A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.
One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded — and sometimes employed — by Russian intelligence agencies, according to security researchers, US law enforcement and now the administration of US President Joe Biden.
On Thursday last week, as the US slapped sanctions on Russia for malign activities, including state-backed hacking, the US Department of the Treasury said that Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers, and giving them safe harbor.
Illustration: Mountain People
With ransomware damages well into the tens of billions of dollars, former British Government Communications Headquarters director of cyber Marcus Willett has called the scourge “arguably more strategically damaging than state cyberspying.”
The value of Kremlin protection is not lost on the cybercriminals themselves. Earlier this year, a Russian-language forum on the dark Web lit up with criticism of a ransomware purveyor known only as “Bugatti,” whose gang had been caught in a rare US-Europol sting.
The assembled posters accused him of inviting the crackdown with technical sloppiness and by recruiting non-Russian affiliates, who might have been snitches or undercover law enforcement.
Worst of all, in the view of one long-active forum member, Bugatti had allowed Western authorities to seize ransomware servers that could have been sheltered in Russia.
“Mother Russia will help,” that forum member wrote. “Love your country and nothing will happen to you.”
The conversation was captured by the security firm Advanced Intelligence.
“Like almost any major industry in Russia, [cybercriminals] work kind of with the tacit consent and sometimes explicit consent of the security services,” said Michael van Landingham, a former CIA analyst who runs the consultancy Active Measures.
The Russian authorities have a simple rule, Moscow-based Internet Research Institute CEO Karen Kazaryan said: “Just don’t ever work against your country and businesses in this country. If you steal something from Americans, that’s fine.”
Unlike North Korea, there is no indication that the Russian government benefits directly from ransomware crime, although Russian President Vladimir Putin might consider the resulting havoc a strategic bonus.
In the US alone last year, ransomware struck more than 100 federal, state and municipal agencies; more than 500 hospitals and other healthcare centers; about 1,680 schools, colleges and universities; and hundreds of businesses, the cybersecurity firm Emsisoft said.
Damage in the public sector alone is measured in rerouted ambulances, postponed cancer treatments, interrupted municipal bill collection, canceled classes and rising insurance costs — all during the worst public health crisis in more than a century.
The idea behind these attacks is simple: Criminals infiltrate malicious data-scrambling software into computer networks, use it to “kidnap” an organization’s data files, then demand huge payments — now as high as US$50 million — to restore them.
The latest twist: If victims fail to pay up, the criminals might publish their unscrambled data on the open Internet.
In recent months, US law enforcement has worked with partners, including Ukraine and Bulgaria, to bust these networks, but with the criminal masterminds out of reach, such operations are generally little more than a game of whack-a-mole.
Collusion between criminals and the government is not new in Russia, said US Deputy Assistant Attorney General Adam Hickey, adding that cybercrime can provide good cover for espionage.
Back in the 1990s, Russian intelligence frequently recruited hackers for that purpose, Kazaryan said.
Now, ransomware criminals are just as likely to be moonlighting state-employed hackers, Kazaryan added.
The Kremlin sometimes enlists arrested criminal hackers by offering them a choice of prison or working for the state, former Crowdstrike chief technical officer Dmitri Alperovitch said.
Sometimes the hackers use the same computer systems for state-sanctioned hacking and off-the-clock cybercrime for personal enrichment, he said, adding that they might even mix state business with personal business.
That is what happened in a 2014 hack of Yahoo that compromised more than 500 million user accounts, allegedly including those of Russian journalists, as well as officials of the US and Russia.
A US investigation led to the 2017 indictment of four men, including two officers of Russia’s FSB security service — a successor to the KGB.
One of them, Dmitry Dokuchaev, worked in the same FSB office that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, allegedly used the hack for personal gain.
A Russian embassy spokesman declined to address questions about his government’s alleged ties to ransomware criminals and state employees’ alleged involvement in cybercrime.
“We do not comment on any indictments or rumors,” Russian embassy in Washington deputy press attache Anton Azizov said.
Proving links between the Russian state and ransomware gangs is not easy. The criminals hide behind pseudonyms and periodically change the names of their malware strains to confuse Western law enforcement.
However, at least one ransomware purveyor has been linked to the Kremlin. Maksim Yakubets, 33, is best known as coleader of a cybergang that cockily calls itself Evil Corp.
