Experts at Kaspersky have been investigating various computer incidents on a daily basis for over a decade. Having been in the field for so long, we have witnessed some major changes in the cybercrime world’s modus operandi. This report shares our insights into the Russian-speaking cybercrime world and the changes in how it operates that have happened in the past five years.

We overview what kind of attacks are now carried out by cybercriminals and what influenced this change — including such factors as changes in vulnerability market and browser safety. We also review what pushed cybercriminals to transform their operations into the now well-known malware-as-a-service model — the use of cloud servers, the decreasing relevance of custom malware and the subsequent emergence of small, agile teams. Lastly, we analyze the targets that cybercriminals select these days as opposed to a few years back, the reasoning behind them and criminal-to-criminal services offered on the dark web.

While this report is primarily focused on cybercriminals that operate on Russian territory, cybercriminals rarely restrict themselves to national borders — with ransomware gangs being a prime example of such cross-border activity. Moreover, trends that are visible in one country, more often than not resurface in other places and among new cybercriminal gangs. This report attempts to shed light on the changes in cybercriminals’ operations that we deem important — and actionable.

Incident analysis

Kaspersky’s Computer Incident Investigations Department specializes in attacks by Russian-speaking and Russia-based cybercriminals. The services we offer include incident analysis, investigation and post-incident expert support, all directed at preventing and mitigating the consequences of cyberattacks.

Back in 2016, the primary focus of our experts was on major cybergangs that targeted financial institutions, banks in particular. Big names such as Lurk, Buhtrap, Metel, RTM, Fibbit and Carbanak boldly terrorized banks nationwide, yet eventually fell apart or ended up behind bars — with our help too. Other cybercriminal groups, such as Cerberus, left the game and shared their source code with the world.

These days, the industries under attack are no longer limited to financial institutions, while major attacks like those we investigated back in the day are, thankfully, no longer possible. On top of that, due to changes in legislation that limited financial institutions in hiring external services, the number of cases we investigated for financial industry clients in 2020 was zero.

We investigated 200 cases for clients in Russia in 2020, and already over 300 in the first nine months of 2021. The industries affected included everything from IT to retail, from oil and gas to healthcare. This is a surprising trend, as one would expect COVID-19 and the move to remote working to have prompted more computer incidents in 2020. But our visibility showed otherwise.

The cybercriminal ecosystem has always consisted of various roles. The main constants in this system are the infrastructure needed for carrying out cybercriminal activity and the instruments used for this activity. The roles of people in the game directly depend on the infrastructure and the instruments — and these have changed. Let’s delve into some of the major shifts that have taken place in the cybersecurity sphere in the past five years and see how they have transformed the way Russian-speaking cybercriminals operate.

Client-side attacks on the wane

It may be hard to imagine these days, but just five years ago getting your computer infected with a Trojan was as easy as visiting a news website. In fact, a lot of malware in Russia was distributed “straight from the front page” — via news platforms and other legitimate websites. True, web attacks are not a thing of the past yet, but with increasing browser security, attacks via this vector have become much harder. Previously, many cybercriminals made a living simply by distributing exploits via legitimate websites. A whole market was built around that process — with dedicated staff to keep it running.

At the time, browsers were full of vulnerabilities, offered a bad user experience and were generally insecure. Many people used the browsers they were accustomed to rather than browsers of choice, or the default browsers set by their organizations, such as Internet Explorer. Attacks via plugins, such as Adobe Flash, Silverlight and Java, were also among the easiest and most frequently used ways to infect user devices — and now they are a thing of the past.

In 2021, browsers are much safer, with some of them updating automatically, without any user participation, while browser developers continually invest in vulnerability assessment. Furthermore, with the development of numerous bug-bounty programs, it has become easier to sell discovered vulnerabilities to the developers themselves, rather than look for a buyer on the dark web. That also led to higher prices for vulnerabilities.

With safer browsers, web infections have become more challenging and, ultimately, unattractive to cybercriminals. As a result, targeting regular rather than corporate users with such means has become too expensive and not commercially viable.

Vulnerability market got a remake…
