The cyber landscape of the 21st century has become one of the fastest-growing areas of concern for governments, individuals, and corporations alike. With more and more of the world connected to the internet and familiar appliances (from thermostats to refrigerators) being hardwired with computer systems, the security of our everyday devices has risen to the top of the public’s perception of the threats to our livelihoods. One of the most prolific threats from this development is the proliferation of ransomware attacks on private and public entities. Ransomware attacks have become a global issue, necessitating the creation and development of a complex black market for cybercriminals. With this development of a cybercrime market and, within it, ransomware, some groups have risen to the top and dominated the market, particularly in Russia.
Russia has been unwilling to prosecute cybercriminals, acting as a haven and even offering advice for evading the law. Some of the most successful and prolific Russian ransomware gangs include Conti Group, DarkSide, REvil, and Avaddon, each raking in tens of millions of dollars in profit and causing global panic over the risk of being the victim of a ransomware attack. However, despite the skill, prolific successes, and size of each of these gangs, they’ve all disbanded and officially shut down operations publicly. In the world of legitimate businesses, the more money a firm makes, the higher its chances of success and climbing the ladder of capitalism become. However, the opposite seems true in this burgeoning cybercrime market, presenting a fascinating puzzle.
This paper will examine the nature of the economic market for cybercrime and the political interactions between cybercrime and state actors to understand these groups’ economic and political functions. Having laid out the weaknesses inherent in cybercrime organizations such as these, I will then explain how the pressure from international actors acts as a catalyst that capitalizes on these weaknesses to initiate the collapses while offering a critique of current interpretations of international pressure in this context. Ultimately, the international actors’ pressure on the Russian government is more important than the pressure on the syndicates and causes the Russian state to initiate measures leading to these sudden and seemingly inexplicable collapses.
What is Ransomware?
A ransomware attack utilizes a specific kind of malware, malicious code often unwittingly installed on a user’s computer, to extort money from victims. The particular malware used in ransomware attacks takes control of a computer or network and then freezes access to it, making the victim unable to access any files on their computer.[1] Not only does ransomware freeze access, but in most cases, the ransomware gang behind the attack also steals sensitive files and holds them with the threat of releasing them to the public or selling them to the highest bidder. This technique is called double extortion because the ransomware gang is applying twofold pressure on their targets – the risk of losing access to their network entirely and having sensitive information leaked or sold.[2]
Ransomware attacks have targeted thousands of individuals and organizations, such as police departments, hospitals, and high-ranking public officials across the globe. These attacks force victims to run their usual operations without using their computers and networks, which can have devastating ramifications. Police officers working in precincts targeted by ransomware attacks are forced to dispatch calls manually, public transportation services cannot collect fares, and in some cases, hospital patients have had to be dangerously relocated to other medical facilities.[3]
To stop the attack, the victim pays a ransom in exchange for retrieving access to their files unchanged, unreleased, and not sold to any other interested actors. In a template for an email sent to the victims of a ransomware attack, the attacker promises to decrypt all of the encrypted files and even offers to protect the victim’s network from future attacks.[4] The email is very professional, claiming that the attack was “just business” to gain the victim’s trust – which succeeds a shocking number of times. According to Symantec, 64% of ransoms are paid in the United States, with the global total at just over one-third.[5] The US Department of Justice, in its analysis of LockBit, a prolific ransomware gang, identified that the syndicate had requested $100 million from its 1,000 victims worldwide, often extracting actual payments closer to the tens of millions.[6] DarkSide, the syndicate responsible for the Colonial Pipeline hack, extracted a payment of nearly $5 million worth of Bitcoin from its victim.[7] With the average ransom demand in 2022 reaching $6 million,[8] it’s no surprise that the market for ransomware attacks is rapidly expanding.
