Russia’s pariah status could make life difficult for cybercriminals linked to the country, with US financial crime regulator FinCEN warning companies that they could end up supporting sanctioned individuals and entities if they pay ransom demands.

Since Russia’s decision to invade Ukraine, a raft of sanctions has been declared against high-net-worth individuals associated with the country, including Vladimir Putin himself and oligarchs such as Roman Abramovich.

Any US firm paying out a ransom to a sanctioned individual or other entity without government permission would face fines or other criminal penalties, under new regulations set out by the Treasury’s Office of Foreign Assets Control.

The fresh warnings come amid some observers saying hacked firms will be less likely to pay ransoms to Russian affiliates anyway, fearing a PR backlash if they are seen to support the decision to invade Ukraine.

“The sanctions will pose challenges in their extortion or payment scheme,” John Fokker, head of cyber investigations at Trellix, told Bank Info Security. “I can imagine that companies will refuse to negotiate when dealing with a Russia-based ransomware group.”

Brain drain

Other infosecurity professionals have pointed to a “brain drain” that could adversely affect ransomware groups previously reliant on Ukrainian expertise.

Brett Callow, threat analyst at EmsiSoft, implied this could be caused by cybercriminals from Ukraine refusing to cooperate any longer with ransomware groups such as Conti, which declared for Russia at the beginning of its invasion on February 24.

But Callow disagrees that bosses at hijacked companies will be swayed by the negative publicity ramifications of paying ransoms to Russian-affiliated groups.

“The decision about whether or not to pay a ransom demand is typically made on the basis of a cost-benefit analysis,” he said. “While the PR aspect of being seen to be funneling money to Russia-based gangs would likely be factored into the decision-making process, I’m not sure it would be likely to affect the outcome in too many cases.”

But he added that “insurance implications” might sway ransomware victims, suggesting that paying out money to threat actors known to be siding with Russia in its invasion of Ukraine might blow back on such companies further down the line.

Known bad actor

There is strong evidence linking Russia to the bulk of ransomware attacks. Chainalysis recently released a report that found three-quarters of the known global ransom haul for last year flowed to the now-isolated country – a staggering $400 million.

Threat actors based in Russia have traditionally benefited from the Kremlin turning a blind eye to their activities, so long as they do not target installations based in the Federation. The high-profile bust of ransomware group REvil by Russian authorities earlier this year appears to have been a blip, one that now appears inexplicable in light of subsequent developments in Ukraine and on the wider world stage.

More from Cybernews:

In most cases, paying the ransom is the obvious way out, say experts

Romanian gas giant hacked and held to ransom

Russian ransom gang’s data leaked

US seizes $6 million in ransom payments to REvil, to charge Ukrainian over cyberattack

Ransomware of 2020: cooperative adversaries and fatal damage

Subscribe to our newsletter