basta, which mainly targets the Anglo-Saxon world.
Some ransomware groups, such as LockBit, have announced that they are apolitical and that they would never hit any nation’s critical infrastructure. Others, however, have not expressed themselves in this regard. In the first case, despite the proclamations, there have been several attacks against “forbidden” targets and – at least officially – none of the leaders of the formation has taken action against offenders.
Many of the ransomware groups used in Moscow’s cyber warfare originated from Conti and do not attack neutral countries, despite those countries’ weaker cyber defenses.
A further element supporting this thesis is the common origin of Karakurt, Black Basta, ALPHVM/BlackCat and Hive. According to cybersecurity experts, all of these ransomware groups come from the Conti group, which sided with Russia against Ukraine and formally closed its operations in May 2022. Analysts believe that, during the two months before the shutdown, the core formation created sub-divisions with a horizontal and decentralized organizational structure. The aim is to make attacks harder for “cyber enemies” to disrupt and to keep the operation alive if one or more “branches” were to be neutralized. Some formations are totally independent, while others presumably are only partially so. The common element is the targets: institutions or industries linked to nations that have sided with Kiev or that support Ukraine’s partners. It is no coincidence that neutral states have not suffered these RaaS attacks, despite their weaker cyber defenses. Ergo, profit is only a secondary goal.