One of the reasons cyber hasn’t played a bigger role in the war, according to Carhart, is that “throughout the conflict, we saw that Russia wasn’t prepared for things and didn’t have a good game plan. So it’s not surprising that we see it in the cyber domain as well.”
In addition, Ukraine, under the leadership of Zhora and its cyber security agency, has been working on its cyber defenses for years and has received support from the international community since the war began, experts say. Finally, an interesting twist in the Internet conflict between Russia and Ukraine was the rise of the decentralized international cyber coalition known as the IT Army, which carried out some significant hacks, proving that war in the future can also be fought by hacktivists.
Ransomware is running rampant again
This year, aside from the usual corporations, hospitals and schools, government agencies in Costa Rica, Montenegro and Albania have also suffered damaging ransomware attacks. In Costa Rica, the government declared a national emergency, the first after a ransomware attack. And in Albania, the government expelled Iranian diplomats from the country, a first in cybersecurity history, after a devastating cyber attack.
Such attacks peaked in 2022, a trend that will likely continue next year, according to Allan Liska, a researcher who focuses on ransomware at cybersecurity firm Recorded Future.
“[Ransomware is] not just a technical issue like data theft or other commodity malware. There are real-world geopolitical implications,” he says. In the past, for example, a North Korean ransomware called WannaCry caused severe disruption to the UK’s National Health System, affecting around 230,000 computers worldwide.
Fortunately, it’s not all bad news when it comes to ransomware. According to Liska, there are some early signs that point to “the death of the ransomware-as-a-service model,” in which ransomware gangs rent out hacking tools. The main reason, he said, is that whenever a gang gets too big, “something bad happens to them.”
For example, the REvil and DarkSide/BlackMatter ransomware groups were targeted by governments; Conti, a Russian ransomware ring, fell apart internally when a Ukrainian investigator, horrified by Conti’s public support for the war, leaked internal chats; and the LockBit crew also suffered from their code being leaked.
“We’re seeing a lot of affiliates decide that maybe I don’t want to be part of a big ransomware group, because they all have targets on their backs, which means I could have a target on my back, and I just want to carry out my cybercrime,” says Liska.