
      State Crime Journal is published by Pluto Journals, an Open Access publisher. This means that everyone has free and unlimited access to the full-text of all articles from our international collection of social science journals. Furthermore, Pluto Journals authors don’t pay article processing charges (APCs).


      Ransomware through the lens of state crime: Conceptualizing ransomware groups as cyber proxies, pirates, and privateers


            Abstract

            Cybercrime and other cybersecurity harms are gaining increasing political and public attention across many countries. One of the most serious and fastest growing categories of such harms relates to ransomware attacks. Many of the groups responsible for ransomware attacks have come under political pressure in recent years as they have become more aggressive in their methods and targeting. On a geopolitical level, an area attracting increasing interest is the complex relationships between ransomware groups and states, in particular, Russia. This paper introduces the concept of state crime to ransomware groups. Starting with the concept of proxies before turning to the historical examples of privateering and piracy, we focus on the notion of “cyber privateers” to analyze two select ransomware groups—DarkSide and REvil—that are believed to be affiliated with the Russian state. We argue that approaching these ransomware groups as cyber privateers engaged in state crime has the potential to enhance our understanding of how these groups operate. We further posit that a state crime perspective also assists in identifying how ransomware may be countered, highlighting the need for policy responses that are effective even when ransomware groups may be tacitly protected by a state.

            Main article text

            Introduction

            The role and behaviour of states has been rapidly evolving in the field of cybersecurity, as states have assumed much greater roles in promoting cybersecurity among their citizens as well as corporate and other entities within their borders. At the same time, many states are calling attention to other states as potential threats to cybersecurity. For example, the 2021 Microsoft Exchange attacks involved a series of sophisticated data breaches which the United States (US), United Kingdom (UK), European Union (EU), the Northern Atlantic Treaty Organization (NATO) and several other countries attributed to a hacking group publicly alleged to have ties to China’s Ministry of State Security. This was the first time that multiple governments and international governmental organizations collectively sought to hold one state responsible for such behaviour (US White House 2021a), with other countries such as Australia also releasing their own statements expressing concern over China’s malicious cyber activity (Andrews and Dutton 2021). State (mis)behaviour has now become an overt topic in many cybersecurity strategies across the Global North. For example, the EU’s most recent cybersecurity strategy includes a statement on “advancing responsible state behaviour in cyberspace”, aligned to a larger ideal of a global, open, stable and secure internet where international law is respected (European Commission 2020: 20–21). From a criminological perspective, the question of state behaviour has been approached in a national security context, with areas of concern including potential attacks on critical infrastructure, theft of intellectual property, trade secrets and so on (e.g., Broadhurst et al. 2014; Grabosky 2015; Wall 2015). Much less considered has been the role of states in the context of other cybercrimes, particularly financially motivated crime, which reveal complex relationships between states and cyber criminals (Dupont and Whelan 2021; Maurer 2018). 
Nowhere is this complexity more apparent than in the area of ransomware.

            Ransomware is a form of malware (malicious software) designed to seek out vulnerabilities in computer networks and/or operating systems that allows the perpetrator to extract and/or encrypt data until a unique code (or “key”) is used to unlock that data or device. Ransomware attacks can take a variety of forms. The most common include requiring a ransom be paid in cryptocurrency before a key is provided to allow the victim to regain access to their data (e.g., Connolly and Wall 2019). More recent trends involve groups requesting a second ransom—what some call a “double extortion”—in exchange for destroying or at least not publicly disseminating data extracted during the attacks. Ransomware attacks have grown exponentially in number and sophistication in recent years, particularly alongside the pandemic. The UK National Cyber Strategy refers to ransomware as the most significant cyber threat facing the nation (HM Government 2022) while Europol’s European Cybercrime Centre has identified ransomware as its highest priority, referring to it as “the most dominant threat … within as well as outside of Europe” (Europol 2020: 25). A further concern that has risen to prominence in the last two years is the provision of Ransomware as a Service (RaaS)—groups that facilitate ransomware attacks by selling or licensing malicious code to less technologically sophisticated criminal actors via various forums on the dark web, as well as so-called “big game hunting” tactics, where highly sophisticated ransomware attacks target large corporations and demand increasingly large sums into the tens of millions of dollars. The rise of RaaS has created new opportunities for criminal groups to conduct ransomware attacks as well as made it more difficult to identify those responsible.

            Many—if not most—of the publicized ransomware attacks in recent years have been attributed to groups believed to be based in or closely proximate to Russia. These groups include Conti, DarkSide, Evil Corp, Hive, LockBit, and REvil, each of which has been linked to large-scale ransomware attacks that have resulted in substantial economic and social harms. Arguably the most well-known of these groups currently is Conti, which has been active since early 2020 and is responsible for a series of devastating attacks targeting healthcare providers in various countries—most notably the Health Service Executive of Ireland—during the pandemic. According to Chainalysis, Conti was the biggest ransomware strain by revenue in 2021, extorting at least USD 180 million that year (Chainalysis 2022). Following Russia’s invasion of Ukraine, Conti took the unusual step of publicly declaring its support for the “special operation”. Conti announced that it would deploy cyber-attacks against all adversaries of Russia in what was overtly a “patriotic” statement (Bing 2022). In response, one affiliate of the Conti group leaked tens of thousands of internal chat messages, indicating their support for Ukraine. While in Russian and full of technical jargon, these chat logs are currently the subject of much analysis by cybersecurity analysts (e.g., Checkpoint 2022; Figueroa et al. 2022; Forescout 2022; Krebs 2022). Interestingly, despite speculation following Conti’s declaration of support for Russia, the exact nature of Conti’s relationships with the Russian state remains unknown.

            Arguably next in terms of international notoriety are DarkSide and REvil, believed to be closely connected due to their similar attack vectors and ransomware code (DiMaggio 2022). DarkSide was most famously responsible for the 2021 Colonial Pipeline attacks, which caused widespread disruption to the supply of oil across the US East Coast and created a panic over fuel shortages, with US President Biden subsequently declaring a state of emergency in direct response to the attacks. Given the sheer scale of the attacks, the Federal Bureau of Investigation (FBI) intervened and helped facilitate the payment of a significant ransom, the majority of which they later recovered (Chainalysis 2022). President Biden was quick to publicly identify DarkSide as the group responsible, and to declare the Russian government also at least partially responsible for enabling the group to operate within its borders (US White House 2021b). The DarkSide attacks used a strain of ransomware very similar to that also used by REvil, a group believed to be responsible for at least 140 known attacks since April 2019 (Singleton and IBM Security 2021). Only one month after the Colonial Pipeline attacks, REvil conducted a high-profile ransomware attack against JBS Foods, a global meat processing company. These attacks led to concerns about potential food shortages in Australia and several other countries (Claughton and Beilharz 2021). REvil was paid a USD 11 million ransom and the attack led to an escalation in President Biden’s determination to address Russian ransomware groups (Miller and Tucker 2021). The JBS attacks also occurred within days of the widely publicized attacks against Kaseya, a US-based software-as-a-service company, that had significant impacts for over 1,500 companies across more than 20 countries (DiMaggio 2022).

            As a result of these attacks the US further escalated their response against REvil, including directing Cyber Command and other agencies to disrupt their activities and requesting the Russian state to intervene. In January 2022, 14 members of REvil were arrested in Russia following the arrest of two members in Romania and Ukraine (US Committee on Homeland Security 2022). The US Department of State (US DoS) continues to offer a USD 10 million reward for information leading to the identification or location of top members of the group (US DoS 2021a). DarkSide and REvil are more relevant than Conti for the purpose of this article for two key reasons: first, they have described themselves as exclusively financially interested groups whereas Conti has also declared patriotic motivations; second, the examples of the attacks against the Colonial Pipeline, Kaseya, and JBS Foods brought about key escalations in US responses to ransomware groups and Russia more generally that we engage with throughout the article.

