State-backed ransomware at the intersection of espionage, sabotage, and cybercrime

Ransomware has rapidly evolved into one of the most significant and pervasive cybersecurity threats. High-profile incidents demonstrate its far-reaching impact and potential for disruption. The 2021 Colonial Pipeline attack caused fuel shortages across the United States, the 2022 Conti group attack on the Costa Rican government crippled the country’s infrastructure and financial systems, and the 2024 targeting of prominent London hospitals by the Russian-linked Qilin ransomware gang caused significant disruption to emergency and surgical care.
This is no longer the sole domain of criminal groups. State actors are now deploying ransomware to achieve strategic objectives as well. By examining the cases of Russia, China, North Korea, and Iran, we can see that states use ransomware not only for financial gain but also to achieve political aims.
Presented here is an excerpt from Virtual Routes’ latest Pharos Report, which explores the diverse purposes and methods of state-linked ransomware operations.
Different approaches
Divergent motives and operational ecosystems contribute to varying uses of state-linked ransomware to gain strategic advantages.
Russian state-linked groups, often with ties to criminal ecosystems, deploy ransomware as an operational tool in high-intensity conflicts. A notable example is GRU Unit 74455’s ransomware attacks during the 2022 invasion of Ukraine, which targeted supply routes vital to Ukraine’s defense.
Meanwhile, Chinese state-linked groups tend to prioritise plausible deniability, using ransomware in cyberespionage campaigns to distract, misattribute, or erase evidence. For example, suspected China-based ransomware operator Bronze Starlight (also known as DEV-0401 or SLIME34) is believed to use ransomware to cover up espionage. The group’s victimology, including government, manufacturing, technology, and financial services organisations across North America, Europe, and Asia; the short lifespan of its ransomware strains; and its use of malware associated with cyberespionage threat groups suggest that Bronze Starlight is not a conventional, financially motivated cybercriminal group.
In contrast, North Korean ransomware use primarily focuses on financial gain to support its regime and operations – one 2023 US government assessment suggested that around half of the North Korean ballistic missile program was believed to be funded by cyber-enabled theft and extortion.
A closer look at Iranian ransomware usage
Iran-linked groups have a long history of disruptive and destructive cyber operations, often aimed at signalling strength or retaliating against regional adversaries, particularly Israel. In the past few years, they have added ransomware as a means to achieve these objectives.
The first documented ransomware activity attributed to Iran was Operation Quicksand, reported in October 2020. This campaign, attributed to a Ministry of Intelligence-associated contractor called Muddywater, used Thanos ransomware in destructive attacks against state-run organizations across the Middle East and North Africa.
Since then, many ransomware attacks conducted by Iran have sought to impact Israel. A notable example is the Pay2Key campaigns in 2020, attributed to Fox Kitten. Here, instead of demanding a ransom, the group leaked stolen data in order to incite panic in Israel through public threats and propaganda, emphasising psychological impact over financial gain.
Similarly, in February 2023, Muddywater targeted the Israel Institute of Technology, forcing it to shut down IT systems and postpone exams. They demanded 80 bitcoins (worth around $1.7 million at the time) and issued an ideologically charged note condemning Israel as ‘an apartheid regime’ and stating that Israel should ‘pay for occupation, war crimes against humanity, killing the people (not only Palestinians’ bodies, but also Israelis’ souls).’
Other states have also been targeted. In July 2022, the group HomeLand Justice – believed to be a collaboration between multiple Iran-linked actors – conducted an attack against the government of Albania. The group deployed a ransomware-style file encryptor alongside disk-wiping malware, disrupting websites and essential services. In addition to causing operational damage, the attack carried a clear political message: infected systems displayed an anti-Mujahedin-e-Khalq statement criticising Albania’s decision to host the Iranian dissident organization. The message, ‘Why should our taxes be spent on the benefit of DURRES terrorists?’ underscored the political motivations behind the campaign.
While these political motivations are common, Iranian state-linked groups have also apparently used ransomware to create misattribution or plausible deniability, and for financial gain. These purposes have remained relatively consistent since Iran-linked groups began pursuing their goals through cyber operations, but three notable trends have been observed over the years:
First, these groups appear to have shifted away from using wipers – data destruction malware – such as Shamoon, as their primary tools for disruption and destruction, instead favoring ransomware or pseudo-ransomware, likely to preserve plausible deniability.
Second, groups like Pioneer Kitten and Fox Kitten have increasingly engaged with the ransomware ecosystem by offering services to other groups, such as providing initial access through marketplaces.
Finally, while difficult to quantify, Iranian state-linked groups have frequently utilised social media to publicise their ransomware activities as part of propaganda campaigns aimed at instilling fear and diverting attention.
Shared uses
Despite the different geopolitical motives and positions of these states, and thus their differing approaches to ransomware usage, there are also commonalities and convergences. While North Korea has long used ransomware to fund itself and Chinese state hackers have incorporated it into moonlighting activities, Iranian state-linked groups have also begun exploiting unauthorized access for financial gain.
Similarly, while Iranian and Russian state-linked groups have histories of using ransomware for politically and militarily motivated disruption, there is now evidence that China is also using ransomware for such purposes, as evidenced by incidents such as those targeting the All India Institute of Medical Sciences and the Brazilian presidency.
Another broader trend has emerged: states are not building ransomware operations entirely from scratch. Instead, they are leveraging established ransomware infrastructure – relying on well-known affiliates, purchasing access, or deploying widely used strains like LockBit. In doing so, they reduce their operational overhead and complicate attribution.
In some cases, such as with North Korea and Iran, groups don’t stop at access acquisition but play an active role in the execution of ransomware operations, from negotiation to payment, blending state objectives and personal or organisational financial gain. This includes activities such as moonlighting, redirecting funds to support other operations, and working independently under loose or shifting chains of command. Given these dynamics, we should expect even greater entanglement between state and criminal ransomware activity in the future.
The shift by states from wipers toward ransomware over the past several years may reflect the myriad advantages of ransomware. It offers plausible deniability for some and financial gain for others, while requiring less development time for most, since they can simply use off-the-shelf ransomware-as-a-service (RaaS) variants.
States are increasingly embedding themselves in the ransomware ecosystem, not merely as outside beneficiaries but as active participants. Despite divergent motives and operational ecosystems, states exploit ransomware for strategic advantage in increasingly similar ways.