Assessing the Political Motivations Behind Ransomware Attacks

In recent years, ransomware (a type of cybercrime) has received growing attention as a source of risk to the private sector. Although ransomware attacks have traditionally been viewed as apolitical, recent developments suggest there may be a connection between some groups behind these attacks and the Russian government. In this paper, we test whether the behavior of Russia-based ransomware groups is consistent with Russian political goals by comparing the victims of Russia-based groups to those of groups based outside of Russia. To enable this research, we collected a dataset of over 4,000 victims of ransomware attacks located across 102 countries between May 2019 and May 2022 based on information posted to the dark web. Using this data, we find an increase in the average number of attacks by Russia-based groups in the months before an election across six democratic countries, with no similar increase in attacks by groups based outside of Russia. We also analyze leaked chat logs from a major Russia-based ransomware group; based on our analysis, we argue that the Russian government maintains loose ties with ransomware groups in Russia: groups operate as independent criminal organizations but will occasionally perform favors for the government. In exchange, the government provides these groups with safe harbor from prosecution and gains plausible deniability from groups' actions on the world stage. Thus, this paper provides the first evidence of macro-level connections between Russia-based ransomware groups and the Russian government and suggests the need for more analysis of international security threats emerging from cybercrime.