Russian Ransomware Projects Renamed to Avoid Western Sanctions: Report

Blockchain intelligence firm TRM Labs has revealed that some of the major Russian-linked ransomware syndicates have renamed their activities in 2022 to avoid sanctions from Western countries.

according to a new report Recently published, rebranding and other significant activity showed notable changes in the cybercrime space and darknet markets (DNMs) after Russia invaded Ukraine.

Renamed Ransomware Operators to Avoid Sanctions

After the Russian invasion of Ukraine, several Western law enforcement agencies imposed stricter sanctions on Russian ransomware platforms.

Similarly, sanctions imposed by the US Office of Foreign Assets Control (OFAC) on the popular darknet platform Hydra crippled ransomware projects as they struggled to gain market dominance while avoiding law enforcement agencies.

To strengthen their anonymity through changes to on-chain behavior, two major ransomware syndicates, LockBit and Conti, have restructured their activities.

Through TRM’s on-chain analysis, open-source reporting, and proprietary information, the intelligence firm discovered that Conti ended its original operation and restructured into three smaller groups called Black Basta, BlackByte, and Karakut. Prior to diversification, Karakut was a side project run by Conti operators.

LockBit, on the other hand, has rebranded its operations since the invasion of Ukraine last February. Four months later, the syndicate released LockBit 3.0, which it designed as apolitical and focused on monetary gain.

“LockBit’s claim that it had no intention of purposely attacking Western countries may have been motivated by the possibility of Western sanctions against Russian entities. Furthermore, LockBit stated that it had prohibited attacks against entities related to critical infrastructure, presumably to minimize the risk of attention from authorities and possible sanctions,” TRM said.

Western sanctions had little impact on DNMs

In addition, the TRM analysis also found significant growth in the use of Russian-speaking darknet markets. Due to sanctions imposed on DNMs, criminals have fled to Russian-related platforms to evade Western law enforcement.

Collectively, Russian-speaking darknet markets have seen several periods of sustained growth between April-July and October-December 2022. By the end of the year, they had amassed over $130 million in sales.


Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees for the first month of Binance Futures (terms).

PrimeXBT Special Offer: Use this link to register and enter code POTATO50 to receive up to $7,000 on your deposits.

Leave a Comment