Ransomware-as-a-Service (RaaS)
The expansion of the cybercrime market has ushered in the evolution of the market for ransomware attacks, allowing for the development of a new business model called Ransomware-as-a-Service (RaaS). RaaS is a business model in which the developers of specific ransomware code lease out the software and the infrastructure needed to utilize it to other cybercriminals.[9] This means there is a supply chain in a highly diversified marketplace for ransomware software, much like any other business market.
In its 2022 Digital Defense Report, Microsoft outlined the key players in this supply chain, with RaaS gangs being centrally located. At the beginning of the supply chain are the operators – individuals with programming capabilities who develop and maintain the tools used in ransomware attacks, including malware code, payment portals, and communications systems. The operators themselves rarely launch ransomware attacks, so they sell their code and tooling to what are known as affiliates, who choose their targets and launch the attacks. Between the operators and the affiliates sit the RaaS syndicates, which provide the infrastructure that allows the affiliates to launch their attacks with the tools created by the operators while also assisting with services such as web hosting, decryption negotiation assistance, payment pressure, and crypto transaction services.[10]
Structural Flaws in the Cybercrime Marketplace
The ransomware market has exploded in recent years, drastically changing the economic functioning of every actor involved. A market, in the simplest definition of the term, is usually composed of two primary parties: a buyer and a seller, or a consumer and a vendor, which, in economic terms, can be called demanders and suppliers. In this market, the demanders are the affiliates, those who want to purchase ransomware packages from operators to launch their own attacks. The suppliers are the operators and the RaaS gangs, those who write the code and provide the necessary infrastructure and support to utilize ransomware to extort profits. Understanding the nuances of the demand side of the ransomware market is critical to understanding the supply side and the market as a whole. As a whole market, supply and demand side shifts lead to an overall reduction in prices, which then, in turn, affects the functioning of the individual organizations and, ultimately, their demises.
The democratization of the cybercrime market increased the demand for ransomware services in multiple ways. The first is that there are, simply put, more people who are demanding these services. Most ransomware kits are sold on the dark web, which is easily accessible through software that anyone can download, with the most common being the Onion Router (Tor). The ease of accessibility of the dark web and the fact that browsing on it is perfectly legal means that there will be thousands, if not hundreds of thousands, of potential customers for RaaS gangs on the dark web. Somewhere between 70% and 80% of dark web users are individuals, meaning the market is saturated with potential buyers.[11] However, market saturation in this context doesn’t automatically lead to an increased demand for ransomware packages. The crucial piece that allows this wealth of potential consumers to enter the marketplace is that the RaaS model eliminates many of the barriers that previously withheld people who otherwise would have wanted to engage in ransomware attacks due to their lack of technical knowledge. Someone only needs to know their way around a web browser to access the dark web, find a ransomware salesperson, buy the package along with its support, and launch an attack.[12] With the combination of these two factors, the demand side of the market for ransomware has seen massive growth.
On the supply side, a simple economic explanation comes from the increased demand – where there’s demand, supply will follow. With the opportunity to make millions of dollars in profit, it is no surprise that capable, skilled groups supply these goods and services. As encryption gets better and security gets more robust, the skill of those offering their services also increases.[13] The rapid expansion of this market and the need for suppliers of ransomware packages breeds the commercialization of the market, and thus, RaaS is born and flourishes. The existence of highly skilled operators who each develop unique software that utilizes the most cutting-edge exploits births new RaaS groups, creating competition and driving supply further toward the market’s demand. This is not just a theory – the most in-demand job listed on the dark web from 2020 to 2022 was operator, with 61% of job postings being for that role.[14] The demand for this role is easily met, as plenty of eager coders are willing to work for RaaS gangs despite the work being illegal. Coders flooded the market in March 2020, directly after the start of the COVID-19 pandemic and the subsequent layoffs in the legal tech industry. Lax dress codes, flexible hours, high pay, and a lack of legal jobs incentivized people to search for jobs on the dark web, where they were met with hundreds of job postings awaiting their expertise.[15] An increase in demand and the impacts of COVID-19 on technology jobs converged at the perfect time to enable a massive increase in the supply of ransomware packages.
