Double Trouble: Ransomware & Hacktivism Collaboration, Fact or Fiction?

Written by Anastasia Sentsova

The Notable Shift: From Hacktivist to Hacktivist-like Groups

With the emergence of hacktivist groups, questions have arisen regarding their intentions and capabilities. Historically, hacktivist groups were often considered relatively harmless, typically engaging in low-level attacks such as defacing websites, with their activities generally rooted in a pursuit of social justice. However, the dynamics have shifted significantly since the invasion of Ukraine in February 2022, revealing the presence of a new type of hacktivist-like group, many of which are pro-Russia.

At Analyst1, we define this hacktivist-like threat as follows:

Hacktivist-like groups are characterized by their high level of coordination, large membership, and activities closely aligned with state interests. The probability of government influence (direct or indirect) or support is high, as these groups often pursue specific political or ideological agendas, reflecting a more strategic and state-oriented approach to cyber operations. Given the substantial resources and support these groups receive, including significant technical and informational backing, they should be considered a high-level threat.

One of the earliest and most notorious groups is KillNet, operating since approximately late 2021. Although the extent of government involvement is unclear, KillNet’s activities closely align with the Russian state’s geopolitical agenda. Like other groups that emerged around the same time, KillNet initially focused on supporting Russia across various fronts, primarily through Distributed Denial of Service (DDoS) attacks and large-scale influence operations aimed at spreading propaganda. In addition to these activities, and aligned with typical hacktivist behavior, KillNet has been soliciting donations. In our previous research on KillNet, we examined their use of Toncoin cryptocurrency, the native coin of the Telegram messenger, where the group conducts most of its activities.

KillNet / Toncoin Research: https://analyst1.com/toncoin-and-its-use-in-cybercrime-killnet/

Although KillNet as a brand is still present in the hacktivist scene, it no longer operates at the scale it once did. It has become more of a small Telegram forum and information outlet, primarily engaging in influence operations and promoting illicit activity. For instance, on June 17, 2024, KillNet forwarded a message from Deanon ClubV7, a channel known for selling drugs across DarkNet Markets (DNM); the message advertised a position as a cryptocurrency exchanger. Part of the message reads: “My team is looking for a person who will be responsible for the exchange of funds. The funds are not mine personally; there will be a special set of rules that must be followed in order to start working with us. At the moment, there are more than $4,000,000 in different cryptocurrencies, from ETH to meme coins. All funds are as black as possible; most of them are coming from ransomware.”

At first glance, the involvement of actors associated with various types of cybercrime – such as hacktivism, Darknet Marketplaces (DNMs), and ransomware – may seem confusing. However, this particular example illustrates the nature of Russian cybercrime, which is highly interconnected. The phenomenon can be attributed to several factors.

Firstly, the characteristics of the individuals involved and the communities they form play a crucial role. Over the years, these communities have had a cultural trait linked to a collectivist mindset, fostering close collaboration and strong relationships among their members. Additionally, the current political climate in Russia has reinforced these bonds. The pressure from the government and the ideological influence on the population have contributed to a more unified and resilient cybercrime network. As a result, the collaboration between various cybercriminal elements is not just a matter of opportunism but also a reflection of a broader, systemic alignment influenced by political and social factors.

Over the years, the intensity of hacktivist-like activities has increased, with attacks evolving to include breaches of entities and ransomware. Whether hacktivist-like groups and ransomware groups are linked has long been a topic of suspicion. Establishing a definitive link requires multiple corroborating data points, but several factors suggest such an alliance is possible. In the following sections, we explore some examples and assess the likelihood of this collaboration.

The Saga Continues: Increasing Offensive Operations and Introduction of Ransomware

Over time, there has been a noticeable evolution in the tactics employed by these hacktivist-like groups. Many have advanced their offensive capabilities, moving beyond simple disruptions involving DDoS attacks to include more sophisticated operations. This evolution has introduced new types of attacks, such as breaching networks and encrypting systems. This shift indicates not only an increase in technical capabilities but also a potentially deeper integration with state-sponsored objectives, raising concerns about the broader implications of their activities in the context of international cyber warfare.

A notable case was revealed on July 19, 2024, when two members of the Cyber Army of Russia (CAR), a hacktivist-like group based in Russia, were sanctioned. Yuliya Vladimirovna Pankratova was identified as the spokesperson responsible for commanding and controlling the group’s operations. At the same time, Denis Olegovich Degtyarenko was recognized as the primary hacker responsible for multiple compromises, including the SCADA system of a U.S. energy company.

Our observation of their activities, beginning around March 2022, revealed characteristics typical of hacktivist-like operations. These include a high level of coordination and a quick response to ongoing political and military events. The group has formed alliances involving the so-called Holy League and announced joint operations with other entities to create the impression of a more significant threat and to apply more pressure on their targets. As confirmed by law enforcement in the sanctions announcement, the presence of distinct roles among the actors and the separation of responsibilities fit the profile of a hacktivist-like group.

The intensity of their attacks has increased over time, supported by strong informational campaigns. Initially focused on DDoS attacks, their arsenal has quickly expanded to include breaching entities, stealing data, and causing physical damage. For example, in January 2024, the Cyber Army of Russia claimed responsibility for overflowing water storage tanks in Abernathy and Muleshoe, Texas. They posted videos of manipulating human-machine interfaces at each facility on a public forum, resulting in the loss of tens of thousands of gallons of water and other physical damage.

On April 23, 2024, the group commented on the attack by sharing a YouTube video of an interview with a speaker discussing the attack. In their response, to maintain their carefully crafted image of a powerful Russian hacktivist group, actors stated: “This is another way to poke in the face of those who consider our team weak, while they themselves are selling gold and giving useless interviews.”

Another example involved the recent Olympic Games. The Cyber Army of Russia continued its destructive activities by combining informational campaigns with cyberattacks; one such attack targeted a sponsor of the Olympic Games. Given the current international stance towards Russia and the ban on its athletes, the Olympics drew increased attention from Russia. This focus aimed to rehabilitate the country’s image among its citizens, a strategy reflected in the media. Hacktivist-like groups that align with this broader agenda serve as additional tools in this effort, supporting the overall strategy with their activities.

In response to the sanctions announcement against its two members, the group reacted in a typical manner, using satire and humor, and reshared a message from another pro-Russia Telegram channel. The message wished law enforcement good luck in their search. It included a banner that read “WANTED: Especially Dangerous Patriots of the Russian Federation.” Ironically, the poster contained a spelling mistake, with “Russian” misspelled as “Росийсской” instead of “Российской.” Perhaps the group should have invested more resources into proofreading to better align with their supposed responsibility as Russian patriots. Indeed, it was a memorable and ironic mistake.

The involvement of ransomware in the activities of hacktivist-like groups has long been suspected. It remains unclear whether Degtyarenko, responsible for hacking, has ever participated in ransomware activities or been part of any known ransomware groups. However, there are claims of ransomware attacks associated with groups involved in the Holy League, of which the Cyber Army of Russia is a part. These claims should be approached with a high degree of skepticism until the attacks are officially confirmed.

For example, on July 29, 2024, the group announced an attack against an Israeli entity. According to the message, “The hacking operation took place a few weeks ago and the hacking was recorded at that time, and today we leak the entire databases of the Israeli company, noting that we distorted the home page of the site and leaked their systems and databases and then Delete backups and encrypt the entire system.”

Interestingly, we have also observed the opposite trend, with some ransomware groups evolving into hacktivist-like entities. For example, two groups, Snatch and Stormous, which we recently analyzed, have continued to operate under their established ransomware brands while incorporating more hacktivist-like operations into their activities. Our research into potential collaboration between RansomHouse and/or Dark Angels and Snatch and Stormous, based on an analysis of crossclaims*, suggests that they are engaging in hybrid ransomware/hacktivist-like activities.

*Crossclaims occur when the same victim is claimed multiple times by different ransomware groups on their Data Leak Sites (DLS).
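As an added illustration of the crossclaim analysis described above (example code written for this page, not Analyst1's own tooling), the script below normalizes victim names as posted on different DLSs, finds victims claimed by more than one group, measures the lag between postings, and tallies how often each pair of groups overlaps. The claim records are constructed and the victim names are fictional; only the group names come from the article.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations
import re

# Constructed sample DLS claims: (group, victim name as posted, ISO date).
# Group names come from the article; the victims are fictional placeholders.
CLAIMS = [
    ("RansomHouse", "Acme Widgets Inc.", "2024-03-02"),
    ("Snatch", "ACME WIDGETS", "2024-04-15"),
    ("Dark Angels", "Globex Corp", "2024-01-20"),
    ("Stormous", "Globex Corporation", "2024-05-11"),
    ("RansomHouse", "Initech LLC", "2024-02-09"),
    ("Stormous", "initech", "2024-06-01"),
    ("Snatch", "Umbrella Holdings", "2024-05-30"),  # claimed once: no crossclaim
]

_SUFFIXES = {"inc", "llc", "corp", "corporation", "ltd", "co", "holdings"}

def normalize_victim(name):
    """Lower-case, drop punctuation and common corporate suffixes so that
    'Acme Widgets Inc.' and 'ACME WIDGETS' map to the same key."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)

def find_crossclaims(claims):
    """Victims claimed by more than one group -> sorted list of (date, group)."""
    by_victim = defaultdict(list)
    for group, victim, posted in claims:
        by_victim[normalize_victim(victim)].append((posted, group))
    return {v: sorted(c) for v, c in by_victim.items()
            if len({g for _, g in c}) > 1}

def reposting_lag_days(entries):
    """Days between first and last claim of one victim; a long lag is
    consistent with old stolen data being re-advertised as a new attack."""
    first, last = entries[0][0], entries[-1][0]
    return (date.fromisoformat(last) - date.fromisoformat(first)).days

def group_pair_overlap(crossclaims):
    """How many victims each pair of groups has crossclaimed; repeated
    pairings are the signal used to suspect data sharing between groups."""
    pairs = defaultdict(int)
    for entries in crossclaims.values():
        for a, b in combinations(sorted({g for _, g in entries}), 2):
            pairs[(a, b)] += 1
    return dict(pairs)

if __name__ == "__main__":
    xc = find_crossclaims(CLAIMS)
    print(xc, group_pair_overlap(xc))
```

A single crossclaim can be a coincidence or a copied claim; the pair tally only becomes meaningful when the same pairing recurs across many victims and is corroborated by other indicators, as the analysis above notes.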

Geopolitical alignment analysis indicates that RansomHouse, Snatch, and Stormous are likely aligned with Russia. This conclusion is supported by infrastructure analysis revealing connections to servers based in Russia, among other indicators. Additionally, major pro-Russian media channels exhibit strong support for these groups, reinforcing their narratives in a way that aligns with the broader agenda of the Russian state.

The cooperation between these groups represents a blend of ransomware and influence operations disguised as hacktivism. This includes extensive data sharing among the groups, where Dark Angels and RansomHouse primarily function as ransomware operators, while Snatch and Stormous adopt hacktivist tactics. Previously stolen data is reused in extortion attempts, creating misleading impressions of new attacks. The influence operations also work at a personal level, pushing pro-Palestine and pro-Russia sentiments, focusing on U.S. and European entities and the individuals associated with them, particularly government officials.

Read the complete analysis here: https://analyst1.com/ransomhouse-stolen-data-market-influence-operations-amp-other-tricks-up-the-sleeve/

Ransomware & Hacktivism Collaboration: Yes or No?

When evaluating the potential involvement of ransomware in hacktivist activities, it is important to assess the reality of those engaging in these activities, along with the broader political landscape both within Russia and in its geopolitical context. This assessment must recognize that ransomware and hacktivism are not isolated phenomena but are part of a larger, interconnected framework shaped by political and social influences.

In the current era of modern warfare, which blends physical and digital fronts and has evolved significantly since Russia invaded Ukraine in February 2022, understanding the relationship between cybercriminals and the state is crucial. Amid ongoing military conflicts and efforts to strengthen its physical and digital position, Russia has integrated cyber activities into its strategic approach. The growing overlap between ransomware and hacktivist-like activities, with visible state influence (direct or indirect), is a clear indicator of this strategic shift.

From the cybercriminals’ perspective, there is a strong inclination to support their country, contributing to a digital army of “invisible soldiers.” This aligns with extensive propaganda promoting national defense, a narrative deeply rooted in Russian history since World War II. The portrayal of every citizen as responsible for defending the nation aids in mobilizing digital operatives, with some joining willingly and others likely coerced under significant pressure.

We observe a clear trend of increased prosecution of cybercriminals within Russia who conduct attacks against Russian entities, while those defending national interests are rewarded with favorable positions. A notable example is the historic international prisoner exchange on August 1, 2024. In this exchange, Russia secured the release of 16 individuals, including two prominent cybercriminals, Roman Seleznev and Vladislav Klyushin, who were released from Western custody. This exchange, which primarily involved spies convicted of espionage, highlights a new reality where cybercriminals with demonstrated offensive capabilities are elevated alongside traditional spies within Russia. Their return publicly endorses and validates their actions, signaling a broader acceptance of cybercriminals as crucial players in national security.

This mobilization of digital soldiers is a strategic move and a natural extension of Russia’s current geopolitical agenda. As physical battles escalate, there is a corresponding increase in offensive cyber operations designed to apply pressure on perceived adversaries. The rise in cyberattacks mirrors the intensification of physical confrontations, with digital warfare becoming one of the key components of Russia’s overall strategy.

Although the relationship between the state and cybercriminals, including those involved in ransomware and hacktivism, remains unclear, the high level of government control over citizens’ lives, limited democratic freedoms, and increased prosecution within Russia suggest that significant areas like ransomware and hacktivism would not be overlooked. The strategic use of ransomware and hacktivism-like groups becomes crucial for the state to exert influence, gather intelligence, and pressure adversaries. The government’s involvement in these areas is likely not just a passive observation but an active influence on cyber operations to align with broader geopolitical objectives.

Moreover, controlling and directing these cyber activities is logical and tactical to prevent rogue actions that could inadvertently escalate into more significant conflicts. In an environment where state control is paramount, ransomware and hacktivism-like actors are meticulously managed to align with national interests and avoid unintended consequences. Regarding whether ransomware and hacktivism are merging, the answer is likely yes, given the current political and social landscape. Analyst1 continues to monitor ransomware and hacktivist-like actors’ activity.
