Unmasking the Geopolitical Underpinnings of Ransomware Attacks: A Review


While financial gain is often a primary driver of cyberattacks, recent research suggests that geopolitical factors may also play a significant role, particularly in the case of ransomware. This review summarizes the key findings of a study by Karen Nershi and Shelby Grossman, titled “Assessing the Political Motivations Behind Ransomware Attacks,” which examines the potential political motivations behind ransomware attacks, with a particular focus on those originating from Russia.


In their study published on July 14, 2023, Nershi and Grossman delve into the potential political motivations behind ransomware attacks. They argue that there may be connections between some ransomware groups and the Russian government, suggesting that ransomware attacks may serve as an international security threat in addition to being a form of crime.

The authors created a dataset of 4,194 ransomware victims posted to the dark web between May 2019 and May 2022. They found that Russia-based ransomware groups increased attacks before elections in several major democracies, suggesting potential political motivations behind these attacks. Companies that curtailed operations in Russia after the invasion of Ukraine were more likely to be targeted, further indicating potential political motivations.

The authors also analyzed leaked internal communications from a major ransomware group, Conti, which showed ties to the Kremlin. They argue that the Russian government maintains an informal cooperative relationship with such groups: it provides safe harbor from prosecution and, in return, receives plausible deniability for attacks and access to skilled cyber actors.

From a cyber threat intelligence (CTI) perspective, this study provides valuable insights into the potential political motivations behind ransomware attacks. It suggests that some ransomware groups may be acting in alignment with the interests of the Russian government, potentially as part of a broader strategy of political disruption and influence. This underscores the importance of considering geopolitical factors when assessing the ransomware threat landscape.

The data used in this study spans from May 2019 to May 2022. It’s important to note that the threat landscape is dynamic and constantly evolving, so while this analysis provides a snapshot of the situation during this period, it may not fully represent the current state of affairs. It’s crucial to continue monitoring and analyzing new data to stay abreast of the latest developments in the threat landscape.

Further Reading

  • “Assessing the Political Motivations Behind Ransomware Attacks” by Karen Nershi and Shelby Grossman