            While much media and political attention has been placed on policy considerations in this field, including advice for preventing ransomware attacks, legislative debates regarding the reporting of ransomware attacks, and payment (or otherwise) of ransoms, our approach in this article is more a conceptual one. We focus in on the actors responsible for conducting and facilitating ransomware attacks and their relationship(s) with the state. We seek to analyze how the conceptual lens of “state crime” applies to select ransomware groups with reference to Maurer’s (2018) typology of “cyber proxies” and Egloff’s (2022) concept of “cyber privateers”. We do so limiting our focus to ransomware groups that are often associated with Russia. However, the arguments presented are likely to have relevance to other groups involved in cybercrime elsewhere, including in China, Iran, and North Korea, in addition to other types of cybercrime such as theft of intellectual property. We approach cyber proxies and cyber privateers as groups engaged in state crime, arguing that each concept holds considerable utility in accounting for the diverse relationships that ransomware groups are likely to have with the Russian state. Further, each of these concepts allows us to focus on the types of policy responses that better account for the complex relationships between ransomware groups and states, and which will therefore be more effective in mitigating the threat.

            The article proceeds as follows. First, we outline the concept of state crime, its applications to cybercrime and ransomware groups, and the concepts of cyber proxies and cyber privateers as groups engaged in state crime. We argue that the lens of state crime allows us to understand contemporary developments in cybercrime such as states utilizing proxy groups to further their own interests while also permitting such groups to engage in criminal activity within tacitly agreed parameters. Second, we turn our attention to cyber proxies and developments in the context of Russian affiliated ransomware groups such as those named above. We do so with a caveat at the outset in that we fully recognize there is limited empirical evidence in this field, with much of it classified, and a great deal of the reports produced by government agencies and cybersecurity analysts drawing associations between such groups and the Russian state are doing so on the basis of professional judgements amidst degrees of unavoidable uncertainty. We do not seek to enter this haze of uncertainty ourselves but rather maintain a theoretical and conceptual focus providing an introductory discussion of the applications of state crime to ransomware groups. We argue that the notion of cyber privateers holds particular utility when seeking to make sense of ransomware groups and their activities. We further argue that the activities of select ransomware groups, in this case specifically DarkSide and REvil, should be understood as a form of state crime, specifically cyber privateering, due to the de facto control of these groups by the Russian state. This reconceptualization has significant implications for how the problem of ransomware is framed and responded to. We conclude the article by reflecting on how responses to historical privateering offer some useful insights in informing contemporary policy responses to state-facilitated ransomware attacks. 
Lastly, we note that this article represents a modest beginning to these discussions, and hope that future researchers will further develop the concepts outlined herein to ransomware groups and their relationships with the state.

            From state crime to state cybercrime

            State crime has existed in criminological discourse for more than three decades. Chambliss defines state crime as “acts defined by law as criminal and committed by state officials in the pursuit of their job as representatives of the state” (Chambliss 1989: 184). This definition has since been expanded to include acts or omissions on the part of state organizations that constitute both a violation of human rights as well as organizational deviance in the pursuit of institutional goals (Green and Ward 2000). The broadening beyond a legalistic definition of state crime is necessary because states themselves are responsible for the creation of laws and are the final arbiters of what is deemed criminal or not. Non-legalistic definitions therefore allow us to identify instances of state crime even when such activity may not be in direct violation of the law of an offending state (Bassiouni 2011). In the absence of such definitional inclusivity many of history’s most egregious examples of state crime, such as the Holocaust, the Cultural Revolution, or the genocide of Native Americans or First Nations Australians, could not be defined as such because they were legal at the time in the jurisdictions in which they were committed (Williams 2010).

            While state crime encompasses a wide range of criminal activity, it has been most readily applied to acts of large-scale and systemic violence on the part of militaries, police, and state-affiliated militias against disempowered groups, as well as the mass misappropriation of public funds by ruling elites (Green and Ward 2016). Significant examples of these “core” types of state crime include apartheid repression in South Africa (Martin 2012; Chambliss 1989), the genocide of Armenians in Turkey (Green and Ward 2000), and colonial-era policing in the Congo Free State (Ward 2005). Also relevant to this discussion is the inclusion in definitions of state crime acts by state-linked proxy forces (Jamieson and McEvoy 2005; Chambliss 1989) and, through systemically negligent policing or other failures to enforce laws, the creation of conditions in which crime is certain to flourish (Green and Ward 2000; Williams 2010; Martin 2012). These latter inclusions are significant in that they demonstrate that state crime can be attached equally both to acts and failures to act, as well as to activities carried out by non-state proxy actors when they are undertaken at the behest of states.

            Over the past decade, researchers have increasingly acknowledged the role of states in the commission of cybercrime, though ransomware has not yet been examined from this perspective. The types of state cybercrimes that have recently attracted scholarly attention include mass surveillance (Watt 2021; Nyst 2018); military and industrial cyberespionage (Rowe 2020); attacks on critical infrastructure (Carl 2017; Holt and Kennedy 2019); and information operations and the proliferation of disinformation (Paterson and Hanley 2020; Blank 2017). The preponderance of research on this relatively narrow range of activities is explained by Grabosky, who claims that state cybercrime “tends to be motivated by the need to identify and to neutralize perceived national security threats, or to give one’s nation a strategic advantage” (Grabosky 2015: 11). This may be differentiated from the other types of cybercrimes committed by non-state actors which “tend to involve a wider variety of objectives, from financial gain, to sexual gratification, to political protest, to notoriety” (Grabosky 2015: 11).

            The fact that states are increasingly implicated in cybercrimes intended to protect their own national security and undermine that of rival states is unsurprising. States have, to a greater or lesser degree, consistently engaged in all of these activities—espionage, surveillance, propaganda, and clandestine attacks on rivals—throughout most of civilized history. Whether carried out through the exploitation of information and communications technologies (ICT) or via less technologically sophisticated means, spying on one’s citizens, stealing secrets from foreigners, and carrying out secret attacks on enemies are all well-established state behaviours that, while not universally welcomed or tolerated, are broadly consistent with international norms and the prerogatives of statecraft. The notion that states are simply engaging in more of these age-old practices online is consistent with Grabosky’s (2001) view of cybercrime as “old wine in new bottles”, which frames cybercrimes as simply digital iterations of earlier forms of crime (Grabosky 2001). From this perspective, states that commit cybercrimes are merely adapting to the emergence of cyberspace just as regular offenders are—by continuing pre-existing criminal behaviours through the use of new digital tools and networks. Of course, other scholars, notably Wall (2007), Yar (2013), and Holt (2013), have also offered their own respective definitions of cybercrime. These definitions make further, useful contributions such as delineating between cyber-enabled crimes in which ICT is a useful facilitator, and cyber-dependent crimes which are wholly dependent upon computers and associated networks (e.g., hacking, deploying malware).

            State cybercrime and cyber proxies

            Adding further credibility to Grabosky’s (2001) notion of cybercrime as “old wine in new bottles” is the fact that state cybercrimes are often undertaken either directly by state agencies (e.g., the US National Security Agency, China’s People’s Liberation Army) or by proxy actors—which we refer to as cyber proxies—whose links to the state are explicit and well understood (Maurer 2018). Notable examples of the latter include Russia’s Internet Research Agency, which carried out misinformation operations intended to disrupt the 2016 US presidential elections (DiResta et al. 2019), and Booz Allen Hamilton, the NSA-linked cybersecurity firm and former employer of Edward Snowden, which was involved in the illegal mass surveillance of US citizens (Finley and Esposito 2014). Grabosky (2015) acknowledges that non-state cyber proxies such as these may be involved in state cybercrime and proposes a private-state continuum where involvement between state and non-state actors occurs at varying levels:

            From state ignorance of private criminal activity at one extreme, to state monopoly of criminal activity at the other. In between these polar extremes, one might find state incapacity to control private illegality; the state turning a “blind eye” to the activity in question; tacit encouragement of non-state crime; active sponsorship by the state; loose cooperation between state authorities and private criminal actors; then formal collaboration between state and non-state entities.

