There’s not much the rest of the world can do about cybercriminals in Russia without Vladimir Putin’s help. And with prices for Russia’s natural gas at record highs, Putin sees no need to be helpful.
That’s the upshot of a 32-nation “ransomware summit” the Biden administration convened last week, and a U.S. Treasury Department report that followed.
Attacks like the one that initially cost Colonial Pipeline $4.4 million last spring aren’t carried out by the Russian government per se, which sticks to election meddling and traditional espionage. But the Kremlin sees an advantage in its criminal hackers, not to mention a likely cut of the proceeds for security officials.
“For Russia ransomware is a show of strength and source of intelligence,” says Josephine Wolff, who teaches cybersecurity policy at Tufts University’s Fletcher School. “They have the upper hand in this right now.”
The good news is that the free world may have more leverage over how cybercriminals get paid—cryptocurrency. Cracking down on ransomware is one more reason a global wave of crypto-regulation is probably in the offing. Something to think about as the market frenzy builds around the first U.S.-listed exchange-traded fund for Bitcoin.
Ransomware, which refers to attackers “hijacking” a remote computer system and demanding payment to give it back, has taken hacking to a whole new level of damage and profitability. Colonial was the tip of a rapidly expanding iceberg.
U.S. companies alone reported 635 cases of ransomware, costing $590 million, during the first half of 2021, according to the Oct. 15 report from Treasury’s Financial Crimes Enforcement Network, or FinCEN. Both those figures outstripped the whole of 2020. Hospitals, where a network shutdown risks patients’ lives, have been a favorite mark, enduring hundreds of cyber-shakedowns.
It’s no secret where most ransomware actors live, nor how they get paid. Iran and North Korea are happy to host ransomware gangs, but have a limited talent pool. China has started dabbling in cybercrime, but concentrates on more traditional espionage. “Most hacking out of China has a more patriotic focus,” says Allan Liska, an analyst at cybersecurity firm Recorded Future.
That leaves Putin’s domain. “The kingpins in this area are based in Russia,” says Dmitri Alperovitch, a co-founder and former chief technology officer of cybersecurity provider CrowdStrike. The Kremlin’s blind eye to cybercrime stands in contrast to neighboring Ukraine, which has made two very public busts of ransomware cells this year.
All the criminal hackers’ evil genius would produce limited gains without cryptocurrency, which so far evades the monitoring governments impose on conventional banking systems. “Attackers used to take payment in gift cards and other anonymous instruments,” Liska says. “But you can’t demand a million dollar ransom in Amazon gift cards.”
Bitcoin, incidentally, is becoming a bit passé for the most advanced ransomware actors, FinCEN finds. They increasingly prefer payment in a cyber instrument called Monero, and charge extra to accept Bitcoin.
The FinCEN report, and a communiqué issued from the ransomware summit, indicate what the rest of the world intends to do about Russia: nothing. The word “Russia” isn’t mentioned in either document, rather a triumph of ignoring the proverbial elephant in the room.
“If actions matched rhetoric on ransomware, we should be willing to inflict massive sanctions on Russia’s oil-and-gas industry,” Alperovitch says. That is highly unlikely as Europe faces a potentially freezing winter and is clamoring for more Russian gas.
“This 32-nation meeting will not constrain any actors who are enabling ransomware,” concludes Matthew Rojansky, director of the Wilson Center’s Kennan Institute on post-Soviet affairs.
Cryptocurrency is a different story. FinCEN served notice that fiat authorities know a good deal about who does what on extragovernmental digital money networks. Its report identified the top 10 ransomware “variants”—trade names used by extortionists like Revil/Sodinokibi or DarkSide—and 177 digital wallet addresses that have received $5.2 billion on their behalf globally since 2019. “This analysis allowed FinCEN to identify which exchanges and services ransomware actors used to launder their proceeds,” the report states.
The history of fiat money laundering shows that flagging illegal flows is much easier than stopping them. But criminals have to convert their huge crypto gains into usable currency in some real-world jurisdiction. Few will energetically defend secrecy for funds extorted from oil pipelines or hospitals. “There will always be one exchange in the Cayman Islands that will perform these operations,” Liska says. “But authorities can make all the others around the world think hard.”
Constraining those billions in ransomware flows could even reduce demand for cryptocurrency. Something for investors jumping on it to think about.