As per classic economic theory, an increase in supply and demand leads to a decrease in the price of goods sold and an increase in the quantity of goods. To apply this theory to the ransomware market, we can look at the price of a Windows Locker (WinLocker), the category of tool usually used in the encryption aspect of a ransomware attack. The cost ranges from $10-$20 depending on the code’s quality, with the code’s implementation ranging from $20-$25. Although this doesn’t consider the percentage that RaaS gangs take from any successful ransom payout (usually anywhere from 10-30%, depending on the size of the ransom[16]), an interested buyer could have a sophisticated ransomware attack on their hands for as low as $30.[17] Pre-made phishing scams specifically designed to mimic well-known companies for as low as $2, configuration files for cracking passwords for $2, and malware for emptying Bitcoin wallets for $6.07 – these are all products available on the dark web for anyone who wants them to buy and implement.[18] To say that prices are low would be an understatement.
In terms of quantity, when Verizon published its yearly Data Breach Investigations Report for 2022, it identified that ransomware attacks had increased by 13% from the previous year.[19] More ransomware packages are being launched, and more actors can distribute them en masse. This is the commercialization of the ransomware marketplace.
Although not entirely apparent initially, the development of the ransomware market described above is one of the primary causes of the dissolution of prolific RaaS syndicates. The first reason this is the case is that competition and saturation of markets, although the drivers of lower prices and a higher quantity of sales, cause the failure of large entities, even in the legitimate business world. As prices fall, the likelihood that a competitor can undercut one firm’s product and price becomes more significant. The second reason the market’s commercialization has led to these syndicates’ failure is that there was too much growth in too short a period. Avaddon, which is estimated to have netted its four primary operators a tidy $7 million each, was operational for only one calendar year from June 2020 until June 2021.[20] DarkSide, the RaaS gang responsible for the Colonial Pipeline hack, which is estimated to have pulled in more than $90 million, operated for an even shorter amount of time, from August 2020 until May 2021.[21] These gangs were responsible for maintaining the infrastructure needed to launch thousands of attacks, all while providing customer service to their buyers, payment portals to their victims, and even HR departments on call for tech issues.[22] The quality of their services became questionable, and the amount of quality control they could enact became much lower. When the scale of their operations got too large, and the heat bore down upon them from law enforcement, their quick rises to power and shaky foundation led to their collapse.
Moscow’s Hand in the Collapse of Russian RaaS Syndicates
The theory of economic instability cannot be applied in all cases of RaaS collapses. Conti Group, a RaaS gang that puts others to shame, which brought in an estimated total of $180 million in 2021 alone, invested heavily in its product to ensure that it rested on a solid foundation. It paid $60,000 for a license for a network penetration testing and reconnaissance tool, allocated several thousand dollars a month for anti-virus software for its operators to reverse engineer, and invested in the reverse engineering of Windows 11 as soon as Microsoft launched it.[23] Conti still collapsed in May 2022, regardless of the effort it had put in toward fighting the issues that arose from the quick commercialization of the market.
For many years, experts have believed that the Russian government was exerting influence over the ransomware syndicates, utilizing loose connections and affiliations to achieve specific international aims while maintaining a safe level of plausible deniability. Unfortunately, if that is the case, the government does an excellent job of keeping those relationships hidden, and as such, there has been no evidence that these relationships actually exist. That was the case, at least, until the invasion of Ukraine in February of 2022. With Putin’s all-out war against Ukraine came a slew of cyber-related attacks, both state-sponsored and not, that shine some light on these relationships. The war in Ukraine put political stress on Russian ransomware groups, forcing them to become pseudo-political entities. This pressure led to the collapse of Conti Group, which will be outlined in detail later. It also highlights another reason prolific RaaS groups collapse, allowing us to look back at groups that dissolved before the Ukraine war and examine their collapses through this particular analytical lens.