            (Grabosky 2015: 10)

            Maurer (2018) proposes a similar yet more detailed spectrum mapping the potential relationships between a state and its cyber proxies across three general categories: delegation, orchestration, and sanctioning. The wide variety of relationships captured across these categories is particularly useful for this analysis. Delegation refers to states exercising a significant level of control over a cyber proxy that may be specifically tasked and resourced to carry out cybercrime by a state. Orchestration reflects a broader set of relationships between a state and a cyber proxy; for example, this includes a state providing financial or technical forms of support. A relationship characterized by orchestration may involve cyber proxies having flexibility in selecting targets or determining operations, but still acting under the state’s general control and influence. The last category, sanctioning, refers to the most distant relationships between a state and a cyber proxy. This form of relationship refers to environments where “the state indirectly creates a fertile ground for malicious activity to occur” (Maurer 2018: 94). It includes what is typically referred to as “harbouring”, in which a state is aware of a proxy’s criminal activities and has the power to stop them but does not, through to various forms of negligence where a state does not take adequate steps to prevent or punish groups located within its territory that are involved in cybercrime.

            The utility of both Grabosky’s (2015) continuum and Maurer’s (2018) spectrum lies in informing analysis which can assist in the development of effective policy responses. For example, if a state is unaware of the existence or operation of a cybercrime group operating within its territory, another state may offer intelligence in determining its whereabouts and the identities of group members (see, e.g., Perry 2008). Similarly, if a state lacks the law enforcement capability to investigate a local group engaged in cybercrime, external policing assistance may be provided to help gather evidence and secure convictions. However, if a state has a collaboration with a proxy engaged in cybercrime, recourse to law enforcement would likely be abandoned in favour of a state-based solution. The 2015 cyber treaty negotiated between US President Obama and Chinese President Xi Jinping offers a rare example of how state crime committed by cyber proxies—in this case industrial espionage—can be effectively mitigated between strategic competitors, albeit for a limited period (Bing and Martina 2018).

            As Maurer (2018) notes, the relationships between a state and its cyber proxies tend to reflect its general approaches to engaging with non-state actors. For example, relationships between the US and its cyber proxies tend to be characterized by delegation in the form of government outsourcing to private companies through contracts. Cybersecurity firm Booz Allen Hamilton earns 99 per cent of its income from government contracts, with the US Army constituting its largest source of revenue (Riley 2013). This relationship is consistent with how the US government engages with non-state actors operating in other domains, such as aerospace and security firms McDonnell Douglas and Lockheed Martin which are delegated to develop weapons and other “defense” technologies under contract from the state. The close nature of these relationships affords the US government the benefit of a high degree of control over its proxies, with specific objectives, targets, scopes of operations, and project funding all subject to state oversight. Less beneficial, at least from the perspective of the state, is that when crimes committed by closely controlled proxies come to light, the state itself becomes implicated in criminal conduct.

            By contrast, Russia’s relationships with its cyber proxies often fall under the categories of orchestration and/or sanctioning, where criminal activities that are beneficial to the state are cultivated and permitted covertly by government authorities (Maurer 2018). This too is consistent with Russia’s use of proxies in other, non-cyber domains. For example, Galeotti claims that Russia uses organized crime networks “as an instrument of statecraft abroad” (Galeotti 2017: 2), carrying out a range of activities in the furtherance of its own interests and to the detriment of its adversaries. These activities, often carried out with the participation and support of state agencies, particularly the FSB, include money laundering; trafficking in illicit drugs and weapons; political assassinations; repression of anti-Putin sentiment amongst Russia’s diaspora; exfiltration of compromised covert agents; and, increasingly, cybercrime (Grzegorzewski 2020; Lauder 2018; Galeotti 2017). Organized crime groups, including cybercrime groups and even outlaw motorcycle gangs such as the Night Wolves, have played a prominent role in regional conflicts in eastern Ukraine, Crimea, Georgia, and Chechnya (Harris 2020; Lauder 2018; Galeotti 2017).

            As is the case with all state–proxy relationships, the use of criminal proxies brings both benefits and complications for the Russian state. In terms of benefits, criminal participation and expertise in clandestine activities constitutes an important component of Russia’s grey zone warfare capabilities, which serve to counter and weaken US dominance across conventional military, economic, and diplomatic domains (Baqués-Quesada and Colom-Piella 2021; Wirtz 2017). Grey zone warfare differs from conventional warfare in that it is intended to shift the balance of force in favour of an antagonist whilst maintaining a façade of peace. Central to the success of grey zone warfare are two methods that appear to be routinely employed by the Russian state. The first is the maintenance of plausible deniability, which allows states to obfuscate their hostile activities and intentions (Karlsen 2019). For the purpose of plausible deniability, the use of criminal proxies is ideal; by outsourcing its “dirty work” to proxies, the Russian state is able to deny responsibility for its actions, and instead direct blame towards forces over which it professes it has no control.

            It is precisely this ambiguity that allows actors to project their power knowing that, if their activities cannot easily be traced back to them, can be plausibly denied, and do not affect the vital interests of their victims, it will be difficult to deploy a clear and effective response by the defenders of the status quo ante.

            (Baqués-Quesada and Colom-Piella 2021: 30–31)

            The second is what grey zone warfare strategists describe as “salami slicing” tactics (Baqués-Quesada and Colom-Piella 2021; Wirtz 2017). These involve the careful calibration of attacks such that they avoid crossing escalatory thresholds that would provoke direct confrontation. Here the targeting, timing, and scale of attacks are critical; as noted in the quotation above, attacks must target non-vital interests, and also be sufficiently small and temporally dispersed so as to fall under an escalatory threshold. While the use of criminal proxies is well suited to the maintenance of plausible deniability, their effectiveness in executing salami slicing tactics is much more problematic. This is because the necessarily loose control exercised over criminal proxies by the Russian state renders complex tasks—such as precise targeting—extraordinarily difficult. This points to one of the principal problems associated with the use of criminal proxies: the very distance between state and criminal proxy that enables plausible deniability also precludes the close coordination necessary to ensure that targeting avoids undue escalation.

            Pirates and privateers—state crime and proxies in historical context

            The use of criminal proxies to undermine the interests of rival states is not without historical precedent. Indeed, these same patterns of criminal proxies being used for the commission of state crime, coupled with problems in coordination and control, have played out in previous eras when great powers similarly used criminal proxies to attack the interests of rival states. Although Maurer’s (2018) conceptualization is broader, for many the idea of proxies mainly applies to states delegating or outsourcing their activities (e.g., Cancel 2022). The term “proxies” applies better, for us, to groups whose activities are more likely to be politically aligned—as essentially an extension of the state—than to financially motivated groups whose activities may in some way be sanctioned, such as in instances when they are offered safe harbour by a state (Maurer 2018; on financially motivated cybercrime generally, see Leukfeldt et al. 2017). In this context, we argue that other frameworks are useful such as Egloff’s (2022) notion of cyber privateers. Cyber privateering, as will be made clear throughout the remainder of this section, is a particularly appropriate concept in this context because it helps link the activities of historical state-linked criminal groups with those of contemporary ransomware groups.

            Arguably the most fitting historical analogy to the present proliferation of ransomware may be found in the 16th and 17th centuries when advances in shipping technology catalyzed competition across Europe for access to the riches of the New World. At this time Spain was the global hegemon due to her colonization of South and Central America, which provided an unprecedented source of wealth from gold and silver mining carried out by newly enslaved indigenous populations. Spain’s early dominance of the New World, and the vast riches it accumulated as a consequence, was challenged by the emergence of a sea-borne criminal threat: piracy. Preying upon the lumbering, gold-laden Spanish galleons, small, agile pirate vessels took advantage of the vast stretches of ocean to not only prey upon isolated ships but also to evade capture (Lane and Levine 2015). The success of pirates, and the inability of the Spanish to protect their vessels on the high seas, attracted the attention of rival European powers, which began to co-opt pirate forces to supplement their relative lack of naval power. The quid pro quo was simple: states would offer pirates safe haven in return for a share of the profits of piracy. So long as pirates limited their targets to the host state’s strategic rivals, they would not only escape punishment, but be rewarded with a portion of whatever wealth they had stolen. Over time, this arrangement was increasingly formalized through the issuance of “letters of marque” which transformed a pirate vessel into a “privateer” with a dubious and contested legal authority to prey upon vessels belonging to the issuing state’s strategic rivals (Lane and Levine 2015; Chambliss 1989).

