In recent years, ransomware has become a global cybercrime “epidemic”. Ransomware gangs use encryption to lock up data, or threaten to leak it, and extort huge ransoms from local governments, hospitals, schools and enterprises, most of which are left with few options once hit.
The Associated Press recently reported that, according to security researchers, U.S. law enforcement and now the Biden administration, one reason ransomware runs so unchecked around the world is that ransomware criminals are protected by Russian intelligence agencies, and are sometimes even employed by them.
Last week, the U.S. imposed sanctions on Russia for malicious activity, including state-sponsored hacking. Entities on the U.S. Treasury Department’s sanctions list include:
ERA Technopolis. A research center and technology park funded and operated by the Russian Ministry of Defense. ERA Technopolis houses units that support Russia’s Main Intelligence Directorate (GRU), which is responsible for offensive cyber and information operations, and draws on the personnel and expertise of Russia’s technology sector to develop military and dual-use technologies.
Pasit. A Russia-based information technology (IT) company that conducts research and development in support of malicious cyber operations by Russia’s Foreign Intelligence Service (SVR).
SVA. A Russian state-owned research institution specializing in advanced information security systems. SVA provides R&D services for the SVR’s malicious cyber operations.
Neobit. An IT security company based in St. Petersburg, Russia, whose clients include the Russian Ministry of Defense, the SVR and the Russian Federal Security Service (FSB). Neobit conducts research and development in support of cyber operations carried out by the FSB, GRU and SVR.
AST. A Russian IT security company whose clients include the Russian Ministry of Defense, the SVR and the FSB. AST provides technical support for cyber operations conducted by the FSB, GRU and SVR. AST is also designated for providing support to the FSB under EO 13694, EO 13382 and CAATSA.
Positive Technologies. A Russian IT security company that supports Russian government clients, including the FSB.
Russian intelligence also enables ransomware attacks by cultivating and co-opting criminal hackers and providing them with safe haven, the Treasury Department said. Ransomware now costs victims tens of billions of dollars.
Marcus Willett, a former director of cyber at the UK’s GCHQ intelligence agency, recently argued that the scourge of ransomware is “strategically more damaging than state cyber espionage”.
Earlier this year, criticism of a ransomware operator known by the handle “Bugatti” emerged on a Russian-language darknet forum after his gang was caught up in a joint U.S.-Europol operation. Numerous posts on the forum accused Bugatti of technical sloppiness that had led to “heads rolling”, and of recruiting non-Russian members who might be informants or undercover police.
Remarks by a long-time active forum member revealed the ransomware gangs’ reliance on Russia. The member pointed out that Bugatti should never have kept servers outside Russia, which had led to seizures by Western law enforcement. “Mother Russia can help. Love your country and nothing will happen to you,” the member wrote. The conversation was captured by security firm Advanced Intelligence and provided to The Associated Press.
“Like almost every major industry in Russia, cybercriminals work with the tacit approval of the security services, sometimes with explicit consent,” said former CIA analyst Michael van Landingham.
Karen Kazaryan, chief executive of the Moscow-based Internet Research Institute, said Russian authorities have a simple rule: “(Ransomware gangs) never go against your country (Russia) and businesses in this country. If you stole from the Americans, well done.”
Unlike in North Korea, there is no indication that the Russian government profits directly from ransomware crime, although Putin may view the resulting damage as strategically useful.
In the U.S. alone, ransomware hit more than 100 federal, state and municipal agencies, more than 500 hospitals and other medical centers, about 1,680 schools and hundreds of businesses last year, according to an analysis by cybersecurity firm Emsisoft.
The damage to the public sector has included ambulances forced to take detours, delayed cancer treatment, interrupted municipal bill collection, school closures and higher insurance costs, all during the worst public health crisis in more than a century, the coronavirus pandemic.
The idea behind these attacks is simple: criminals infiltrate computer networks with malware, “kidnap” (encrypt) an organization’s data files, and then demand a hefty ransom (as high as $50 million on record) to restore the data, or to stop the criminals from leaking it publicly on the Internet.
U.S. Deputy Assistant Attorney General Adam Hickey said collusion between cybercriminal gangs and the government is nothing new in Russia, noting that cybercrime can provide good cover for espionage.
Kazaryan said that in the 1990s, Russian intelligence regularly recruited hackers for this purpose. Now, he said, many ransomware criminals are also state hackers.
Dmitri Alperovitch, the former chief technology officer of cybersecurity firm CrowdStrike, said the Kremlin sometimes recruits arrested criminal hackers by offering them a choice between prison and working for the state. Such hackers sometimes use the same computer systems both to conduct state hacking and, “in their spare time”, to accumulate personal wealth through for-profit cybercrime, he said, and they may even mix “state missions” with personal business.
The 2014 Yahoo hack is a case in point: more than 500 million Yahoo user accounts were compromised, allegedly including the accounts of Russian journalists and of U.S. and Russian government officials. The United States indicted four men in 2017, including two officers of Russia’s FSB security service. One of them, Dmitry Dokuchaev, worked in the FSB unit that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, mixed the state-directed hacking with private business, using the intrusion for his own personal gain.
A spokesman for the Russian embassy declined to answer questions about the Russian government’s alleged ties to ransomware criminals or the alleged involvement of government employees in cybercrime, The Associated Press reported.
Proving links between the Russian government and ransomware gangs isn’t easy. The criminals operate anonymously online and regularly rename their malware variants, which confuses Western law enforcement agencies.
However, at least one ransomware operator has been confirmed to have ties to the Kremlin, according to the UK’s National Crime Agency. Maksim Yakubets, 33, is the co-leader of a cybercrime gang calling itself Evil Corp. Born in Ukraine, Yakubets leads a lavish personal life and drives a bespoke Lamborghini supercar with a provocative personalised number plate.
According to the U.S. indictment unsealed in December 2019, Yakubets began working for the FSB in 2017 with the task of “obtaining classified documents through cyber means and conducting cyber operations on behalf of the FSB.” At the same time, the U.S. Treasury Department sanctioned Yakubets, and the State Department offered a reward of up to $5 million for information leading to his arrest. He was also said to be in the process of obtaining a license from the FSB to work with Russian classified information.
The indictment charges Evil Corp. with developing and distributing malware used to steal at least $100 million from victims in more than 40 countries over the past decade.
By the time Yakubets was indicted, Evil Corp. had become one of the major players in ransomware, security researchers say. In May 2020, the gang deployed a ransomware variant in attacks on eight Fortune 500 companies, including GPS device maker Garmin, whose networks were knocked offline for days after the attack, according to a report by Advanced Intelligence.
Yakubets himself remains at large. But another Russian, currently imprisoned in France, may offer more insight into the dealings between cybercriminals and the Russian state. Alexander Vinnik was convicted of laundering $160 million in criminal proceeds through a cryptocurrency exchange called BTC-e. In a 2017 indictment, the U.S. alleged that “some of the largest known ransomware vendors” had laundered as much as $4 billion through the exchange.
Ransomware and online bank theft remain a “high-yield, low-risk” business: a 2018 study by the nonpartisan think tank Third Way found that cyber attackers targeting U.S. victims, among them the ransomware and online bank theft criminals who cause the highest losses, face a risk of successful prosecution of no more than 3 in 1,000.
Many analysts believe last week’s sanctions send a strong message, but will not deter Putin unless the economic pain reaches a much higher level.