The evidence points to the claim that in these instances, the RaaS groups did not dissolve on their own but were shut down by the Russian government due to becoming too publicly affiliated with it in the political realm. New research presented at the Cyberwarcon conference in Arlington, VA, in late 2022 highlights a pattern of ransomware attacks in France, the UK, the US, Canada, Germany, and Italy leading up to their national elections that closely align with Russian foreign interests. The research found that in the two months leading up to the elections, organizations within each of those six countries were 41% more likely to be the victim of a Russian ransomware attack compared to a baseline vulnerability.[24] There is a clear alignment of Russian state interests with the actions of RaaS groups, but there was no apparent evidence to prove it until Conti.
Conti Group, making more money than most other RaaS gangs combined in a single year, went up in flames right after the war’s outset. The catalyst of this collapse was not international scrutiny but rather the group’s politics, which ultimately led to the leak of over 60,000 internal chat logs shining a spotlight on the group’s dynamics, politics, and structure leading to its collapse. The announcement posted by Conti Group on February 25, 2022 (the day after Putin invaded Ukraine) states that the group is in “full support of [the] Russian Government.” They vowed to strike back at any enemies engaging in cyber or kinetic warfare against the Russian state. This announcement quickly became a problem for Conti, as its membership is not geographically isolated to Russia but extends into Belarus and Ukraine. Chats between various Conti affiliates (translated from Russian) reveal discussions perpetuating lies and misinformation about the invasion, including that Ukraine is run by a “Neo-Nazi junta” (нионацисткая хунта) and repeated anti-semitic remarks aimed at Ukrainian President Volodymyr Zelenskyy.[25] Within these internal chats, some users voiced their doubts regarding the truth of these statements. In one instance, the user using the pseudonym “Elijah” questioned what Putin had to gain from the invasion, sparking debate amongst the group and further anti-semitic remarks. Another user said, “Things will change when bonfires burn on Red [Square].” Not only was contempt stirring within Conti internally, but this clear political affiliation drew the attention of an independent Ukrainian cybersecurity researcher who had been following Conti closely, who ultimately ended up being the one to leak the chat logs on Twitter.
Another critical piece of information found in the chat logs is evidence that the Russian government asked Conti on at least one occasion to hack for them.[26] This is the first significant confirmation of the collusion between the Russian state and RaaS actors and is precisely why Conti disbanded.
Although it is known to all that Russia does not cooperate with international efforts to apprehend cybercriminals and offers advice on how not to get caught, hard evidence linking the actions of these groups to state commands is hard to come by.[27] There is an obvious incentive for the Russian government to keep it this way, which will be described in further detail later in this paper. In the context of Conti, the group flew too close to the sun, and as a result, its affiliations with the Russian government and intelligence agencies became too clear, resulting in its swift “collapse.”
This process is evident in the dissolution of Conti, and it creates a template to follow in the analysis of the dissolution of the other groups. DarkSide was the RaaS gang responsible for the Colonial Pipeline hack, one of the most famous ransomware attacks in recent years. Colonial Pipeline is one of the largest pipelines in the United States and carries refined gas and jet fuel from Texas to New York. DarkSide launched a ransomware attack that didn’t halt pipeline operations but shut Colonial out of its payment processing system, forcing them to shut down the pipeline preemptively. Colonial agreed to pay a nearly $5 million ransom before alerting the FBI to the situation.[28] Within days of the attack, DarkSide announced online that they were shutting down operations due to pressure from the US. In that announcement, they claimed to be an apolitical group with no affiliations with the Russian state and only engaged in the attack to make money. They claim that the targeting of the Colonial Pipeline simply came down to how large of a ransom they believed they could extract.[29] The syndicate did not foresee the scale and impact of their hack, and the international pressure they faced caused them to shut down.