            In addition to privateering playing a major role in the decline of the Spanish empire in the 16th century, privateers were critical in securing victory for the colonists in the American War of Independence, inflicting substantial damage on British maritime trade despite the overwhelming pre-eminence of the Royal Navy (Leiner 2013). Similarly, during the French Revolutionary Wars, French privateers (corsairs) were able to impose significant costs on their British adversaries, which came with the additional benefit of helping to finance their own military conquests on the continent. Whilst beneficial for offending states, particularly those at a disadvantage in terms of conventional naval power, privateering also carried risks. Foremost amongst these was the absence of effective state control over privateers, the most problematic manifestation of which occurred when ships were attacked without proper authorization (e.g., the ships of neutral countries) (Egloff 2022). These actions were dangerous in that they damaged the diplomatic relationships between privateering and victim states. Uncertainty regarding whether a ship was acting with the authority of a sovereign (i.e., as a privateer) or without it (i.e., as a pirate) also enabled victim states to assert state responsibility for acts of piracy as and when it suited them. Naturally, these unauthorized or incorrectly attributed acts of piracy/privateering were deplored by state authorities, which increasingly perceived the whole privateering enterprise as a dangerously volatile element in their relationships with other states.

            Underlying the problems of control between states and privateers were distinct sets of motivations and interests between the two parties. States were motivated to recruit privateers by their desire to expand their own power at the expense of rival states. Privateers, meanwhile, were motivated by a desire for plunder, personal enrichment, and glory. Oft times, these two sets of motivations coincided such that a working and mutually beneficial relationship could be maintained. In others, however, these overlapping but distinct interests of states and privateers became dangerously misaligned. The famous English privateer and explorer Sir Walter Raleigh offers just one example of this misalignment. Raleigh made his fortune and earned a knighthood for privateering against the Spanish in the New World. However, when peace was established between the English and Spanish empires in 1604, Raleigh’s privateers continued attacks against Spanish possessions in South America (Nicholls and Williams 2011). These attacks outraged the Spanish who demanded retribution. As a consequence, the English King James I had little choice but to order Raleigh’s execution in order to maintain peace with Spain (Egloff 2022).

            It is noteworthy that Chambliss (1989) used historical privateering as an archetypal example of state crime when he first introduced this criminological concept. However, it seems unlikely that even the most forward-thinking criminologists in the 1980s could have envisioned a return to an era of rampant state crime facilitated by the emergence of new and increasingly powerful information and communications technologies (ICT). Similarities between historical privateering and the contemporary activities of state-linked cyber proxies, which Egloff (2022, 2015) refers to as cyber privateers, have since come to the attention of politicians, military professionals, researchers, and cybersecurity professionals alike (Dwan et al. 2022; Horsley 2018; Egloff 2022, 2015; Garrett 2012). As Egloff (2015) claims, this analogy is “both historical and conceptual”, noting the similarities between historical maritime environments and contemporary cyberspace as “largely ungoverned spaces” ripe for great power competition. In addition to a lack of state control, both maritime environments and cyberspace are also major sites for commercial activity and innovation. Since the 1990s, the widespread proliferation of ICT has been a primary factor driving economic growth and increases in productivity, with the most pronounced effects in those countries with the highest proportions of internet connectivity (Manyika and Roxburgh 2011). In the Global North, nearly every public and private organization is now in some way dependent upon access to cyberspace, and the capacity to securely operate within it, for the success of its operations. These two factors—commercial dependence on cyberspace and an inability on the part of states to provide security within it—provide the critical opportunity for states and cyber privateers to steal property, disrupt economies, and, over time, potentially tip the balance of global power in favour of antagonists.

            Approaching ransomware as cyber privateering

            While there appear to be many similarities regarding criminal activity and great power competition in historical maritime environments and contemporary cyberspace, determining the extent to which ransomware groups may be regarded either as purely non-state criminal actors (cyber pirates) or state-linked proxies (cyber privateers) is less straightforward. Most definitions of cyber privateers emphasize the importance of an explicit, formal relationship between a state and its proxy (Dwan et al. 2022; Egloff 2022, 2015). For example, Egloff (2022: 30) specifies that:

            The privateer differs from the pirate because the actions of the privateer are committed under the authority of a state . . . Pirates are considered non-state actors, as they work outside the state system, sometimes even rejecting the state’s authority to govern them.

            According to Egloff (2022), therefore, ransomware and other cybercriminal groups that have no formal relationship with a state should be regarded as “cyber pirates”, whereas those that are formally sanctioned by a state would be considered cyber privateers. While we cannot rule out the possibility of a formal collaboration between the Russian state and domestic ransomware groups, there is currently no evidence of either a formal relationship with the state or direct control by state representatives, and the selection of specific targets is most likely determined by the ransomware groups themselves. Despite this, we posit that there are a range of similarities between historical privateers and contemporary ransomware groups which provide strength to the analogy when viewed through the conceptual lens of state crime.

            Here some additional context regarding the Russian state seems relevant. Unlike states in which there is widespread respect for the rule of law, in Russia scholars have argued that the state and local organized crime are deeply entwined at all levels of society (Harris 2020; Galeotti 2017; Stephenson 2017). The connections between the Russian state and organized crime are longstanding, dating back to at least the Soviet era, and have been centralized and institutionalized to an unprecedented extent by several decades of autocratic rule under two-time President, and former director of the FSB (Federal Security Service), Vladimir Putin (Volkov 2016; Anderson 2012). According to Galeotti (2017: 2), formerly independent criminal actors and networks have effectively been repressed, assimilated, or co-opted by “the biggest gang in town”, the Russian state. The extraordinary degree of integration between the Russian state and domestic criminal networks ensures that no criminal industry of any size or significance escapes the notice of state representatives who, it is argued, are not concerned with the administration of law enforcement and justice per se, but rather with state control and the steady flow of illicit profits all the way up to the Kremlin (Gilinsky and Siegel 2019; Stephenson 2017). The integration between the state and local organized crime groups has contributed to the vast personal enrichment of Putin and his oligarchic inner circle and widespread denouncement of Russia as the world’s most powerful kleptocracy (Åslund 2019; Lanskoy and Myles-Primakoff 2018). In this context, it seems unlikely that local ransomware groups would be able to survive, let alone flourish, without at least the tacit approval of state representatives operating at the highest level.

            Fortunately, we also have more direct evidence of state involvement with ransomware groups. Central to our argument that many Russian ransomware groups act as cyber privateers is the notion of state control over quasi-independent criminal actors. However, unlike historical privateers which, through the issuance of letters of marque, had an explicit legal authority to prey upon maritime targets, Russia’s ransomware groups have no such formal arrangement with the state. Instead, we argue, it is more likely that Russia exercises de facto control over ransomware groups located in its territory through, for example, setting the rules within which such groups are permitted to operate and the selective enforcement of laws prohibiting ransomware attacks for groups that fail to respect these unspoken, but widely understood boundaries. This selective law enforcement signals to private criminal actors which targets are prohibited (i.e., any organization located within Russia and the broader Commonwealth of Independent States, CIS) and which are “fair game” and may be targeted without fear of reprisal (i.e., anything outside the CIS and, particularly, targets located in Western countries so long as those targets do not risk unacceptable escalation, see below).

