
Last year ransomware was one of the biggest cybersecurity threats on the web, hitting targets including hospitals, schools and government departments. Once a victim is infected, usually via a phishing scam, their data is locked down until a ransom in Bitcoin is paid to the attacker.

Now, in 2017, some interesting statistics have been released by Kaspersky Lab, a Moscow-based cybersecurity firm, which indicate the majority of new ransomware strains produced over the past 12 months emerged from the Russian-speaking criminal underground.

"Out of the 62 crypto-ransomware families discovered by [Kaspersky] researchers in the past year, 47 of them were developed by Russian-speaking cybercriminals, that's a whopping 75%," said Anton Ivanov, a senior malware analyst at the firm.

In a blog post released this week (14 February), he added: "What makes that figure even more staggering is that these ransomware families according to Kaspersky Lab telemetry attacked more than 1.4 million people around the globe in 2016."

It's clear the problem is widespread, and remains difficult to quantify with complete certainty. According to Ivanov, the company's conclusions were reached by researching underground forums, command and control servers, and other "artefacts" found on the web.

Why does so much ransomware come from Russia?

Kaspersky Lab, as explained in a more in-depth paper titled "A look into the Russian-speaking ransomware ecosystem", said this may be due to resources, patience and experience.

"There are a lot of well-educated and skilled code writers in Russia and its neighbouring countries," Ivanov noted. "Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes."

The researcher explained the spike last year was likely the natural evolution of a previous wave of ransomware strains that emerged between 2009 and 2011, when thousands of web users in Russia started to get infected with malware that locked down their browsers.

Ivanov explained that epidemic didn't last long due to a swift law enforcement crackdown and the cybersecurity industry investing a lot of resources into providing unlocking services and technology (much in the same way the No More Ransom campaign is now doing).

"But it seems that experienced ransomware criminals haven't disappeared, they've just been waiting for a new monetisation model," he warned. "This time though, the ransomware problem is not specifically Russian, but global."

Does crime pay?

According to Kaspersky Lab, there are three typical levels of involvement when it comes to the ransomware "business", which has become a profitable underground industry in recent years, often relying on the use of the so-called Dark Web to stay hidden.

There are those who create the ransomware, those who become a partner in a ransomware affiliate programme and those who actually own an affiliate programme. The first is the most difficult to get away with, and therefore the least prevalent, due to the level of coding ability needed.

Affiliate programmes work by the owners of the scheme providing paying partners with all the necessary ransomware tools to operate, and then the partners work on distributing the malware. The more successful their efforts, the more money they receive, Ivanov said.

The main advice from Kaspersky is simple: Do not pay the ransom. "If you [pay up] money will be pumped into the malicious ecosystem, which is already flooded with funds," it stated. "The more money criminals get, the more sophisticated tools they get access to, giving them access to much broader attack opportunities."