This text is an automatic translation from Русский. It was generated by AI and may contain inaccuracies.
Russia faces 14% of global cyberattacks despite accounting for just 3% of the world economy. We examine the scale of threats, economic damage from ransomware and APT attacks, major business vulnerabilities, and state-level defense measures.

Russia has become one of the main targets of cybercriminals: the country accounts for 14% of successful cyberattacks worldwide while representing 3% of the global economy. Cybersecurity has transformed from a technical problem into a macroeconomic factor affecting business resilience, infrastructure, and social stability. Experts urge viewing investments in information security not as costs, but as a condition for business survival in the context of hybrid warfare.
In 2025, the total damage from cybercrime worldwide is estimated at $10.5 trillion per year—more than three times higher than in 2015. And Russia is among the key victims. According to Positive Technologies, between July 1, 2024, and September 26, 2025, 14% of successful cyberattacks worldwide targeted Russia. For a country accounting for roughly 3% of the global economy, this scale is a consequence of geopolitical confrontation that affects the economic sphere through the lens of IT.
This is no longer "abstract information security," but a factor directly impacting economic activity, business costs, infrastructure resilience, employment, and social stability. State Duma deputy Marina Kim shares this view:
"Today this is a full-fledged front in a hybrid war, whose goal is not simply to steal data, but to sow chaos and destabilize society."
In popular imagination, a cyberattack means "hackers broke into a website." In practice, the spectrum is much broader:
A modern cyberattack is less and less often a "one-off breach" and increasingly a multi-stage operation: penetration, establishing persistence, reconnaissance, encryption, extortion, and parallel sale of access and stolen data on shadow markets.
According to data from the cyber threat research center of Solar, in just the first ten months of 2025, 18 persistent hacker groups were identified in cyberspace, seven of them new—at least double the number from a year earlier.
Approximately 61% of attacks by professional groups in 2025 were espionage-related (up 7 percentage points year-over-year); financially motivated attacks accounted for 17% (down 3 p.p.); and hacktivist attacks with loud political statements made up 11% (down 11 p.p.). In other words, threat actors are shifting from noisy campaigns to quiet but systematic espionage and preparation for infrastructure strikes.
By sector, the most frequently targeted are:
"I would highlight a triad: energy, transport, and the financial sector. Attacks on them have an immediate social impact — from rolling blackouts to paralysis of transport hubs. This is precisely the multiplier effect of panic that our geopolitical adversaries are seeking," emphasizes Marina Kim.
The summer cyberattack on Aeroflot, for example, showed how a cyberattack can literally "land" on departure boards. On the peak day, according to industry experts' estimates, up to 42% of flights were canceled: the IT system failure instantly transformed into actual aircraft downtime, logistics disruption, and financial losses for passengers and the company's partners.
For a major airline, this is no longer about "cyber risks," but about falling revenue, regulatory fines, rising costs, and subsequent increases in ticket prices. On a broader scale — a blow to business activity and tourism.
Solar 4RAYS is recording a sharp increase in the use of RAT malware (Remote Access Trojan) — tools for remote covert control of victim infrastructure. In the second quarter of 2025, they already accounted for 24% of all infections in Russian organizations, up from 18% in the first quarter of 2025.
The reason is simple: stealers (data theft software) steal individual logins and files, while RATs give the attacker a control panel for the IT system:
Hackers no longer waste effort creating unique viruses for each target. Today's attack market operates like an assembly line: mass-produced tools, slightly tweaked for the task at hand, are used against "ordinary" companies, while unique and expensive malware is reserved only for truly large and well-protected victims. As Solar explains, custom-built software is now deployed selectively—only where "precision work" and manual control are required.
In 2025, cyberattacks are becoming not just a technological threat, but a factor of direct economic pressure on business. According to the Allianz Risk Barometer 2025, cyber incidents have ranked first among global business risks for the fourth consecutive year, surpassing supply chain disruptions and macroeconomic instability. In the Russian context, the structure of losses is increasingly shaped by ransomware attacks. These have become the most costly and destructive scenario for companies.
Ransomware—the Main Driver of Losses
According to Verizon, in 2025, 37% of all cybersecurity breaches worldwide involved ransomware. This explains why this type of attack leads in financial damage. Independent information security expert Denis Makrushin emphasizes the systemic nature of the problem:
"Criminals simultaneously encrypt data, steal it, and threaten to publish it. Business operations halt, resources are spent on recovery, and trust from clients and partners is lost. Even if a company pays the ransom, there's no guarantee of full data recovery or that the incident won't happen again."
A separate economic risk is the duration of downtime. According to the Ponemon Institute, an hour of downtime for critical systems in 2025 costs companies an average of $347,000 globally. Russian cases confirm these estimates: here, direct losses are lower than in the West, but the relative impact on revenue is higher due to smaller reserves. Independent expert Vladimir Lyubitsky explains:
"Ransomware destroys data and IT infrastructure. Often a company is forced to rebuild everything from scratch. For a firm with a hundred employees, such recovery can cost tens of millions of rubles over two weeks of work."