            Evidence of Russia’s use of selective law enforcement with regard to ransomware groups operating within its territory comes from a wide variety of sources. For example, academic researchers such as Nad (2022), Maurer (2018), Grzegorzewski (2020), as well as many within the cybersecurity industry (e.g., Cimpanu 2020; Krebs 2021), have described the widespread understanding amongst Russian cyber criminals that they may operate freely and without fear of government intervention so long as they do not target organizations located within the former Soviet Union:

            Russian cybercriminals know that any cybercrime committed against an external target will not be punished, but that an act targeted within Russia will bring down the wrath of the state. Through this practice, the Russian state has defined the cyberspace “rules of the road” within the country.

            (Grzegorzewski 2020: 56)

            While Russian ransomware groups that extort appropriate foreign targets may operate freely, those that make the mistake of targeting domestic organizations have quickly found themselves arrested by Russian authorities (Grzegorzewski 2020; Maurer 2018). This selectiveness in the enforcement of laws prohibiting ransomware attacks demonstrates that the Russian state does not lack the capability to identify and apprehend domestic ransomware groups but rather that it likely chooses not to when it deems such activities are in its interests. Further evidence for the tacit arrangement between the Russian state and domestic ransomware groups is that, despite diplomatic protestations and offers of policing assistance from victim states, and the US in particular, Russia has consistently denied requests for law enforcement cooperation (Nad 2022; Maurer 2018). Russia has also sought to frustrate attempts to extradite Russian cyber criminals who have been arrested in foreign jurisdictions (Maurer 2018). Interventions such as these indicate that Russian support for ransomware groups extends beyond passively permitting the violation of domestic laws prohibiting ransomware attacks, to active intervention on behalf of the Russian state to protect domestic ransomware groups from foreign law enforcement.

            This signalling on the part of the Russian state has not been lost on ransomware actors located within the country. Not only do Russian ransomware groups avoid explicitly targeting local organizations, they often code ransomware in such a way that it may not target Russian computer systems (Chainalysis 2022; Krebs 2021; Maurer 2018). For example, Nefilim ransomware was coded to check on country and geographical names associated with Russia and other CIS countries before it infects a system (Malwarebytes 2021). Other popular ransomware strains check a target’s IP address, avoiding domains ending in .ru (Russia) and other prohibited country domains within the CIS, while others check a computer’s language settings and avoid targeting systems configured with Russian keyboard layouts (Krebs 2021). Coding practices such as these prevent ransomware from being used against Russian interests even when it is sold as RaaS to criminal entities outside of Russia.

            As one might expect, links between ransomware groups and the Russian state are denied by Russian authorities; even President Vladimir Putin has gone so far as to explicitly reject the notion of any state involvement in ransomware attacks. For example, referring to the 2021 JBS attacks, Putin was incredulous, “[Russia does not] deal with some chicken or beef. This is ridiculous” (Khurshudyan and Morris 2021). This apparent stonewalling on the part of the Russian state does not, however, preclude us from demonstrating its tacit support for ransomware attacks carried out from its territory. On the contrary, not only is state denial and resistance towards international and foreign prosecution a common and anticipated feature of state crime (Chambliss 1989) and the use of proxies more generally (Maurer 2018), it also, in this instance, constitutes a key component of the Russian state’s complicity in these offences. This is because efforts on behalf of the state to frustrate both domestic prosecution and foreign extradition help establish a link between those entities that carry out ransomware attacks (i.e., ransomware groups) and those that enable and protect them (i.e., the Russian state).

            The notion that the Russian state provides, at a minimum, tacit support for its ransomware groups is logical considering the broader impacts of ransomware on both Russia as well as rival states. Not only is cyber privateering consistent with Russia’s use of non-state, criminal actors in other forms of grey zone warfare, it also brings a variety of benefits to the Russian state. These include the enrichment of their economy (and possibly the personal remuneration of permitting elites); direct economic damage, disruption, and embarrassment to rival states and their subsidiaries; and the imposition of indirect costs on victims by necessitating the development and deployment of cybersecurity resources. Importantly, this damage is typically inflicted in small amounts and is spread over time. The particular pace and scale of ransomware attacks appears consistent with Russia’s use of salami slicing tactics in other spheres of geopolitical conflict, such as in its 2014 annexation of Crimea and Eastern Ukraine (Wirtz 2017). While territorial invasion and cyber-attacks may at first appear unrelated, there are strategic similarities in that both types of offensive action are carried out in such a way that they are sufficiently small and incremental as to avoid escalation. We posit that cyber privateering in the form of ransomware attacks may therefore be perceived as an online evolution of these same salami slicing tactics that Russia has frequently employed in the offline world.

            Despite its many benefits, cyber privateering is not entirely without risk. As was the case with its historical iteration, foremost amongst these is the lack of direct state control over (cyber) privateers. As discussed previously, calibrating clandestine attacks in such a way as to avoid escalation into outright conflict is a complex endeavour even with close control over one’s forces. In the case of cyber privateers, an absence of direct control by the state makes such precise calibration even more difficult. From this perspective, we argue that some of the largest and ostensibly most successful ransomware attacks, particularly those on the Colonial Pipeline and Kaseya, may be more accurately perceived as dangerous miscalculations, if not outright failures. This is because these attacks were so damaging that they finally crossed a threshold of seriousness that compelled the US to proactively respond; in the days following the Colonial Pipeline attacks a dedicated anti-ransomware taskforce was established by the US Department of Justice, which successfully recovered most of the ransom paid to DarkSide, the ransomware group that claimed responsibility for the attacks (US DoJ 2021). Public statements by US President Biden that the Russian state bore “some responsibility” for the attacks (Khurshudyan and Morris 2021) leveraged further pressure upon Russia’s ransomware groups, with DarkSide suspending its operations and going into hiding.

            Significantly, the pressure leveraged upon the Russian state by the US in the wake of the Colonial Pipeline attacks resulted in a rare crackdown by Russian law enforcement on those ransomware groups deemed responsible. Multiple arrests were made targeting members of REvil and DarkSide, with the White House claiming that the arrests were the direct result of pressure applied by the US (US White House 2022). An initial reading of this response from the Russian authorities may seem to undermine our argument that ransomware groups that target foreign interests are protected by the Russian state. However, we contend that the Russian state likely engaged in this apparent crackdown because the ransomware groups responsible for the attacks made the mistake of targeting vital US interests. Paralyzing the Colonial Pipeline was therefore inconsistent with the salami slicing tactics successfully employed by other Russian ransomware groups, and necessitated a response from the Russian state in an effort to de-escalate tensions with the US.

            The proactive responses from the US witnessed in the wake of the Colonial Pipeline attacks are useful in that they help re-establish a “red line” that may deter Russia’s cyber privateers from repeating these strikes against critical infrastructure. This red line was subsequently made explicit in a phone call between Presidents Biden and Putin, when Biden provided a list of 16 areas of critical infrastructure that “should be off limits to attack by cyber or any other means” (White House 2021c). Biden declared that he issued a veiled retaliatory threat towards Putin, asking the Russian President “How would you feel if ransomware took on the pipelines from your oil fields?” and further stating that “I pointed out to him [Putin] that we have significant cyber capability. And he knows it … And if, in fact, they violate these basic norms [by permitting ransomware attacks], we will respond with cyber [attacks]” (White House 2021c).

            Threats from the US to engage in offensive cyber operations may assist in deterring large-scale ransomware attacks targeting critical infrastructure, whether in the US or in allied states. However, problematically, they do little to alter the vulnerability of other large, yet non-critical enterprises or the vast majority of ransomware victims which are comprised of small to medium-sized businesses, many of which lack both the financial and technical capability to develop sophisticated cybersecurity defences (Coveware 2020; Voce and Morgan 2021). In the absence of an effective deterrent, ransomware attacks against these less prominent targets will almost certainly continue to grow rapidly, with victim states suffering increased losses while cyber privateers reap ever greater profits for both themselves and the Russian state. This trend places the onus on victim states to develop new, more powerful forms of offensive deterrence rather than relying solely on defensive measures that have so far proven ineffective in preventing the growth in ransomware attacks.