Looking at the speech given by President Biden shortly after the attack tells a different story, however, a story that is much more in line with the explanation for Conti’s dissolution. In his speech, Biden did assert that there was no evidence that the Russian government was colluding with DarkSide. Still, he did, on two occasions, state that the attack was from Russia and that the Russian government has an obligation to take care of the cybercriminals.[30] There are two possible explanations for what occurred here, both of which have the same outcome. Either the government heeded the words of Biden and took covert action against DarkSide, or they took action out of fear that an investigation would point to ties between the syndicate and the state. Either way, the spotlight that DarkSide put itself under turned it into a political liability for Putin. The announcement coming from DarkSide sounds like it was written by the Russian state to dissolve any idea of cooperation, allowing it to maintain its plausible deniability.
In January 2022, the Russian government took its first overt action against a ransomware syndicate by arresting 14 members of the gang REvil. REvil was responsible for the $11 million ransom paid by the US meat supplier JBS and thousands of other medium/high-profile ransomware attacks.[31] The arrests came down right as tensions in Ukraine heated up. Many experts believe that the Russian government cracked down on REvil not for practical reasons or in the name of justice but with ulterior political motives. The Russian state faced growing political pressure regarding cybercrime’s ability to flourish in Russia and its conduct in Ukraine and sacrificed REvil to distract and deflect.
These three cases all have complex political contexts that predicate their collapses – a common thread being the undeniable value the Russian government gets by shutting these groups down at times strategically crucial in the broader geopolitical landscape. The otherwise unexplainable collapse of Conti Group, the seemingly forced messaging from DarkSide, and the virtue signaling from Russia regarding REvil all point to the conclusion that the Russian government, when it no longer has any need for them, and the risk of maintaining ties with them gets too high, plays an integral role in their collapse. The government has the capability and the intelligence connections to influence these collapses easily, and when it benefits the state to do so, it will.
International Scrutiny as an Agent of Collapse
International scrutiny has significant impacts and often acts as the catalyst of the collapse of RaaS groups. That said, it’s for a different reason than most experts claim. When asked about the destruction of DarkSide after the Colonial Pipeline attack, experts chalked it up to the simple answer that the US cracked down on them due to the scale of the attack. Biden’s remarks were assumed to have scared DarkSide into the shadows, and the US government has been credited with the “takedown” of the syndicate. The same argument has been made regarding the other prolific cases mentioned above. Cybercriminals operating in such a hard-to-regulate space as the internet enjoy luxuries that real-world criminals do not. They can operate entirely anonymously and do not have to meet face-to-face to transact as a drug dealer would have to. This luxurious criminal lifestyle can fuel large egos and a heightened sense of security, so the logic is that cybercriminals are unprepared for the fallout once the heat from international actors intensifies.
Although the impact of international attention on the groups themselves plays a role in their ultimate demises, there is a dual role that international pressure plays, which incorporates the political assessments made in previous sections of this paper. When the US scrutinizes these syndicates, they are not simply concerned with the groups themselves. They are interested in the role these groups play in the global security landscape, how they interact with state actors, and the implications that their presence has on international relations. The US must also scrutinize Russia and its behavior regarding RaaS syndicates. The Russian government has clear incentives to avoid official connections between itself and RaaS gangs and will do what is in its power to avoid this liability.
This situation parallels another – that of the mercenary groups operating out of Russia in the Ukraine war and in parts of Africa. However, it appears that Moscow cares more about being affiliated with cybercriminal organizations than mercenary groups such as Wagner Group, which are arguably committing more atrocious acts. Why would the Russian state try so hard to cover up these connections when it has been directly linked to Wagner? The answer to this question comes from the fact that cybercrime is unlike any other type of crime – in that actors located in Russia can remotely carry out their crimes that affect devices and people all the way across the world. This is already a massive difference. If Wagner mercenaries were to come onto US soil and start murdering civilians, their affiliation with Moscow would be cause to ignite a war between Russia and the US. Hence, this doesn’t happen. Unlike the mercenary groups, Russian ransomware gangs are committing crimes in the US, such as DarkSide’s ransomware attack against Colonial Pipeline. Although this is a heavily debated cybersecurity topic, many believe cyberattacks against critical infrastructure can be considered acts of war. So now, imagine if Moscow is directly connected to entities actively engaging in acts of war in the US. Because of the global nature of cyberspace, the Russian state has to take precautions with its connections to ransomware gangs so much more seriously than with its connections to groups operating within its own sphere of influence.