Thus, Russian companies pay a triple price: downtime, recovery, and loss of market share.
RaaS, breaches, and the regulatory 'tail'
An international trend over the past two years has been the rise of the Ransomware-as-a-Service (RaaS) model, where cybercriminals band together in groups and sell encryption tools as a service. In the first half of 2025, 96 unique groups were identified—a 41.18% increase over the same period in 2024—intensifying pressure on small and medium-sized businesses. This matters because for SMEs, a ransom demand of 40 million rubles or more, which many RaaS groups require, can effectively mean shutting down operations.
Yet even when funds are available, a company's attempt to pay the ransom often fails to decrypt the data and frequently results in repeat attacks within one or two quarters. Keeping part of the infrastructure after an incident without a complete audit is a direct path to repeating the scenario.
The cyberattacks of 2024–2025 have shown that the problem for most companies isn't that "hackers have gotten stronger," but that internal security organization hasn't kept pace with threats. In other words, it's not about employees—it's about the absence of proper risk management architecture. This trend is also reflected in recovery speed. IBM X-Force research indicates that globally, the average recovery time after a serious incident is 22 days, while in Russia it's often longer due to a lack of well-honed recovery plans. This structural flaw is what experts highlight.
Processes matter more than technology
Anton Bochkarev, founder of 3side/4sec, emphasizes that the root of most incidents isn't the incompetence of specific specialists, but the absence of a coherent system of action. According to him, chaos and confusion in risk management lead to many companies being unable even to identify the moment of attack, while "only a handful can recover within 48 hours—only those who have established processes in advance and conducted regular drills."
This assessment is confirmed by international data: according to analysts, companies with a well-rehearsed response plan reduce losses by 37–42%.
Incident readiness: reality is worse than expectations
Egor Bogomolov, CEO of white-hat hacking agency Singleton Security and educational center CyberED, takes an even harsher view of the situation. According to him, most Russian organizations have neither comprehensive recovery scenarios nor clear response protocols. He notes that the actual recovery time after a serious attack at Russian companies ranges from a week to a month, and the main vulnerabilities lie at the periphery: email, CRM, applications, and remote access systems. These areas are often weakened precisely because they lack supporting security infrastructure.
The technology exists — the culture doesn't
As Denis Makrushin observes, modern threat detection tools, corporate SOCs, and monitoring systems have emerged in Russia in recent years. However, without processes for access management, vendor oversight, staff training, and incident protocols, even the best technology won't work. He clarifies that "only those who have invested in advance in backup systems and recovery drills can recover within 48 hours," and such companies remain in the minority.
Attacks through contractors and "noise" as cover for real breaches
In 2025, one of the most dangerous trends has been the rise in attacks through contractors. Solar is documenting a systemic increase in cases where criminals don't target the protected corporation itself, but rather its less-protected partner. This also explains the growing share of IT companies among victims — now up to 16%, significantly higher than two years ago.
Many large companies mistakenly focus on unproductive metrics, for instance "fighting brute force attacks" (a set of measures that help stop or at least slow down hacking attempts in which passwords are guessed by running through thousands of combinations) and flashy dashboards displaying hundreds of incidents. This creates an illusion of control. Meanwhile, attackers increasingly generate noisy attacks deliberately to mask their real activities. Our independent expert emphasizes: it's far more effective to monitor a few key Active Directory takeover points than to "chase after every suspicious login."
The most dangerous thing: management's false beliefs
In the SMB market, the situation is exacerbated by two extremes of thinking. The first is the belief that "if they want to hack us, they will." The second, that "we're too small to be interesting." Both are dangerous. Most attacks today are automated, and according to Positive Technologies, in the first half of 2025, 36% of all attacks followed the "random target" principle — attackers simply scanned the internet for vulnerable services.
Expert Makrushin identifies three of the most dangerous misconceptions:
The defense model must shift from the illusion of "preventing everything" to cyber resilience.
"It's impossible to completely prevent all attacks. The concept of cyber resilience is more business-oriented: protecting against unacceptable events and being prepared for recovery—that's what modern effective cybersecurity looks like," says Anton Bochkarev.
State Duma deputy Marina Kim proposes viewing cybersecurity not as an IT line item in the budget, but as an element of sovereignty:
"In the past, businesses calculated ROI from installing antivirus software. Today the question is different: either you invest in information security, or you simply won't exist tomorrow. Information security isn't a 'fear tax'—it's a license to keep your business operating in Russian jurisdiction."
In her view, without systemic incentives and accountability, the situation won't change:
Investments in cybersecurity today are investments in the right to be a sovereign state. And there can be no half-measures here. While people live peacefully, unaware of how many attacks occur each day, Russia has been at the top of global cyberattack rankings for many months now. The only question is who will adapt faster—us or those firing at us.