A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.
One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded — and sometimes employed — by Russian intelligence agencies, according to security researchers, US law enforcement and now the administration of US President Joe Biden.
On Thursday last week, as the US slapped sanctions on Russia for malign activities, including state-backed hacking, the US Department of the Treasury said that Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers, and giving them safe harbor.
Illustration: Mountain People
With ransomware damages well into the tens of billions of dollars, former British Government Communications Headquarters director of cyber Marcus Willett has called the scourge “arguably more strategically damaging than state cyberspying.”
The value of Kremlin protection is not lost on the cybercriminals themselves. Earlier this year, a Russian-language forum on the dark Web lit up with criticism of a ransomware purveyor known only as “Bugatti,” whose gang had been caught in a rare US-Europol sting.
The assembled posters accused him of inviting the crackdown with technical sloppiness and by recruiting non-Russian affiliates, who might have been snitches or undercover law enforcement.
Worst of all, in the view of one long-active forum member, Bugatti had allowed Western authorities to seize ransomware servers that could have been sheltered in Russia.
“Mother Russia will help,” that forum member wrote. “Love your country and nothing will happen to you.”
The conversation was captured by the security firm Advanced Intelligence.
“Like almost any major industry in Russia, [cybercriminals] work kind of with the tacit consent and sometimes explicit consent of the security services,” said Michael van Landingham, a former CIA analyst who runs the consultancy Active Measures.
The Russian authorities have a simple rule, Moscow-based Internet Research Institute CEO Karen Kazaryan said: “Just don’t ever work against your country and businesses in this country. If you steal something from Americans, that’s fine.”
Unlike North Korea, there is no indication that the Russian government benefits directly from ransomware crime, although Russian President Vladimir Putin might consider the resulting havoc a strategic bonus.
In the US alone last year, ransomware struck more than 100 federal, state and municipal agencies; more than 500 hospitals and other healthcare centers; about 1,680 schools, colleges and universities; and hundreds of businesses, the cybersecurity firm Emsisoft said.
Damage in the public sector alone is measured in rerouted ambulances, postponed cancer treatments, interrupted municipal bill collection, canceled classes and rising insurance costs — all during the worst public health crisis in more than a century.
The idea behind these attacks is simple: Criminals infiltrate malicious data-scrambling software into computer networks, use it to “kidnap” an organization’s data files, then demand huge payments — now as high as US$50 million — to restore them.
The latest twist: If victims fail to pay up, the criminals might publish their unscrambled data on the open Internet.
In recent months, US law enforcement has worked with partners, including Ukraine and Bulgaria, to bust these networks, but with the criminal masterminds out of reach, such operations are generally little more than a game of whack-a-mole.
Collusion between criminals and the government is not new in Russia, said US Deputy Assistant Attorney General Adam Hickey, adding that cybercrime can provide good cover for espionage.
Back in the 1990s, Russian intelligence frequently recruited hackers for that purpose, Kazaryan said.
Now, ransomware criminals are just as likely to be moonlighting state-employed hackers, Kazaryan added.
The Kremlin sometimes enlists arrested criminal hackers by offering them a choice of prison or working for the state, former Crowdstrike chief technical officer Dmitri Alperovitch said.
Sometimes the hackers use the same computer systems for state-sanctioned hacking and off-the-clock cybercrime for personal enrichment, he said, adding that they might even mix state business with personal business.
That is what happened in a 2014 hack of Yahoo that compromised more than 500 million user accounts, allegedly including those of Russian journalists, as well as officials of the US and Russia.
A US investigation led to the 2017 indictment of four men, including two officers of Russia’s FSB security service — a successor to the KGB.
One of them, Dmitry Dokuchaev, worked in the same FSB office that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, allegedly used the hack for personal gain.
A Russian embassy spokesman declined to address questions about his government’s alleged ties to ransomware criminals and state employees’ alleged involvement in cybercrime.
“We do not comment on any indictments or rumors,” Russian embassy in Washington deputy press attache Anton Azizov said.
Proving links between the Russian state and ransomware gangs is not easy. The criminals hide behind pseudonyms and periodically change the names of their malware strains to confuse Western law enforcement.
However, at least one ransomware purveyor has been linked to the Kremlin. Maksim Yakubets, 33, is best known as coleader of a cybergang that cockily calls itself Evil Corp.
