Since 2020, the Iran-nexus threat landscape has evolved to include a significant ransomware component that does not have a readily apparent financial motive. While ransom notes and dedicated leak sites may profess a desire for cold hard cryptocurrency, the actual operations and observed behavior of the actors responsible have signaled a distinctly different set of motives. Across four separate adversaries between 2020 and 2021, available evidence points to the Iranian cyber operations enterprise having recognized ransomware’s potential as a cyberattack capability able to inflict disruptive impacts on victims at low cost and with relatively plausible deniability.
The first half of this talk will trace the arc of how this trend built up momentum from discrete intrusions that dovetailed with espionage operations into high-visibility “lock and leak” campaigns against entities in the Middle East that persisted despite significant public scrutiny. The latter half of the talk will explore the various potential motives behind these incidents — including cover for action, harassment, degradation, and influence operations. These motives will be contrasted with those of Russian cases of cyberattack and operational preparation of environment activity, as well as ransomware deployments undertaken by North Korean threat actors. The final picture that emerges is one where, with ransomware fully adopted as a tool of computer network attack, the potential target scope of state cyberattack operations is wider than ever.