Why the Belarus Railways Hack Marks a First for Ransomware

The politically motivated attack represents a new frontier for hacktivists—and won’t be the last of its kind.
Using reversible encryption rather than merely wiping targeted machines would represent a new evolution in hacktivist tactics. Photograph: Valery Sharifulin/Getty Images

For years, idealistic hacktivists have disrupted corporate and government IT systems in acts of protest. Cybercriminal gangs, meanwhile, have increasingly held hostage the same sort of enterprise networks with ransomware, encrypting their data and extorting them for profit. Now, in the geopolitically charged case of a hacktivist attack on the Belarusian railway system, those two veins of coercive hacking appear to be merging.

On Monday, a group of Belarusian politically motivated hackers known as the Belarusian Cyber Partisans announced on Twitter and Telegram that they had breached the computer systems of Belarusian Railways, the country's national train system, as part of a hacktivist effort the attackers call Scorching Heat. The hackers have since posted screenshots that appeared to show their access to the railway’s backend systems and claimed to have encrypted its network with malware, for which they would only provide decryption keys if the Belarus government met a list of demands. They’ve called for the release of 50 political prisoners detained in the midst of the country’s protests against dictator Alexander Lukashenko, as well as a commitment from Belarusian Railways to not transport Russian troops as the Kremlin prepares for a possible invasion of Ukraine on multiple fronts.

The hackers appear to have successfully made at least some of Belarusian Railways' databases inaccessible on Monday, according to Franak Viačorka, a technical advisor to Belarusian opposition leader Sviatlana Tsikhanouskaya. Viačorka says he confirmed the database outages with Belarusian Railway workers. The railway's online ticketing system was also taken down Monday; on Tuesday it displayed a message that “work is underway to restore the performance of the system” but remained offline. 

“At the command of the terrorist Lukashenka, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR's servers, databases, and workstations to disrupt its operations,” the Cyber Partisan hackers wrote on Twitter Monday, noting that the hackers were careful not to affect “automation and security systems” that could cause dangerous railway conditions.

Cybersecurity researchers have yet to independently confirm what sort of ransomware was used to encrypt Belarusian Railways' systems. But a spokesperson for Cyber Partisans, Yuliana Shemetovets, wrote to WIRED that while the hackers permanently deleted some backup systems, others were merely encrypted and could be decrypted if the hackers provide the keys. Shemetovets added that the ransomware the hackers used “was specially created but based on common practice in this field.”

Using reversible encryption rather than merely wiping targeted machines would represent a new evolution in hacktivist tactics, says Brett Callow, a ransomware-focused researcher at security firm Emsisoft. “This is the first time I can recall non-state actors having deployed ransomware purely for political objectives,” says Callow. “I find this absolutely fascinating, and I’m surprised it didn’t happen a long, long time ago. It’s far more effective than waving placards outside a puppy testing lab.”

Ransomware—and destructive malware purporting to be ransomware—has certainly been used for political coercion in the past. North Korean hackers, for instance, planted destructive malware on machines across the network of Sony Pictures in 2014. Posing as hacktivists going by the name Guardians of Peace, they appear to have sent an email demanding payment prior to the attack, then pressured the company not to release the Kim Jong-un assassination comedy The Interview. In 2016 and 2017 the Russian hackers known as Sandworm, part of the country's GRU military intelligence agency, used fake ransomware as a means to destroy computers across Ukraine—and ultimately hundreds of other networks around the world—while posing as profit-seeking cybercriminals. (Unidentified hackers appear to have targeted systems in Ukraine with the same tricks, on a much smaller scale, earlier this month.)

Even if the Cyber Partisans' ransomware turns out to be a thin disguise for irreversibly destructive malware, as in those earlier cases, the incident still seems to represent a new phenomenon. The group appears to be actual, bona fide hacktivists rather than state-sponsored hackers posing as such. “At the risk of maybe eating crow in a few years, the Cyber Partisans seem like a more authentic effort,” says Juan Andres Guerrero-Saade, a researcher at security firm SentinelOne who gave a talk at last year's CyberwarCon conference about the state of modern hacktivism. “We've seen fake ransomware being used by fake hacktivism, but I don't think we've ever seen this tactic being used by real hacktivism in any way that I can recall.”

The Cyber Partisans are genuine grassroots hacktivists, says Viačorka, the technical advisor to Belarus' opposition party. Since last summer, the group has rampaged through Belarusian state systems, breaching government and police databases and leaking their contents to show the inner workings of the government’s crackdown on protesters and cover-up of Covid-19 infection rates. Viačorka points out that the group is part of the Belarusian “Supraciu,” or “solidarity,” movement of political dissident activists calling for the overthrow of the dictatorial Lukashenko regime, and that Belarus designated that larger network as terrorists in November of last year.

He adds that while he and Belarus' opposition party have no connection to the Cyber Partisans, he fully supports their work. “Cyberspace has become the domain of battle in our fight for freedom,” Viačorka says. “This is not only their revenge on the regime but how we keep the regime accountable. [The Lukashenko regime] understands that everything they do, the decisions they make, the crimes they commit will be accounted.”

Whether the Cyber Partisans' ransomware attack on Belarusian Railways will be a tactical success remains far from clear. Security researchers like Guerrero-Saade and Callow point out that hackers who create their own custom ransomware—as the Cyber Partisans claim to have done in this case—often make mistakes that allow their targets to decrypt their systems. Even Viačorka argues that the ransomware is unlikely to affect Belarusian Railways' movement of troops to the Ukrainian border. “The problem of such actions is that they’re very powerful, very disruptive, but they’re one-time, and when you make such an attack it’s very difficult to repeat,” Viačorka says.

Specific policy impacts, though, may only have been part of the broader objective. “It’s too early to say if it was fully successful,” writes Shemetovets, the Cyber Partisans spokesperson. “The goals that CPs set are hard to achieve, but it created a very serious pressure on the regime, disrupted the system, and showed that the dictator is not in control. It’s too early to say if Russia troops were affected, but we hope that it will indirectly make an impact on their movements.”

In the larger view of hacktivism and ransomware, however, Guerrero-Saade argues that the Cyber Partisans' tactics could soon bleed out to other groups who see the power of ransomware to achieve political coercion—for good and for ill—and raise the stakes of Belarus' own political conflicts. “The looming horror of ransomware is precisely just how many systems are out there about whose criticality we don't understand until they're unavailable,” Guerrero-Saade says. “So if this is a continued tactic of theirs, I think we'll definitely see a ratcheting up of the pressure on both sides.”

Additional reporting by Lily Hay Newman.