Conclusion: What’s Next for Ransomware?
The evolution of the digital landscape has ushered in a plethora of new challenges, not the least of which is the emergence of cybercrime and RaaS operations. The commercialization of the cybercrime market has led to the stunning rise of multimillion-dollar Russian ransomware syndicates, and just as quickly as they rose, they collapsed. The rapid rise of these groups led to economic instability, and the unique location of these groups within the geopolitical landscape caused the Russian government to target them for its preservation. When international actors enter the arena, they apply pressure on precisely the right places. Economic or political factors weakened these groups, and a combination of the two is often at play. This pressure, applied unilaterally to the groups and the Russian state, facilitates the covert actions of the Russian state and ultimately leads to the collapse of prolific RaaS gangs.
Although the preconditions to the rise of these groups ultimately led to their demises, it is impossible to say with certainty that these factors will remain issues. RaaS groups can establish more robust economic foundations before targeting more affluent victims and may also be able to utilize the geopolitical landscape to their advantage in the future. On top of that, just because these groups collapsed does not mean they are gone forever. Their code is still out there, the operators and affiliates are still looking for new exploits and victims, and all that these groups would need is a simple rebrand to divert international attention.
All of this is to say – the world is constantly changing. Cyberspace is constantly evolving. However, given these groups’ limitations, successes, and failures, as presented here, security analysts and policymakers can examine the patterns of these collapses to more efficiently work against them when the next Conti or DarkSide emerges from the ashes left by its predecessor.
Endnotes
[1] Marion, Nancy E, and Jason Twede. 2020. Cybercrime: An Encyclopedia of Digital Crime. Santa Barbara: ABC-CLIO, LLC.
[2] CIS Center for Internet Security. “Ransomware: The Data Exfiltration and Double Extortion Trends.” Accessed April 30, 2023. https://www.cisecurity.org/insights/blog/ransomware-the-data-exfiltration-and-double-extortion-trends.
[3] Sharp, Morgan. 2017. “Cyber extortion demands surge as victims keep paying: Symantec.” Reuters. https://www.reuters.com/article/us-cyber-ransom-idUKKBN17S1U6.
[4] CIS Center for Internet Security. “The Conti Leaks: A Case of Cybercrime’s Commercialization.” Accessed April 30, 2023. https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization.
[5] Sharp, Morgan. 2017. “Cyber extortion demands surge as victims keep paying: Symantec.” Reuters. https://www.reuters.com/article/us-cyber-ransom-idUKKBN17S1U6.
[6] Department of Justice. 2022. “Man Charged for Participation in LockBit Global Ransomware Campaign.” https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign.
[7] Krauss, Clifford. 2021. “Colonial Pipeline Paid Roughly $5 Million in Ransom to Hackers.” The New York Times. https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html.
[8] Baker, Kurt. 2023. “What is Ransomware as a Service (RaaS)?” CrowdStrike. https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/.
[9] Kaspersky IT Encyclopedia. “What is RaaS (Ransomware-as-a-Service)?” Accessed April 30, 2023. https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/.
[10] Microsoft. 2022. “Microsoft Digital Defense Report 2022.” https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022.
[11] Ablon, Lillian, Martin C. Libicki, and Andrea A. Golay. 2014. Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. N.p.: RAND Corporation.
[12] It is important to note that the claim here is not that it is easy to undertake a successful large-scale ransomware attack, as discussed in this paper, simply that the barriers for entry are significantly lower than if the market did not exist in this fashion.
