"But ransomware gangs are overwhelmingly Russian, and overwhelmingly use crypto as their payment channel"

Would it not be a little bit strange for Russian ransomware to provide an IBAN or a Money Wire to a bank? And Russian ransomware actors are, in contrast to North Korean and as far as I know, not state actors. (Russian Troll factories are not ransom ware)

Russian ransomware actors are not state actors, but couldn't operate in the way that they do without the sanction of the state. This is why the phrase "Russian ransomware actors" makes sense.

So, for example, they take some interesting actions to avoid accidentally making the state unhappy. https://krebsonsecurity.com/2021/05/try-this-one-weird-trick... shows an amusing consequence of this.

But they also wind up with the same kinds of relationships with the state that the Wagner group did. And so we get things like https://www.cisa.gov/news-events/cybersecurity-advisories/aa.... Russian military activity comes backed up with Russian cyberattacks that use all the same techniques, and presumably some of the same people, that Russian cybercriminals do.

And these attacks were not necessarily trivial. For example https://www.reuters.com/world/europe/russia-behind-cyberatta... verifies that KA-SAT was taken offline. Starlink was also under constant cyberattack. I strongly suspect that Musk's unwillingness to allow Starlink in areas under Russian control, and unwillingness to allow Starlink to be used in offensive military attacks, are exactly to reduce how much he is a direct target of Russian activity.