            The similarities between historical and cyber privateers are not merely a conceptual matter or empirical curiosity; they also assist in illuminating how such a practice may be more comprehensively countered. Historical privateers were not eliminated by improving the defences of merchant vessels—which can readily be analogized with contemporary firms improving their cybersecurity—but rather through the growing assertion of state power on the high seas and, specifically, the development and deployment of offensive naval capabilities that enabled states to destroy privateer vessels and blockade ports that harboured privateers. Emerging trends suggest that these responses may be emulated to reduce contemporary ransomware attacks. For example, in 2019, the US Treasury’s Office of Foreign Assets Control (OFAC) intervened against a Russian group known as Evil Corp, placing it on the sanctioned list in an effort to destroy its business model by making it a strict liability offence for any person or entity subject to a US jurisdiction to facilitate a ransom payment to Evil Corp (US DoT 2021). While it is always possible for groups to evolve their tactics and rebrand in an effort to get around sanctioned lists, we are somewhat surprised there have not (yet) been more efforts to add groups to OFAC’s sanctions since. This approach would add considerable uncertainty and risk in the minds of those considering paying a ransom to any ransomware group, including the cyber insurance industry (Baker and Shortland 2022). Instead, it seems the US has focused more on setting clear expectations of Russia—certainly prior to the invasion of Ukraine—and preparing for more offensive cyber operations. As President Biden has publicly stated, the US now has significant offensive capabilities that could be more widely used against cyber privateers (US White House 2021c). Should the US or other victim states intend to genuinely disrupt cyber privateers, we would contend that rather than limiting the use of these offensive capabilities to retaliatory attacks against critical infrastructure, which risks displacement to lower threshold targets, they would need to engage in limited cyber offensives directly targeting ransomware groups located in Russia or indeed any other country that fails to enforce laws prohibiting ransomware attacks. Similar views are also emerging in cybersecurity and related disciplines along with more specific strategies advocating targeting offensive cyber operations against individual ransomware actors (e.g., targeting internet servers traced to specific ransomware groups), elements of the broader ransomware ecosystem (e.g., attacks against hacker forums trading in ransomware related tools and services), as well as hacking of cryptocurrency infrastructure (e.g., take downs of payment portals used to receive ransoms) (Bátrla and Harašta 2022; Libicki 2022).

            Conclusion

            While cybercrime victims can be located anywhere in the world and constant efforts need to go into improving cybersecurity, “cybercrime also needs to be tackled in the places where it originates” (Lusthaus and Varese 2021: 11). This requires, of course, “good local law enforcement and effective governance in those countries” (Lusthaus and Varese 2021: 12). While principally adopting a conceptual orientation, this article has advanced the argument that, when a state systemically and selectively fails to enforce laws prohibiting ransomware attacks, or indeed offers protection (in whatever form) to domestic ransomware groups, such activity crosses an important threshold, one delineating privately committed cybercrime (cyber piracy) from state crime committed by proxies (cyber privateering). There are, of course, some important differences between other forms of state crime and the present situation. For example, common to most examples of state crime—and indeed crime more generally—is the victimization of groups that lack power (Kauzlarich et al. 2001). Clearly, this is not the case with many victims of ransomware attacks, such as large multinational corporations that are exceptionally powerful by any measure, even when compared to many states. Indeed, the recent sustained attacks launched against Costa Rica demonstrate how states themselves are vulnerable to ransomware, with the Costa Rican government declaring a state of emergency after reportedly refusing to pay Conti a ransom in the order of USD 10 million (Recorded Future 2022).

            There is, however, nothing inherent to state crime that necessitates powerlessness on the part of victims. Rather, powerlessness is a common feature of state crime because less powerful groups more frequently lack the capabilities that are necessary to prevent victimization by states and their affiliates. Powerful organizations, whether states or corporations, may also find themselves victims of state crime if they too lack the necessary capabilities to prevent victimization or are simply unlucky, given that absolute security in the context of ransomware can be undermined by something as simple as a staff member opening a phishing email (Connolly and Wall 2019; Dupont and Whelan 2021). The current situation is clearly an unfamiliar one for many state and corporate victims of ransomware attacks who, by virtue of the power that they possess, in combination with an unusually benign (although arguably rapidly deteriorating) geopolitical environment, have long enjoyed freedom from state crime. However, when considered from a broader historical perspective, we can see that the current explosion of ransomware represents a return to previous eras in which even the largest and most powerful states and private entities regularly found themselves victims of crime perpetrated either directly or indirectly by foreign powers.

            We suggest the growth in ransomware can be better understood when considered in this broader context of state crime. More specifically, extending the work of Maurer (2018) and Egloff (2022), we have argued that many ransomware groups should be considered as cyber privateers engaged in state crime, much like the maritime privateers of previous eras. While we cannot empirically validate the number of criminal groups involved in ransomware attacks or RaaS that would meet this threshold, the available evidence from the examples of Conti, DarkSide, and REvil would suggest it is nonetheless significant. It is likely that the apparent protections afforded by the Russian state have enabled these ransomware groups to flourish so rapidly. Indeed, it is difficult to imagine ransomware groups inflicting similar levels of damage if the Russian state uniformly enforced domestic laws, rather than selectively prosecuting those groups who either target Russian and allied interests or risk escalation with the US by targeting their critical infrastructure. At the same time, we also note there are several other factors underpinning the rapid growth in ransomware, ranging from advances in techniques, tactics and protocols such as rented infrastructure; new hacking tools and exploitation kits; greater use of initial access brokers (which many speculate has been exacerbated with the pandemic); and of course a much wider surface area for conducting ransomware attacks alongside a rapid move to work from home and otherwise distributed arrangements.

            Approaching ransomware groups through the conceptual lens of state crime generally, and cyber privateering specifically, exposes the limits underpinning much of the current policy debate in relation to ransomware. For example, much attention is currently placed on defensive options such as enhancing cybersecurity and banning ransom payments in an effort to deter financially motivated criminals and disrupt their business model. Other options have focused on mandatory reporting of all ransomware attacks to build a more holistic intelligence picture, which is thought necessary to overcome the widely perceived limited reporting of such incidents. While the merits of these debates are beyond the scope of the article, when approached from the perspective of cyber privateering one can better appreciate the limits of such defensive measures. The recent actions of the US Justice Department against REvil and the subsequent actions of Russia to arrest its members have demonstrated the potential for escalation to result in aggressive law enforcement. Yet the fact that the US continues to offer significant rewards for information leading to the identity of leaders of REvil suggests they remain unconvinced sufficient action has been taken (US DoS 2021b). Ultimately, however, even aggressive law enforcement responses such as these are, in our view, unlikely to deter cyber criminals when they are, directly or indirectly, protected by a state. Current trends suggest we may be headed for increasingly aggressive cyber offensives against cyber privateers, just as historical privateering was destroyed by the advent and deployment of powerful, offensive state naval capabilities.

            Footnotes

            Conflicts of interest

            The authors declare no competing interests.

            References

            1. (2012) “Corruption in Russia: Past, present, and future” in , ed. Political Corruption in Comparative Perspective: Sources, Status and Prospects, Routledge, 71–94.

            2. (2021) “Australia Joins International Partners in Attribution of Malicious Cyber Activity to China”, Canberra: Australian Federal Government, 19 July. Available online at: www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china (accessed 10 October 2020).

            3. (2019) Russia’s Crony Capitalism. Connecticut, US: Yale University Press.

            4. (2022) Insurance and Enterprise: Cyber Insurance for Ransomware. Geneva: Geneva Papers on Risk and Insurance-Issues and Practice.

            5. (2021) “Russian Influence in the Czech Republic as a Grey Zone Case Study”, Politics in Central Europe, 17(1): 29–56.