[13] Ablon, Lillian, Martin C. Libicki, and Andrea A. Golay. 2014. Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. N.p.: RAND Corporation.
[14] Antoniuk, Daryna. 2023. “Report: Developers are most in demand on dark web.” The Record by Recorded Future. https://therecord.media/report-developers-are-most-in-demand-on-dark-web.
[15] Antoniuk, Daryna. 2023. “Report: Developers are most in demand on dark web.” The Record by Recorded Future. https://therecord.media/report-developers-are-most-in-demand-on-dark-web.
[16] Schwirtz, Michael. “Inner Workings Of DarkSide Cybergang Reveal It’s Run Like Any Other Business.” Interview by Terry Gross. Fresh Air, NPR, June 10, 2021. https://www.npr.org/2021/06/10/1005093802/inner-workings-of-darkside-cybergang-reveal-its-run-like-any-other-business.
[17] Goncharov, Max. 2012. “Russian Underground 101.” Trend Micro Incorporated. https://go.trendmicro.com/archive/docs/wp-russian-underground-101.pdf.
[18] Migliano, Simon. 2018. “The Dark Web is Democratizing Cybercrime.” Medium. https://medium.com/hackernoon/the-dark-web-is-democratizing-cybercrime-75e951e2454.
[19] Verizon. 2022. “2022 Data Breach Investigations Report.” https://www.verizon.com/business/resources/reports/dbir/.
[20] Roberts, Dawna M. 2021. “Avaddon Ransomware Gang Announces Retirement.” IDStrong. https://www.idstrong.com/sentinel/avaddon-ransomware-gang-bites-the-dust/.
[21] Schwirtz, Michael. “Inner Workings Of DarkSide Cybergang Reveal It’s Run Like Any Other Business.” Interview by Terry Gross. Fresh Air, NPR, June 10, 2021. https://www.npr.org/2021/06/10/1005093802/inner-workings-of-darkside-cybergang-reveal-its-run-like-any-other-business.
[22] CIS Center for Internet Security. “The Conti Leaks: A Case of Cybercrime’s Commercialization.” Accessed April 30, 2023. https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization.
[23] CIS Center for Internet Security. “The Conti Leaks: A Case of Cybercrime’s Commercialization.” Accessed April 30, 2023. https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization.
[24] Newman, Lily H. 2022. “Russia’s Sway Over Criminal Ransomware Gangs Is Coming Into Focus.” WIRED. https://www.wired.com/story/russia-ransomware-gang-connections/.
[25] Lee, Micah. 2022. “What Russian Hackers Thought as Putin Invaded Ukraine.” The Intercept. https://theintercept.com/2022/03/14/russia-ukraine-conti-russian-hackers/.
[26] Lee, Micah. 2022. “What Russian Hackers Thought as Putin Invaded Ukraine.” The Intercept. https://theintercept.com/2022/03/14/russia-ukraine-conti-russian-hackers/.
[27] Poulsen, Kevin. 2013. “Russia Issues International Travel Advisory to Its Hackers.” WIRED. https://www.wired.com/2013/09/dont-leave-home/.
[28] Krauss, Clifford. 2021. “Colonial Pipeline Paid Roughly $5 Million in Ransom to Hackers.” The New York Times. https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html.
[29] Lerman, Rachel, Ellen Nakashima, and Drew Harwell. 2021. “DarkSide hackers of Colonial Pipeline say they’re shutting down.” The Washington Post, May 14, 2021. https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/.
[30] Biden, Joe. 2021. “Remarks by President Biden on the Colonial Pipeline Incident.” The White House. https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/05/13/remarks-by-president-biden-on-the-colonial-pipeline-incident/.
[31] Burgess, Matt, and Lily Newman. 2022. “Russia Takes Down REvil Hackers—as Ukraine Tensions Mount.” WIRED. https://www.wired.com/story/russia-revil-ransomware-arrests-ukraine/.