Cybersecurity experts have watched closely as two trends in cyber interference have steadily grown in popularity: ransomware and hacktivism. Up to this point, they have remained relatively separate. That is, hacktivists have used encryption and illegal data exfiltration, but they have not yet deployed ransomware for political ends. However, it is not unreasonable to expect a convergence of the two in the near future.
Ransomware attacks have continually targeted vulnerable systems, including critical infrastructure, for the purpose of financial gain and—more recently—espionage. But it is increasingly likely that attacks will take place with ulterior motives, conducted by political activists, militants, or nation-states. In this way, ransomware and encryption technologies have the potential to reach new levels of destruction and chaos, which may prove detrimental to critical infrastructure and democratic structures.
The Evolution of Ransomware and Hacktivism
Ransomware, while not a new tactic, has become the modus operandi for financial gain among hacking groups. This is fundamentally linked to the creation of digital, decentralized currencies such as Bitcoin in the early 2010s. Cryptocurrencies can facilitate anonymous, covert payment collection—the perfect system to manage a steady cash flow of ransom payments. With little fear of detection or backlash, hacking gangs have had a field day. Headlines read, “The Booming Business of Ransomware” and “It’s Like Ebay,” as more and more hacking groups assemble to cash in on the trend and convenience of ransomware encryption. Reports suggest that financially motivated attacks increased by 148 percent during the pandemic, and as the business of ransomware has grown, so have the tactics of extortion. Data leaks and sophisticated forms of encryption are now deployed to force victims to pay their ransoms out of fear of losing their data or networks. It is expected that the number of ransomware attacks will continue to grow as more malign actors join the market and develop new techniques to refine their tools of extortion.
Simultaneously, activist groups have begun turning to forms of digital interference and hacking to promote their ideological agenda. Hacktivism, as it has come to be known, is a steadily growing tactic of civil disobedience. Hacktivism refers to cyber attacks that are not financially motivated but are conducted to make a political statement. This year, a group known as Adalat Ali targeted Evin Prison in Tehran to expose the large-scale abuse and hardship endured by the political prisoners held there. The group breached the prison’s network and released numerous CCTV videos to the press. The results of this attack were substantial, and Iranian officials have begun conducting investigations into the abuses exposed by Adalat Ali. While Adalat Ali did not use ransomware or seek financial gain for its actions, the group did use similar intrusion techniques to exfiltrate Evin’s data and leak it to the public. This reveals the extent to which hacking groups can disrupt critical infrastructure when politically motivated, and the disruption will only worsen when ransomware replaces simple hack-and-leak operations.
Early Signs of Ulterior Motives and Tactics in Ransomware
Since last year, Iranian-backed hacking groups have been infiltrating U.S. and Australian critical infrastructure for the purposes of “exfiltration or encryption, ransomware, and extortion,” according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) issued earlier this month.
These attacks highlight important developments in the world of ransomware. Until this year, ransomware was employed primarily by Russian-linked criminal groups. Now, as the technology has matured and become a mainstream tool for exploitation, hacking groups in Iran have begun to wield ransomware as a tool for malicious activity. These Iranian hacking groups did not deploy encryption for financial gain. They sought instead to establish a covert base of operations in the network, which could be used for further espionage and extortion.
Additionally, these groups have been known to hack high-profile public figures and companies for the purposes of espionage and information extraction, so it is reasonable to assume that ransomware can and will be similarly deployed to achieve these ends.
Ransomware with Political Motives
Financially motivated malign actors tend to search for network vulnerabilities that garner the greatest profit, but recent attacks illustrate that their motivations are evolving. Ransomware has been deployed against hospitals, schools, police stations, and other elements of critical infrastructure, totaling at least 2,354 attacks in 2020, a figure that does not include unreported attacks. Attacks of this kind are conducted because the victims have sensitive data that they want to protect; therefore, they are likely to pay large ransoms in exchange for the retrieval of their data and access to their networks. However, some attacks on critical infrastructure, such as those on the Colonial Pipeline or the Sinclair Broadcast Group, appear to be motivated in part by an impetus for chaos and disarray, not simply the greatest financial profit—despite the hackers’ claims to the contrary. The effects of these attacks reached far beyond financial losses, as they disrupted society on a large scale by limiting access to gasoline and shutting down TV stations. State and local governments have also been targeted by ransomware. While these attacks are still financially motivated, they indicate that malign actors are increasingly shifting their focus toward political targets and away from those that elicit the greatest profit. So, when will the primary motivation become destruction, with profit secondary?
What if, instead of demanding a financial ransom to decrypt a firm’s data, a criminal group demands a public statement, the firing of an executive, or the release of a prisoner? Ransomware, encryption, and exfiltration tooling can become instruments of political blackmail. Such attacks could be conducted at particularly vulnerable moments, such as right before an election or as a company plans to go public. Further, it is increasingly possible for nation-states to adopt such tactics as offensive strategies against their rivals, exploiting known vulnerabilities and points of contention.
Until now, we have not seen specific sectors targeted by ransomware for the purpose of political upheaval, but the landscape is rapidly changing. In perhaps the most overt example of politically motivated ransomware, an anti-Zionist hacking group known as MosesStaff encrypted the data of targeted Israeli companies but sought no ransom. Check Point Research, which has been monitoring MosesStaff, wrote, “When we add the fact that MosesStaff didn’t negotiate for money, we can assume that this malware strain isn’t ransomware, but an attempt to cause irreversible damage for Israelis organizations.”
MosesStaff, unlike other anti-Zionist hacking gangs such as Pay2Key and Black Shadow, is upfront about its motivations and ideology. The group makes no effort to hide its actions, and its encryption is less than sophisticated. It is purely interested in making a point and getting credit for the chaos. The ransomware encryption it deployed against Israeli companies was used “solely for destruction purposes,” according to the Check Point Research report.
The technological capabilities already exist for politically motivated ransomware to succeed, and many companies, governments, and other entities are vulnerable to this type of attack. While the primary incentive for such attacks remains financial gain, it is possible that hacktivist groups and nation-states will begin to target their opponents with the same intrusion and encryption software used by ransomware criminals, not unlike the scenarios of science fiction and techno-paranoia media.
While this technology is still new and developing, it is important to begin thinking about the implications of ransomware and encryption technologies for the future of state security and cyberwarfare. How far can such attacks be taken? And how can these risks be mitigated? The most obvious answer is for firms to ensure that their systems are updated, that they are following CISA’s recommendations, and that they are transparent with the public and media when they become victims of an attack. While attacks of this nature are not entirely preventable, their potency can be greatly reduced through appropriate anticipation and mitigation efforts.