How the Kremlin Provides a Safe Harbor for Ransomware


Boston (AP) — The global epidemic of digital blackmail known as ransomware has been devastating, scrambling the data files of local governments, hospitals, school districts, and businesses until payments are made. Law enforcement agencies have been nearly helpless to stop it.

One of the big reasons: ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded by Russian intelligence, according to security researchers, US law enforcement agencies, and now the Biden administration.

When the U.S. sanctioned Russia on Thursday for malicious activities, including state-sponsored hacking, the Treasury said that Russian intelligence enables ransomware attacks by training and hiring criminal hackers and giving them a safe harbor. Ransomware damages amount to tens of billions of dollars, and Marcus Willett, a former British intelligence cyber chief, recently described the plague as “probably more strategically damaging than national cyber-spying.”

The value of Kremlin protection is not lost on the cybercriminals themselves. Earlier this year, a Russian dark web forum erupted in criticism of a ransomware operator known only as “Bugatti,” whose gang had been hit by a rare US-Europol operation. Forum posters accused him of inviting the crackdown through technical laziness and by recruiting non-Russian affiliates who could turn out to be informants or undercover agents.

Worst of all, in the view of one long-standing forum member, Bugatti had allowed Western authorities to seize ransomware servers that could instead have been kept safely in Russia. “Mother Russia will help,” the individual wrote. “Love your country, and nothing will happen to you.” The conversation was captured by the security firm Advanced Intelligence, which shared it with the Associated Press.

“Like almost every major industry in Russia, (cybercriminals) work with the implicit and sometimes explicit consent of the security services,” said Michael van Landingham, a former CIA analyst who runs the consultancy Active Measures LLC.

Russian authorities have a simple rule, said Karen Kazarian, CEO of the Internet Research Institute for the Software Industry in Moscow: “If you steal something from an American, that’s fine.”

Unlike in North Korea, there are no signs that the Kremlin directly profits from ransomware crime, but Russian President Vladimir Putin may see the resulting havoc as a strategic bonus.

In the United States alone last year, ransomware hit more than 100 federal, state, and local governments, more than 500 hospitals and other medical centers, about 1,680 schools, colleges, and universities, and hundreds of companies, according to the cybersecurity firm Emsisoft.

Damage in the public sector alone is measured in rerouted ambulances, postponed cancer treatments, suspended municipal bill collection, canceled classes, and rising insurance costs, all during the worst public health crisis in more than a century.

The idea behind these attacks is simple. Criminals infiltrate computer networks, use malicious data-scrambling software to “kidnap” an organization’s data files, and demand huge payments, now as much as $50 million, to restore them. The latest twist: if the victim fails to pay, the criminals may publish the unscrambled data on the open internet.

In recent months, US law enforcement agencies have worked with partners in countries such as Ukraine and Bulgaria to disrupt these networks. But such operations are generally little more than whack-a-mole, since the criminal masterminds remain out of reach.

Collusion between criminals and the government is nothing new in Russia, said Adam Hickey, a US deputy assistant attorney general.

Back in the 1990s, Russian intelligence agencies frequently hired hackers for their own purposes, Kazarian said. Now, he said, ransomware crime is more likely a side job for state-employed hackers.

The Kremlin may recruit arrested criminal hackers by offering them a choice between prison and working for the state, said Dmitri Alperovitch, former chief technology officer of the cybersecurity firm CrowdStrike. Such hackers may use the same computer systems for state-sanctioned hacking and for off-hours cybercrime aimed at personal enrichment, mixing state and personal business.

That is what happened in the 2014 Yahoo hack, which compromised more than 500 million user accounts, including those of Russian journalists and US and Russian government officials. In 2017, a US indictment charged four men, including two officers of Russia’s FSB security service, the successor to the KGB. One of them, Dmitry Dokuchaev, worked in the same FSB office that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, reportedly used the hack for personal gain.

A spokesman for the Russian embassy declined to answer questions about allegations that his government is associated with ransomware criminals and that state officials are involved in cybercrime. “We will not comment on prosecutions or rumors,” said Anton Azizov, a deputy spokesman at the embassy in Washington.

Proving links between the Russian state and ransomware gangs is not easy. Criminals hide behind pseudonyms and regularly rename their malware strains, confounding Western law enforcement agencies.

However, at least one ransomware operator has been linked to the Kremlin: Maksim Yakubets, 33, best known as a co-leader of a cyber gang that cheekily calls itself Evil Corp. Ukrainian-born Yakubets has a flashy lifestyle. He drives a customized Lamborghini supercar with a personalized license plate that translates to “thief,” according to the United Kingdom’s National Crime Agency.

Yakubets began working for the FSB in 2017 and was tasked with projects including “obtaining confidential documents by cyber-enabled means and performing cyber-enabled operations on its behalf,” according to a December 2019 US indictment. At the same time, the US Treasury hit Yakubets with sanctions and offered a $5 million reward for information leading to his capture. It said he was known to be “in the process of obtaining a license from the FSB to handle confidential Russian information.”

The indictment charged Evil Corp with developing and distributing ransomware that has stolen at least $100 million in more than 40 countries over the past decade, including payroll funds stolen from towns in the central United States.

By the time Yakubets was indicted, Evil Corp had become a major ransomware player, security researchers say. By May 2020, the gang was distributing a ransomware strain used to attack eight Fortune 500 companies, including GPS device maker Garmin, whose network was offline for several days after the attack, according to Advanced Intelligence.

Yakubets remains at large. But another Russian, currently imprisoned in France, may offer more insight into the arrangement between cybercriminals and the Russian state. Alexander Vinnik was convicted of laundering $160 million in criminal proceeds through a cryptocurrency exchange called BTC-e. A 2017 US indictment alleged that “some of the largest known providers of ransomware” were among those who used the exchange, which it said laundered $4 billion. However, Vinnik cannot be extradited until he completes a five-year French prison sentence in 2024.

Even so, a 2018 study by the nonpartisan think tank Third Way found that the odds of successfully prosecuting the perpetrators of cyberattacks against US targets, of which ransomware and online bank robbery are the most costly, are less than 3 in 1,000. Experts say those odds are getting longer.

While this week’s sanctions send a strong message, many analysts believe they are unlikely to deter Putin unless the financial pain hits closer to home.

That may require the kind of large-scale multinational coordination that followed the 9/11 terrorist attacks. For example, allied nations could identify banking institutions known to launder ransomware proceeds and cut them off from the global financial community.

“If we can track the money, disrupt it, and remove the financial incentives, it will be a great help in stopping ransomware attacks,” said John Riggi, a cybersecurity adviser to the American Hospital Association and a former FBI official.

The Associated Press writer Angela Charlton of Paris contributed to this report.