            6. (2011) “Crimes of State and Other Forms of Collective Group Violence by Nonstate Actors”, in eds. State Crime: Current Perspectives. New Brunswick, NJ: Rutgers University Press.

            7. (2022) “‘Releasing the Hounds?’ Disruption of the Ransomware Ecosystem through Offensive Cyber Operations”, in 2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon), Vol. 700: 93–115.

            8. (2022) “Russia-Based Ransomware Group Conti Issues Warning to Kremlin Foes”, Reuters, 26 February. Available online at: www.reuters.com/technology/russia-based-ransomware-group-conti-issues-warning-kremlin-foes-2022-02-25/ (accessed 3 January 2023).

            9. (2018) “U.S. Accuses China of Violating Bilateral Anti-Hacking Deal”, Reuters, 9 May. Available online at: www.reuters.com/article/us-usa-china-cyber-idUSKCN1NE02E (accessed 7 October 2018).

            10. (2017) “Cyber War and Information War a la Russe”, in eds. Understanding Cyber Conflict: Fourteen Analogies. Washington, DC: Georgetown University Press.

            11. (2014) “Organization and Cybercrime: An Analysis of the Nature of Groups Engaged in Cybercrime”, International Journal of Cyber Criminology, 8(1): 1–20.

            12. (2022) “The Illogic of Plausible Deniability: Why Proxy Conflict in Cyberspace May No Longer Pay”, Journal of Cybersecurity, 8(1): 1–16.

            13. (2017) “An Unacknowledged Crisis: Economic and Industrial Espionage in Europe”, in eds. Europe in Crisis: Crime, Criminal Justice and the Way Forward. Essays in Honour of Nestor Courakis. Athens, Greece: Ant. N. Sakkoulas Publishers LP.

            14. Chainalysis (2022) “Crypto Crime Report 2022”, Chainalysis. Available online at: https://go.chainalysis.com/2022-Crypto-Crime-Report.html (accessed 10 August 2022).

            15. (1989) “State-organized crime”, Criminology, Vol. 27: 183–208.

            16. Checkpoint (2022) “Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up … Sort of”, Checkpoint, 10 March. Available online at: https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/ (accessed 20 August 2022).

            17. (2020) “Russian Authorities Make Rare Arrest of Malware Author, Zero Day”, ZD Net, 4 November. Available online at: www.zdnet.com/article/russian-authorities-make-rare-arrest-of-malware-author/ (accessed 25 November 2021).

            18. (2021) “JBS Foods Pays $14.2 Million Ransom to End Cyber Attack on its Global Operations”, ABC News, 10 June. Available online at: www.abc.net.au/news/rural/2021-06-10/jbs-foods-pays-14million-ransom-cyber-attack/100204240 (accessed 26 September 2022).

            19. (2019) “The Risk of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures”, Computers & Security, Vol. 87: 1–18.

            20. Coveware (2020) “Ransomware Attacks Fracture between Enterprise and Ransomware-as-a-Service in Q2 as Demands Increase”, Coveware, 3 August. Available online at: https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report#1 (accessed 26 November 2021).

            21. (2022) “A History of REvil”, Analyst 1. Available online at: https://analyst1.com/file-assets/History-of-REvil.pdf (accessed 10 August 2022).

            22. (2019) The Tactics and Tropes of the Internet Research Agency. Washington, DC: United States Congress.

            23. (2021) “Enhancing Relationships between Criminology and Cybersecurity”, Journal of Criminology, 54(1): 76–92.

            24. (2022) “Pirates of the Cyber Seas: Are State-Sponsored Hackers Modern-Day Privateers?”, Law, Technology and Humans, 4(1): 49–62.

            25. (2022) Semi-State Actors in Cybersecurity. Oxford, UK: Oxford University Press.

            26. (2015) “Cybersecurity and the Age of Privateering: A Historical Analogy”, Cyber Studies Programme, Work Paper Series No. 1. Oxford, UK: University of Oxford.

            27. European Commission (2020) The EU’s Cybersecurity Strategy for the Digital Decade. Brussels: European Commission. Available online at: https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0 (accessed 10 October 2021).

            28. Europol (2020) “Internet Organized Crime Threat Assessment”. Available online at: https://www.europol.europa.eu/iocta-report (accessed 10 September 2021).

            29. (2022) “The Conti Leaks: Insight into a Ransomware Unicorn”, BreachQuest, 9 March. Available online at: https://www.breachquest.com/blog/conti-leaks-insight-into-a-ransomware-unicorn/ (accessed 20 August 2022).

            30. (2014) “‘Digital Blackwater’: The National Security Administration, Telecommunications Companies and State-Corporate Crime”, State Crime Journal, 3(2): 182–199.

            31. Forescout (2022) “Analysis of Conti leaks”, Vedere Labs, 11 March. Available online at: https://www.forescout.com/resources/analysis-of-conti-leaks/ (accessed 10 August 2022).

            32. (2017) Crimintern: How the Kremlin Uses Russia’s Criminal Networks in Europe. London, UK: European Council on Foreign Relations.

            33. (2012) “Taming the Wild Wild Web: Twenty-First Century Prize Law and Privateers as a Solution to Combating Cyber-Attacks”, University of Cincinnati Law Review, Vol. 81: 684–705.

            34. (2019) “Organized crime in contemporary Russia”, in eds. Organized Crime and Corruption Across Borders. London, UK: Routledge.

            35. (2001) “Virtual Criminality: Old Wine in New Bottles?”, Social & Legal Studies, 10(2): 243–249.

            36. (2015) “Organized Cybercrime and National Security”, in eds. Cybercrime Risks and Responses. London, UK: Palgrave Macmillan.

            37. (2000) “State Crime, Human Rights, and the Limits of Criminology”, Social Justice, 27(79): 101–115.

            38. (2016) “Understanding State Crime”, in eds. Oxford Handbook of Criminology. Oxford, UK: Oxford University Press.

            39. (2020) “Russian Cyber Operations: The Relationship between the State and Cybercriminals”, in eds. Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection. Slovenia: Ministry of Defence, Republic of Slovenia.

            40. (2020) “Russia’s Fifth Column: The Influence of the Night Wolves Motorcycle Club”, Studies in Conflict & Terrorism, 43(4): 259–273.

            41. HM Government (2022) National Cyber Strategy 2022: Pioneering a Cyber Future with the Whole of the UK. London, UK: Cabinet Office.

            42. (2013) Crime Online: Correlates, Causes, and Context. Durham, NC: Carolina Academic Press.

            43. (2019) “Technology’s Influence on White-Collar Offending, Reporting, and Investigation”, in ed. The Handbook of White-Collar Crime. Hoboken, NJ: Wiley.

            44. (2018) “State-Sponsored Ransomware through the Lens of Maritime Piracy”, Georgia Journal of International & Comparative Law, Vol. 47: 670–681.

            45. (2005) “State crime by proxy and juridical othering”, British Journal of Criminology, 45(4): 504–527.

            46. (2019) “Divide and Rule: Ten Lessons about Russian Political Influence Activities in Europe”, Palgrave Communications, 5(1): 1–14.

            47. (2001) “Toward a victimology of state crime”, Critical Criminology, 10(3): 173–194.

            48. (2021) “Ransomware’s Suspected Russian Roots Point to a Long Detente between the Kremlin and Hackers”, Washington Post, 11 July. Available online at: www.washingtonpost.com/world/europe/russia-ransomware-cyber-crime/2021/06/11/e159e486-c88f-11eb-8708-64991f2acf28_story.html (accessed 1 December 2021).

            49. (2021) “Try This One Weird Trick Russian Hackers Hate”, KrebsOnSecurity, 17 May. Available online at: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/ (accessed 1 December 2021).

            50. (2022) “Conti Ransomware Group Diaries Part II: The Office”, KrebsOnSecurity, 2 March. Available online at: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ (accessed 10 August 2022).

