Well-known hacker groups that extort money from global companies by encrypting their computers do not work in the .ru zone, Ashot Hovhannisyan, an expert on data breaches, told Izvestia. These are hackers who attack large industrial enterprises, which then spend millions of dollars to remove the lock. There are also organizations in Russia that could theoretically pay a serious ransom, but they are not attacked. Experts explain this by the fact that virus writers mainly live in Russia, Ukraine and Belarus. They have therefore not only agreed not to touch the .ru zone, but have also automated the rule in their code: if the program determines that the target it is about to encrypt is in the .ru zone, the encryptor will not start.

Without breaking convention

Although ordinary Russian users and small businesses are often hit by ransomware viruses (usually they encrypt 1C accounting data), domestic giants that could pay a ransom of millions of dollars are not attacked in this way, Ashot Hovhannisyan, founder of the DLBI leak intelligence and monitoring service, told Izvestia.

– All this ransomware fundamentally does not work in Russia, – said the expert. – Those who write and distribute virus code have such an agreement. No one will cooperate with a person who violates it. Moreover, his own people will de-anonymize him. There is such an expression, “to work with ru”; it is completely forbidden.

According to Ashot Hovhannisyan, this agreement arose because many virus writers live in Russia, Ukraine and Belarus.

– That is, if they are found, representatives of the security services of the hacked companies may come to them, – noted Ashot Hovhannisyan. – And if they come, then perhaps the hackers will betray their accomplices. There are complex chains of reasoning, but as a result they led to a categorical ban on working in the .ru zone. Moreover, it is automated. If the code determines that it is encrypting a company located in the CIS, it simply does not start.

This is confirmed by specialists from Group-IB, one of the leading developers of solutions for detecting and preventing cyber attacks.

– Often the code checks the operating system language, and if it does not match one on the forbidden list, the encryption process begins, – Oleg Skulkin, a leading specialist of the Group-IB Computer Forensics Laboratory, told Izvestia. – For example, the Maze ransomware uses the GetUserDefaultUILanguage function to get information about the system language. This data is later compared with a set of languages from the built-in list. If it matches one of them, the encryption process does not start.
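The value GetUserDefaultUILanguage returns is a 16-bit Windows LANGID, and an analyst reviewing such a sample usually meets it as a raw constant in a comparison. The following is an added example, not code from the article, Group-IB or the Maze sample: a small helper that decodes a LANGID into its primary language and sublanguage fields and reports whether it falls on an exclusion list. The exclusion list is an assumption covering only the three languages the article names; the article does not publish the list built into the malware.

```python
# Added example (not from the article): decode Windows LANGID values as returned
# by GetUserDefaultUILanguage and check them against a language exclusion list.

# LANGID layout (winnt.h): low 10 bits = primary language, high 6 bits = sublanguage.
PRIMARY_MASK = 0x3FF
SUBLANG_SHIFT = 10

# Primary language identifiers from winnt.h for the languages named in the article.
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_ENGLISH = 0x09

PRIMARY_NAMES = {
    LANG_RUSSIAN: "Russian",
    LANG_UKRAINIAN: "Ukrainian",
    LANG_BELARUSIAN: "Belarusian",
    LANG_ENGLISH: "English",
}

# Assumption for illustration only: the article does not publish the real list.
ASSUMED_EXCLUDED_PRIMARIES = frozenset({LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN})


def split_langid(langid: int) -> tuple:
    """Return (primary_language, sublanguage) for a 16-bit LANGID."""
    if not 0 <= langid <= 0xFFFF:
        raise ValueError(f"not a 16-bit LANGID: {langid!r}")
    return langid & PRIMARY_MASK, langid >> SUBLANG_SHIFT


def describe_langid(langid: int) -> str:
    """Human-readable form of a LANGID, e.g. for annotating a disassembly constant."""
    primary, sub = split_langid(langid)
    name = PRIMARY_NAMES.get(primary, f"primary 0x{primary:02x}")
    return f"0x{langid:04x}: {name}, sublang {sub}"


def matches_exclusion_list(langid: int, excluded=ASSUMED_EXCLUDED_PRIMARIES) -> bool:
    """True if the LANGID's primary language is on the exclusion list.

    Matching on the primary field means regional variants (a different
    sublanguage, such as 0x0819 for Russian as used in Moldova) match as well,
    not only the default 0x0419 constant.
    """
    primary, _ = split_langid(langid)
    return primary in excluded


# Constructed sample of LANGID constants, as an analyst might collect them from a binary.
CONSTRUCTED_SAMPLE = [0x0409, 0x0419, 0x0819, 0x0422, 0x0423]


def triage(langids=CONSTRUCTED_SAMPLE) -> list:
    """Pair each LANGID's description with whether it is on the exclusion list."""
    return [(describe_langid(lid), matches_exclusion_list(lid)) for lid in langids]
```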

Food chains

According to Oleg Skulkin, the communities whose activity results in the encryption of information on the computers of users or companies include different specialists.

Usually the ransomware developers themselves do not carry out the attacks, the expert said. They often create so-called affiliate programs, whose members receive the malware and the decryption software and then plan an attack on a particular organization. At the same time, these members can buy access to companies’ networks from third parties, and also hire people to carry out the attack itself.

Also, according to Oleg Skulkin, especially large players can have people “on the staff” of the hacker community who study the business of target companies, their annual income and so on, which allows them to issue the most acceptable “invoice”.

The most active ransomware communities are Maze, REvil, NetWalker, LockBit, DoppelPaymer, WastedLocker, Ryuk, the expert said.

According to Ashot Hovhannisyan, the people who send out ransomware viruses most likely understand nothing about how they work.

– Some write code, others hack and sell, as a rule, remote access (Citrix, Microsoft RDP), and still others send it out. These are usually not quite “schoolchildren”, but not specialists either. Such people simply combine the purchased vulnerability and the code from the locker (a hacker who writes a program that blocks information – Izvestia), – the expert believes.

Blackmail squared

Recently, according to Ashot Hovhannisyan, ransomware operators have increasingly begun to use another method of blackmail. They not only block information on the company’s computers, thereby stopping all work, but also threaten to make this information public.

– Now ransomware not only encrypts, but also leaks data to their server. Let’s say the firm refuses to pay. Then all the data is dumped into the public domain. There are accounting records, employee data, and credit card details. And this is already a leak, for which companies must answer both to regulators and to customers, – the expert explained.

According to Yuri Namestnikov, head of the Russian research center at Kaspersky Lab, there is still ransomware that encrypts Russian companies; it just usually does not receive wide publicity. The specialist is also sure that large Russian enterprises pay great attention to cybersecurity, so their installed security solutions often successfully detect and block ransomware attacks.

However, the expert confirmed that there are several groups of Russian-speaking hackers who do not work in the .ru zone. Yuri Namestnikov named TA505, REvil/Sodinokibi, Maze and RagnarLocker.

On the other hand, Yuri Namestnikov also recalled other well-known encryptors in the world that are not Russian-speaking, for example the Korean group Lazarus with its VHD encryptor.