The Ukraine-born Yakubets lives a flashy lifestyle. He drives a Lamborghini supercar with a personalized license plate that translates to “Thief,” the British National Crime Agency said.
Yakubets started working for the FSB in 2017, tasked with projects such as “acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf,” a US indictment in December 2019 said.
At the same time, the US Department of the Treasury slapped sanctions on Yakubets and offered a US$5 million reward for information leading to his capture.
It said that he was known to have been “in the process of obtaining a license to work with Russian classified information from the FSB.”
The indictment charged Evil Corp with developing and distributing ransomware used to steal at least US$100 million in more than 40 countries over the past decade, including payrolls pilfered from towns in the US heartland.
By the time that Yakubets was indicted, Evil Corp had become a major ransomware player, security researchers said.
By May last year, the gang was distributing a ransomware strain that was used to attack eight Fortune 500 companies, including the GPS device maker Garmin, whose network was offline for days after an attack, Advanced Intelligence said.
Yakubets remains at large.
However, a Russian imprisoned in France might offer more insight into the dealings of cybercriminals and the Russian state.
Alexander Vinnick was convicted of laundering US$160 million in criminal proceeds through a cryptocurrency exchange called BTC-e.
A US indictment in 2017 charged that “some of the largest known purveyors of ransomware” actually used it to launder US$4 billion, but Vinnick cannot be extradited until he completes his five-year French prison sentence in 2024.
Still, a 2018 study by the nonpartisan think tank Third Way found that the odds of successfully prosecuting authors of cyberattacks against US targets — ransomware and online bank theft are the costliest — are no better than three in 1,000.
Experts have said that those odds have gotten longer.
This week’s sanctions send a strong message, but are not likely to deter Putin unless the financial sting hits closer to home, many analysts have said.
That might require the kind of massive multinational coordination that followed the Sept. 11, 2001, terror attacks. For example, allied countries could identify banking institutions known to launder ransomware proceeds and cut them off from the global financial community.
“If you’re able to follow the money and disrupt the money — and take the economic incentive out — that’ll go a long way in stopping ransomware attacks,” said John Riggi, cybersecurity adviser for the American Hospital Association and a former FBI official.
In a stark reminder of China’s persistent territorial overreach, Pema Wangjom Thongdok, a woman from Arunachal Pradesh holding an Indian passport, was detained for 18 hours at Shanghai Pudong Airport on Nov. 24 last year. Chinese immigration officials allegedly informed her that her passport was “invalid” because she was “Chinese,” refusing to recognize her Indian citizenship and claiming Arunachal Pradesh as part of South Tibet. Officials had insisted that Thongdok, an Indian-origin UK resident traveling for a conference, was not Indian despite her valid documents. India lodged a strong diplomatic protest, summoning the Chinese charge d’affaires in Delhi and demanding
In the past 72 hours, US Senators Roger Wicker, Dan Sullivan and Ruben Gallego took to social media to publicly rebuke the Chinese Nationalist Party (KMT) over the defense budget. I understand that Taiwan’s head is on the chopping block, and the urgency of its security situation cannot be overstated. However, the comments from Wicker, Sullivan and Gallego suggest they have fallen victim to a sophisticated disinformation campaign orchestrated by an administration in Taipei that treats national security as a partisan weapon. The narrative fed to our allies claims the opposition is slashing the defense budget to kowtow to the Chinese
Immediately after the Chinese People’s Liberation Army’s (PLA) “Justice Mission” exercise at the end of last year, a question was posed to Indian Ministry of External Affairs spokesperson Randhir Jaiswal regarding recent developments involving the exercises around Taiwan, and how he viewed their impact on regional peace and stability. His answer was somewhat perplexing to me as a curious student of Taiwanese affairs. “India closely follows developments across the Indo-Pacific region,” he said, adding: “We have an abiding interest in peace and stability in the region, in view of our significant trade, economic, people-to-people, and maritime interests. We urge all concerned
In a Taipei Times editorial published almost three years ago (“Macron goes off-piste,” April 13, 2023, page 8), French President Emmanuel Macron was criticized for comments he made immediately after meeting Chinese President Xi Jinping (習近平) in Beijing. Macron had spoken of the need for his country to find a path on Chinese foreign policy no longer aligned with that of the US, saying that continuing to follow the US agenda would sacrifice the EU’s strategic autonomy. At the time, Macron was criticized for gifting Xi a PR coup, and the editorial said that he had been “persuaded to run
RSS