White House Has Been Identifying Top Suspects and Sharing Intelligence With Moscow
Senior U.S. officials say that, so far, there are no signs that Moscow has begun to crack down on ransomware-wielding criminals operating from inside Russia’s borders.
“Based on what we’ve seen, I would say there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they have created there,” FBI Deputy Director Paul Abbate said during a panel at this week’s Intelligence and National Security Summit in National Harbor, Maryland, The Hill reports.
“We’ve asked for help and cooperation with those who we know are in Russia who we have indictments against, and we’ve seen no action, so I would say that nothing’s changed in that regard,” he added.
Abbate’s assessment arrives three months after President Joe Biden’s June summit in Geneva with Russian President Vladimir Putin. Biden said that during the summit, he detailed a number of critical infrastructure sectors that must remain off-limits to criminal hackers and other types of online attacks, and said he warned Putin that if Russia failed to act, the U.S. reserved the right to do so.
“Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said after his meeting with Putin. “So we agreed to task experts in … both our countries to work on specific understandings about what’s off-limits and to follow up on specific cases that originate in other countries – either of our countries.”
In a Tuesday interview with The Associated Press, Gen. Paul Nakasone, who heads the National Security Agency and U.S. Cyber Command, said efforts to identify and expose the individuals involved in ransomware attacks, as well as their tactics, remain ongoing.
“Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’” Nakasone told the AP. “But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.”
Multiple Disruptive Efforts Underway
Biden’s move to disrupt ransomware attacks followed a string of devastating attacks that began in May, all involving Russian-language groups. Conti hit Ireland’s national health service; DarkSide disrupted U.S.-based Colonial Pipeline, causing consumers to panic-buy fuel; and REvil – aka Sodinokibi – attacked meat processing giant JBS as well as remote management software firm Kaseya. That latter attack alone resulted in more than 1,500 organizations’ systems being forcibly encrypted and held to ransom.
At the time of Biden’s summit, cybersecurity and foreign policy experts said it might take six months or more to tell if Moscow was doing anything to further those supposed understandings.
The summit has been part of a more widespread push by the White House to blunt the effectiveness of the ransomware business model. Efforts include the launch of a ransomware task force, to focus more Department of Justice resources and information sharing on the problem. Meanwhile, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, is leading the administration’s diplomatic efforts to combat cybercrime, including ransomware.
In addition, the country’s first-ever national cyber director, John “Chris” Inglis, is leading the administration’s effort to improve the cyber resilience of American organizations and government agencies, to make it more difficult and costly for ransomware-wielding criminals to hit them.
Biden Continues to Press Putin
Biden has continued to try to pressure Putin into addressing the ransomware problem, including in a post-summit, July 9 phone call. “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters (see: REvil’s Infrastructure Goes Offline).
Last week, National Cyber Director Chris Inglis said it was “too soon to tell” if the Russian government was getting tough. With the supposed exit or silence from groups such as Avaddon, DarkSide and LockBit, however, there did appear to have been some attrition, although the causes largely remained unclear.
“We’ve seen that those kinds of syndicates had, to some degree, deconstructed, but I think it’s a fair bet that they have self-destructed – essentially gone cold and quiet,” Inglis said in a discussion at the Reagan Institute in Washington, D.C., on Sept. 9. “Let’s see whether the storm will blow over – whether they can then come back. And what I think will make the difference is whether Vladimir Putin and others who have the ability to enforce the law – international law as we know it – and ensure that they don’t come back.”
Dormant Groups Resuming Operations
Unfortunately, there are multiple signs that potentially dormant groups have simply been lying low temporarily after the Biden administration turned up the heat. Security experts say that DarkSide has apparently rebranded as BlackMatter, Babuk appears to have spun off Groove, and REvil now seems to be back in business. That’s a concern not least because ransomware incident response firm Coveware says that of the thousands of cases it investigated from April through June, REvil was the most prevalent strain of crypto-locking malware tied to attacks.
In an interview with Moscow-based Russian newspaper Lenta.ru published Wednesday, a self-described Russian hacker who has allegedly worked with REvil reported that its administrators backed up all of their data and powered down servers on July 13, intending to lay low for a while to let the heat die down.
But after two months, he said, the operation was ready to return. He does note, however, that one of the core members remains AWOL, leading the other administrators to wonder if he’s been arrested.
REvil, however, remains one of many criminal operations seeking to capitalize on ransomware. Since last week, Israeli threat intelligence firm Kela reports that it’s seen fresh attacks and threats to leak stolen data not just tied to REvil, but these 12 ransomware groups too: BlackMatter, Clop, Conti, Cuba, Everest, Grief, Groove, LockBit, Marketo, Pysa, Ragnar Locker and Vice Society.