The Oklahoman

Link drawn between Kremlin, ransomware

US sanctions accuse Russia of sponsorship

BOSTON – A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.

One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded, and sometimes employed, by Russian intelligence agencies, according to security researchers, U.S. law enforcement, and now the Biden administration.

On Thursday, as the U.S. slapped sanctions on Russia for malign activities, including state-backed hacking, the Treasury Department said Russian intelligence enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them safe harbor. With ransomware damages now well into the tens of billions of dollars, former British intelligence cyber chief Marcus Willett recently deemed the scourge “arguably more strategically damaging than state cyber-spying.”

The value of Kremlin protection isn’t lost on the cybercriminals. Earlier this year, a Russian-language dark-web forum lit up with criticism of a ransomware purveyor known only as “Bugatti,” whose gang had been caught in a rare U.S.-Europol sting.

The posters accused him of inviting the crackdown with technical sloppiness and by recruiting non-Russian affiliates who might be snitches or undercover cops.

Worst of all, in the view of one long-active forum member, Bugatti had allowed Western authorities to seize ransomware servers that could have been sheltered in Russia instead.

“Mother Russia will help,” that individual wrote. “Love your country and nothing will happen to you.”

Unlike North Korea, there is no indication that Russia’s government benefits directly from ransomware crime, although Russian President Vladimir Putin may consider the resulting havoc a strategic bonus.

In the U.S. last year, ransomware hit more than a hundred federal, state and municipal agencies, over 500 hospitals and other health centers, about 1,680 schools, colleges and universities and hundreds of businesses, according to cybersecurity firm Emsisoft.

Damage in the public sector is measured in rerouted ambulances, postponed cancer treatments, interrupted municipal bill collection, canceled classes and rising insurance costs – all during the worst public health crisis in more than a century.

The idea behind these attacks is simple: Criminals infiltrate malicious data-scrambling software into computer networks, use it to “kidnap” an organization’s data files, then demand huge payments, now as high as $50 million, to restore them. The latest twist: if victims fail to pay up, the criminals may publish their unscrambled data on the open internet.

In recent months, U.S. law enforcement has worked with partners including Ukraine and Bulgaria to bust up these networks. But with the criminal masterminds out of reach, such operations are generally little more than whac-a-mole.

Collusion between criminals and the government is nothing new in Russia, said Adam Hickey, a U.S. deputy assistant attorney general, who noted that cybercrime can provide good cover for espionage.

The Kremlin sometimes enlists arrested criminal hackers by offering them a choice between prison and working for the state, said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike. Sometimes the hackers use the same computer systems for state-sanctioned hacking and off-the-clock cybercrime for personal enrichment, he said.

They may even mix state with personal business.

That’s what happened in a 2014 hack of Yahoo that compromised more than 500 million user accounts, allegedly including those of Russian journalists and U.S. and Russian government officials. A U.S. investigation led to the 2017 indictment of four men, including two officers of Russia’s FSB security service – a successor to the KGB.

One of them, Dmitry Dokuchaev, worked in the same FSB office that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, allegedly used the hack for personal gain.

A Russian Embassy spokesman declined to address questions about his government’s alleged ties to ransomware criminals and state employees’ alleged involvement in cybercrime. “We do not comment on any indictments or rumors,” said Anton Azizov, the deputy press attache in Washington.

At least one ransomware purveyor has been linked to the Kremlin. Maksim Yakubets, 33, is best known as co-leader of a cybergang that calls itself Evil Corp.

GIANNIS PAPANIKOS/AP FILE Some authorities say Alexander Vinnik, center, now imprisoned in France for laundering $160 million, might be able to describe the intersection of organized cybercrime and the Russian state.