            51. (2015) Pillaging the Empire: Piracy in the Americas, 1500–1750. Abingdon/Oxon, UK: Routledge.

            52. (2018) “The Rise of Kleptocracy: Power and Plunder in Putin’s Russia”, Journal of Democracy, 29(1): 76–85.

            53. (2018) “‘Wolves of the Russian Spring’: An Examination of the Night Wolves as a Proxy for the Russian Government”, Canadian Military Journal, 18(3): 5–16.

            54. (2013) “Privateers and Profit in the War of 1812”, Journal of Military History, 77(4): 1225–1250.

            55. (2017) “Organized Cybercrime or Cybercrime that is Organized? An Assessment of the Conceptualisation of Financial Cybercrime as Organized Crime”, European Journal on Criminal Policy and Research, 23(3): 287–300.

            56. (2022) “Obnoxious Deterrence”, in 2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon), Vol. 700: 65–77.

            57. (2021) “Offline and local: The hidden face of cybercrime”, Policing: A Journal of Policy and Practice, 15(1): 4–14.

            58. Malwarebytes Labs (2021) “Russia’s Ransomware Problem”, Malwarebytes News, 15 July. Available online at: https://blog.malwarebytes.com/malwarebytesnews/2021/07/ransomwares-russia-problem/ (accessed 12 May 2022).

            59. (2012) “Vigilantism and State Crime in South Africa”, State Crime Journal, 1(2): 217–234.

            60. (2011) The Great Transformer: The Impact of the Internet on Economic Growth and Prosperity. New York, NY: McKinsey Global Institute.

            61. (2018) Cyber Mercenaries. Cambridge, UK: Cambridge University Press.

            62. (2021) “Biden Tells Putin Russia Must Crack down on Cybercriminals”, AP News, 10 July. Available online at: https://apnews.com/article/joe-biden-europe-technology-government-and-politics-russia-df7ef73f02bcba61ad6e628aa95a9f84 (accessed 26 September 2022).

            63. (2022) “Ransomware Warfare: Exploring Global and Private Negotiations to Help US Victims Respond to the Threat”, Cardozo Journal of Conflict Resolution, Vol. 23: 257–300.

            64. (2011) Sir Walter Raleigh: In Life and Legend. London, UK: Bloomsbury Publishing.

            65. (2018) “Secrets and Lies: The Proliferation of State Surveillance Capabilities and the Legislative Secrecy which Fortifies Them – An Activist’s Account”, State Crime Journal, 7(1): 8–23.

            66. (2020) “Political Warfare in the Digital Age: Cyber Subversion, Information Operations and ‘Deep Fakes’”, Australian Journal of International Affairs, 74(4): 439–454.

            67. (2008) “Australian Police Crack Global Pedophile Ring”, Reuters, 6 March. Available online at: www.reuters.com/article/us-australia-paedophile-network/australian-police-crack-global-pedophile-ring-idUSSYD2212120080305 (accessed 8 October 2021).

            68. Recorded Future (2022) “Conti Ransomware Attack was Aimed at Destabilizing Governance Transition, Costa Rica President Says”, Recorded Future, 22 April. Available online at: https://therecord.media/conti-ransomware-attack-was-aimed-at-destabilizing-government-transition-costa-rican-president-says/ (accessed 10 August 2022).

            69. (2013) “Booz Allen Hamilton in Spotlight over Leak”, CNN Money, 10 June. Available online at: https://money.cnn.com/2013/06/10/news/booz-allen-hamilton-leak/index.html (accessed 1 August 2022).

            70. (2020) “Transnational State-Sponsored Cyber Economic Espionage: A Legal Quagmire”, Security Journal, 33(1): 63–82.

            71. and IBM Security (2021) X-Force Threat Intelligence Index 2021. Armonk, NY: IBM Corporation. Available online at: https://www.ibm.com/reports/threat-intelligence/ (accessed 6 February 2022).

            72. (2017) “It Takes Two to Tango: The State And Organized Crime In Russia”, Current Sociology, 65(3): 411–426.

            73. United States Department of Justice (2021) “DAG Monaco Delivers Remarks at Press Conference on DarkSide Attack on Colonial Pipeline”, Department of Justice. Available online at: https://www.justice.gov/opa/speech/dag-monaco-delivers-remarks-press-conference-DarkSide-attack-colonial-pipeline (accessed 26 September 2022).

            74. United States Department of State (2021a) “Reward Offers for Information to Bring Sodinokibi (REvil) Ransomware Variant Co-Conspirators to Justice”, Department of State, 8 November. Available online at: https://www.state.gov/reward-offers-for-information-to-bring-sodinokibi-REvil-ransomware-variant-co-conspirators-to-justice/ (accessed 21 November 2021).

            75. United States Department of State (2021b) “Sodinokibi Ransomware as a Service (RaaS)”, Department of State, 8 November. Available online at: https://www.state.gov/transnational-organized-crime-rewards-program-2/sodinokibi-ransomware-as-a-service-raas/ (accessed 10 August 2022).

            76. United States Department of the Treasury (2021) “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments”, Department of the Treasury, 21 September. Available online at: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf (accessed 26 September 2021).

            77. United States White House (2021a) “The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China”, White House, 19 July. Available online at: https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china (accessed 21 November 2021).

            78. United States White House (2021b) “Remarks by President Biden on the Colonial Pipeline Incident”, White House, 13 May. Available online at: https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/05/13/remarks-by-president-biden-on-the-colonial-pipeline-incident/ (accessed 26 September 2021).

            79. United States White House (2021c) “Remarks by President Biden in Press Conference”, White House, 16 June. Available online at: https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4/ (accessed 26 September 2022).

            80. United States White House (2022) “Background Press Call by a Senior Administration Official on Cybersecurity”, White House, 14 January. Available online at: https://www.whitehouse.gov/briefing-room/press-briefings/2022/01/14/background-press-call-by-a-senior-administration-official-on-cybersecurity/ (accessed 26 September 2022).

            81. (2021) “Ransomware Victimisation among Australian Computer Users”, Statistical Bulletin, Vol. 35. Canberra: Australian Institute of Criminology.

            82. (2016) Violent entrepreneurs. New York, NY: Cornell University Press.

            83. (2007) Cybercrime, Vol. 4. The Transformation of Crime in the Information Age. Cambridge: Polity.

            84. (2015) “Dis-organized Crime: Towards a Distributed Model of the Organization of Cybercrime”, European Review of Organized Crime, 2(2): 71–90.

            85. (2005) “State Crime in the Heart of Darkness”, British Journal of Criminology, 45(4): 434–445.

            86. (2021) State Sponsored Cyber Surveillance: The Right to Privacy of Communications and International Law. Cheltenham, UK: Edward Elgar Publishing.

            87. (2010) “State Crime”, in eds. Handbook on Crime. Devon, UK: Willan Publishing.

            88. (2017) “Life in the ‘Gray Zone’: Observations for Contemporary Strategists”, Defense & Security Analysis, 33(2): 106–114.

            89. (2013) Cybercrime and Society. London, UK: SAGE Publications.

            Author and article information

            Journal
            10.13169/statecrime
            State Crime Journal
            SCJ
            Pluto Journals
            2046-6056
            2046-6064
            26 May 2023
            2023
            : 12
            : 1
            : 4
            Affiliations
            [1 ]Deakin University
            Article
            10.13169/statecrime.12.1.0004
            7056da60-be2b-4772-a798-2bc7cd7a983e
            Copyright 2023, James Martin and Chad Whelan

            This is an open-access article distributed under the terms of the Creative Commons Attribution Licence (CC BY) 4.0 https://creativecommons.org/licenses/by/4.0/, which permits unrestricted use, distribution and reproduction in any medium, provided the original author and source are credited.

            History
            Page count
            Pages: 25
            Categories
            Articles

            Criminology
            cybercrime,cybersecurity,proxies,privateers,ransomware,state crime
