By Masood Farivar
WASHINGTON – As President Joe Biden prepares for his first meeting with Russia’s Vladimir Putin on Wednesday in Geneva, the White House says the threat of ransomware will be a “significant topic” of conversation between the two leaders.
Until just a couple of years ago, ransomware was viewed largely as a financial crime, hardly an issue that would dominate the first face-to-face meeting between the Russian and American leaders.
But the issue was catapulted to the forefront of geopolitics last month after cybercriminals believed to be operating in Russia breached the networks of a major U.S. pipeline operator and a meat processor, demanding and receiving millions of dollars in ransom.
Although U.S. officials have not accused the Russian government of direct involvement in the latest attacks, some lawmakers say Russia-based cybercriminals often work with the knowledge, if not the complicity, of the Kremlin. They are demanding that Biden deliver a tough message to Putin to end the practice.
In a ransomware attack, cybercriminals encrypt a company’s or institution’s data and then demand a ransom in exchange for a decryption key and a promise not to release the data. Ransomware groups often offer their services to other hackers in exchange for a share of the ransom. Experts say this has helped lure a growing number of otherwise novice cybercriminals into the lucrative ransomware business.
Following are the answers to three key questions about Russia’s role in ransomware attacks:
What do we know about Russian-speaking ransomware groups?
Cybersecurity firms track several dozen ransomware groups around the world. Most are believed to operate in Russia and former Soviet republics such as Belarus, Ukraine, Kazakhstan and Latvia, according to the cybersecurity firm Recorded Future.
Their precise number is unknown, though it has steadily grown in the past couple of years. Recorded Future tracks about 15 Russian-speaking ransomware groups. Check Point, an American-Israeli security firm, monitors seven, including several responsible for major ransomware attacks in recent years.
Among them are DarkSide and REvil, the two groups behind the attacks on Colonial Pipeline and JBS, a major beef producer, respectively. REvil was behind some of the biggest ransomware attacks in the U.S. in 2020, according to Lotem Finkelstein, Check Point’s threat intelligence group manager.
“Maybe there are more, but we can only speculate,” Finkelstein said in an interview with VOA.
Babuk, another Russian-speaking ransomware family discovered early this year, has attacked at least five big entities, with one victim already paying the attackers $85,000 in ransom, according to the cybersecurity firm McAfee. The Metropolitan Police Department of Washington, D.C., reportedly was another victim.
The Russian-speaking ransomware groups follow an unwritten rule: As long as they avoid targets in Russia and other former Soviet republics, “they’re left to operate in peace by local authorities,” Recorded Future says.
Another rule of the game: Ransomware gangs work only with Russian-speaking partners.
What is known about ties between ransomware gangs and the Kremlin?
The Russian government has denied any involvement in the recent ransomware attacks on the U.S., and the precise ties between the ransomware groups and the Kremlin remain uncertain. While U.S. officials have accused Russian spy services of co-opting criminal hackers, they’ve been careful not to directly blame the Russian government for the recent attacks on Colonial Pipeline and JBS.
In the wake of the attack on the Colonial Pipeline, which sparked panic purchasing of gasoline and traffic congestion along the East Coast, President Biden has said that so far, there has been “no evidence based on, from our intelligence people, that Russia is involved, though there is evidence that the actors, ransomware, is in Russia.”
During a recent congressional hearing, FBI Director Christopher Wray said he could not publicly discuss the nexus between cybercriminals and the Russian actors. Nevertheless, he noted that the “most recent” ransomware attackers “are individuals who, perhaps not coincidentally, specifically target English-speaking victims.”
U.S. lawmakers go further, however, insisting that the attacks emanating from Russia could not take place without at least the Russian government’s tactic approval. Senator Mark Warner, the Democratic chairman of the Senate Intelligence Committee and co-chair of the bipartisan Senate Cybersecurity Caucus, said the cybercriminals operate “with the indirect acquiescence of the Russian government.”
“And don’t think for a moment that the Russia spy services, the Russian government isn’t watching and learning from the techniques of these cybercriminals,” Warner said during an interview on Washington Post Live on Monday.
The line between cybercriminals and state actors has blurred. Many Russia-based cybercriminals may be working for Russian spy services during the day and “moonlighting” as cybercriminals in the evening, Warner said.
How is the U.S. responding to the threat of ransomware?
With ransomware emerging as a national security threat, some lawmakers and cybersecurity experts are calling for a more aggressive U.S. response. The Justice Department’s recently formed ransomware task force recovered most of the $5 million of cryptocurrency paid by Colonial Pipeline. The effort to recover the ransom is important, experts say, but lawmakers warn it’s not enough to halt the larger problem.
“I believe we need to start thinking about going on the offense and hitting them back,” Republican Representative Michael McCaul said during a House Homeland Security hearing on the Colonial Pipeline cyberattack. “There should be consequences.”
Cybersecurity experts agree that a more vigorous government response is needed.
“I certainly think that there is a way and an opportunity to disrupt the aggressive threat actors that continue to cause havoc in the United States,” said Charles Carmakal, chief technology officer at the cybersecurity firm FireEye.
Ahead of Wednesday’s summit, Putin has suggested that one approach might be a mutual agreement to extradite cybercriminals between the U.S. and Russia. Biden said at the G-7 meeting that he was “open” to Putin’s idea, calling the offer “potentially a good sign of progress.”
National security adviser Jake Sullivan later clarified Biden’s statement, saying the president is “not saying he’s going to exchange cybercriminals with Russia” but that he agrees cybercriminals should be held accountable in both countries.