The Ukraine-born Yakubets lives a flashy lifestyle. He drives a Lamborghini supercar with a personalized license plate that translates to “Thief,” the British National Crime Agency said.
Yakubets started working for the FSB in 2017, tasked with projects such as “acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf,” a US indictment in December 2019 said.
At the same time, the US Department of the Treasury slapped sanctions on Yakubets and offered a US$5 million reward for information leading to his capture.
It said that he was known to have been “in the process of obtaining a license to work with Russian classified information from the FSB.”
The indictment charged Evil Corp with developing and distributing ransomware used to steal at least US$100 million in more than 40 countries over the past decade, including payrolls pilfered from towns in the US heartland.
By the time that Yakubets was indicted, Evil Corp had become a major ransomware player, security researchers said.
By May last year, the gang was distributing a ransomware strain that was used to attack eight Fortune 500 companies, including the GPS device maker Garmin, whose network was offline for days after an attack, Advanced Intelligence said.
Yakubets remains at large.
However, a Russian imprisoned in France might offer more insight into the dealings of cybercriminals and the Russian state.
Alexander Vinnick was convicted of laundering US$160 million in criminal proceeds through a cryptocurrency exchange called BTC-e.
A US indictment in 2017 charged that “some of the largest known purveyors of ransomware” actually used it to launder US$4 billion, but Vinnick cannot be extradited until he completes his five-year French prison sentence in 2024.
Still, a 2018 study by the nonpartisan think tank Third Way found that the odds of successfully prosecuting authors of cyberattacks against US targets — ransomware and online bank theft are the costliest — are no better than three in 1,000.
Experts have said that those odds have gotten longer.
This week’s sanctions send a strong message, but are not likely to deter Putin unless the financial sting hits closer to home, many analysts have said.
That might require the kind of massive multinational coordination that followed the Sept. 11, 2001, terror attacks. For example, allied countries could identify banking institutions known to launder ransomware proceeds and cut them off from the global financial community.
“If you’re able to follow the money and disrupt the money — and take the economic incentive out — that’ll go a long way in stopping ransomware attacks,” said John Riggi, cybersecurity adviser for the American Hospital Association and a former FBI official.
Could Asia be on the verge of a new wave of nuclear proliferation? A look back at the early history of the North Atlantic Treaty Organization (NATO), which recently celebrated its 75th anniversary, illuminates some reasons for concern in the Indo-Pacific today. US Secretary of Defense Lloyd Austin recently described NATO as “the most powerful and successful alliance in history,” but the organization’s early years were not without challenges. At its inception, the signing of the North Atlantic Treaty marked a sea change in American strategic thinking. The United States had been intent on withdrawing from Europe in the years following
My wife and I spent the week in the interior of Taiwan where Shuyuan spent her childhood. In that town there is a street that functions as an open farmer’s market. Walk along that street, as Shuyuan did yesterday, and it is next to impossible to come home empty-handed. Some mangoes that looked vaguely like others we had seen around here ended up on our table. Shuyuan told how she had bought them from a little old farmer woman from the countryside who said the mangoes were from a very old tree she had on her property. The big surprise
The issue of China’s overcapacity has drawn greater global attention recently, with US Secretary of the Treasury Janet Yellen urging Beijing to address its excess production in key industries during her visit to China last week. Meanwhile in Brussels, European Commission President Ursula von der Leyen last week said that Europe must have a tough talk with China on its perceived overcapacity and unfair trade practices. The remarks by Yellen and Von der Leyen come as China’s economy is undergoing a painful transition. Beijing is trying to steer the world’s second-largest economy out of a COVID-19 slump, the property crisis and
Former president Ma Ying-jeou’s (馬英九) trip to China provides a pertinent reminder of why Taiwanese protested so vociferously against attempts to force through the cross-strait service trade agreement in 2014 and why, since Ma’s presidential election win in 2012, they have not voted in another Chinese Nationalist Party (KMT) candidate. While the nation narrowly avoided tragedy — the treaty would have put Taiwan on the path toward the demobilization of its democracy, which Courtney Donovan Smith wrote about in the Taipei Times in “With the Sunflower movement Taiwan dodged a bullet” — Ma’s political swansong in China, which included fawning dithyrambs