Petya ransomware attack analysis decryption tool, detected pre reboot

The Kremlin's position in providing a safe haven for ransomware.

Local governments, hospitals, school districts, and companies are being crippled by a global epidemic of digital blackmail known as ransomware, which scrambles their data files before they pay up. Law enforcement has essentially been unable to put an end to it.

One significant explanation is that ransomware rackets are dominated by Russian-speaking cybercriminals who, according to security experts, US law enforcement, and now the Biden administration, are protected — and sometimes hired — by Russian intelligence agencies.

On Thursday, as the US imposed sanctions on Russia for malign activities such as state-sponsored hacking, the Treasury Department said that Russian intelligence facilitated ransomware attacks by nurturing and co-opting criminal hackers and providing them with safe harbor. With ransomware losses now well into the tens of billions of dollars, former British intelligence cyber chief Marcus Willett recently declared the scourge "arguably more strategic than state cyberspying."

Cybercriminals are well aware of the importance of Kremlin security. Earlier this year, a Russian-language dark-web forum erupted with criticism of a ransomware purveyor known only as "Bugatti," whose gang was apprehended in a rare US-Europol joint operation. He was accused by the gathered posters of inviting the crackdown by technological sloppiness and by hiring non-Russian affiliates who might be snitches or undercover cops.

Russian President Vladimir Putin pays a visit to the Russian Government's Coordination Center in Moscow.
Russian President Vladimir Putin pays a visit to the Russian Government's Coordination Center in Moscow.

Worse still, according to one long-active forum member, Bugatti allowed Western authorities to seize ransomware servers that could have been hid in Russia. "Mother Russia will assist," that individual wrote.

"Love your country, and you will never face adversity."

"Like almost every other significant industry in Russia, (cybercriminals) operate with the implicit and often explicit consent of the security services," said Michael van Landingham, a former CIA analyst and founder of the consultancy Active Measures LLC.

Russian authorities follow a simple law, according to Karen Kazaryan, CEO of the Moscow-based Internet Research Institute, which is funded by the tech industry: "Simply put, never operate against your country or its businesses. It is acceptable to steal from Americans."

Unlike North Korea, there is no indication that Russia's government directly profits from ransomware crime, while Russian President Vladimir Putin can view the resulting havoc as a strategic advantage.

Ransomware infected more than a hundred federal, state, and local agencies, upward of 500 hospitals and other health care facilities, approximately 1680 schools, colleges, and universities, and hundreds of companies in the United States alone last year, according to cybersecurity firm Emsisoft.

The cost to the public sector alone is calculated in rerouted ambulances, delayed cancer services, disrupted municipal bill collection, canceled classes, and increasing insurance premiums – all occurring during the worst public health crisis in over a century.

The concept behind these attacks is straightforward: Criminals hack computer networks with malicious data-scrambling software, use it to "kidnap" an organization's data files, and then demand massive fees, now up to A$60 million, to recover them. The most recent twist: if victims do not make restitution, the offenders can post their unscrambled data on the open internet.

Recently, US law enforcement has been collaborating with partners such as Ukraine and Bulgaria to dismantle these networks. However, since the criminal masterminds are out of control, such operations are often reduced to a game of whac-a-mole.

At a concert, Russian President Vladimir Putin.
At a concert, Russian President Vladimir Putin.

Collusion between criminals and the government is not novel in Russia, according to Adam Hickey, a US deputy assistant attorney general who noted that cybercrime can serve as an excellent cover for espionage.

In the 1990s, Kazaryan said, Russian intelligence frequently recruited hackers for this reason. Now, he said, ransomware criminals are just as likely to be state-employed hackers moonlighting as ransomware criminals.

According to Dmitri Alperovitch, a former chief technical officer of the cybersecurity company Crowdstrike, the Kremlin sometimes recruits convicted criminal hackers by giving them an option between jail and working for the state. Occasionally, he said, hackers use the same computer networks for both state-sponsored hacking and off-the-clock cybercrime for personal gain. They can also combine state and private sector.

That is what happened in a 2014 Yahoo hack that compromised over 500 million user accounts, including those of Russian journalists and US and Russian government officials, according to reports. Four men, including two officers of Russia's FSB security service – the successor to the KGB – were indicted in 2017 as a result of a US investigation. Dmitry Dokuchaev was one of them. He worked in the same FSB office that collaborates with the FBI on cyber crime. Alexsey Belan, another defendant, is accused of using the hack for personal gain.

A spokesman for the Russian Embassy refused to respond to questions about his government's alleged links to ransomware criminals and the alleged involvement of state employees in cybercrime. "We make no comment on indictments or speculation," said Anton Azizov, Washington's deputy press attache.

It is not easy to establish ties between the Russian state and ransomware gangs. To confuse Western law enforcement, the criminals use pseudonyms and sometimes alter the names of their malware strains.

However, at least one purveyor of ransomware has been connected to the Kremlin. Maksim Yakubets, 33, is best known as the co-leader of a cybergang dubbed Evil Corp. of arrogance. Yakubets, who was born in Ukraine, leads a flamboyant lifestyle. He drives a customized Lamborghini supercar with a personalised number plate that translates as 'Thief,' according to the National Crime Agency of the United Kingdom.

Yakubets began working for the FSB in 2017, where he was charged with "acquiring sensitive documents by cyber-enabled means and performing cyber-enabled operations on its behalf," according to a US indictment filed in December 2019. Simultaneously, the United States Treasury Department approved Yakubets and provided a $5 million reward for information leading to his arrest. It stated that he was "in the process of obtaining a license from the FSB to work with Russian classified information."

The indictment accused Evil Corp. of creating and spreading ransomware that was used to steal at least A$120 million in over 40 countries over the previous decade, including payrolls stolen from towns in the heartland of the United States.

By the time Yakubets was charged, Evil Corp. had established itself as a major ransomware player, according to security researchers. By May 2020, the gang had distributed a ransomware strain that had been used to target eight Fortune 500 firms, including GPS computer maker Garmin, according to Advanced Intelligence.

President Vladimir Putin of Russia in the Kremlin.
President Vladimir Putin of Russia in the Kremlin.

Yakubets has not been apprehended. However, another Russian currently imprisoned in France could provide additional insight into cybercriminals' dealings with the Russian state. Alexander Vinnick was found guilty of laundering A$207 million in illegal proceeds via the BTC-e cryptocurrency exchange. According to a 2017 US indictment, "several of the largest recognized purveyors of ransomware" used it to launder A$5 billion. However, Vinnick cannot be extradited until he finishes a five-year jail term in France in 2024.

Nonetheless, a 2018 report by the nonpartisan think tank Third Way determined that the chances of successfully prosecuting cyberattackers against US targets — ransomware and online bank fraud being the most costly — are less than three in a thousand. According to experts, those chances have increased.

Though this week's sanctions send a clear message, many experts say they are unlikely to discourage Putin unless the financial sting is felt closer to home.

This which necessitate the kind of huge global cooperation that occurred in the aftermath of the 9/11 terrorist attacks. For example, allied countries could recognize banking institutions that have a history of laundering ransomware proceeds and isolate them from the global financial system.

"If you can track the money, interrupt it, and remove the economic motivation, you can significantly reduce ransomware attacks," said John Riggi, a cybersecurity advisor for the American Hospital Association and a former FBI official.