Ransomware, Governance, Risk and Compliance

Russia makes more arrests, but cybercrime-harboring reputation hard to shake

The Kremlin seen from Park Zaryad’ye in central Moscow on Dec. 3, 2019. (Photo by Misha Friedman/Getty Images)

Russian authorities announced the arrests of four members of the Infraud group over the weekend, according to state media outlet TASS. It is the second such series of arrests in recent weeks for a country that, until recently, had been widely considered a sanctuary for cybercriminals. But experts say it's too soon to consider Russia's harboring days over.

"The Russians are always trying to game the U.S., so they're  not turning over a new leaf, it's calculating how much it will take to pacify the Americans," said James Lewis, director of the Strategic Technologies program at the Center for Strategic and International Studies, and a former cyber-diplomat for the United States.

For years, cybercriminals living in Russia operated with the tacit understanding that Moscow would not investigate anyone targeting foreign victims. That understanding even changed how ransomware is designed — major varieties of ransomware will typically not deploy on a system if Russian-language keyboards are installed. At the same time, Russia used cybercrime as a component of its espionage operations, like in the wiper-disguised-as-ransomware NotPetya.

But the surprise arrests of members of the REvil ransomware group two weeks ago by Russian intelligence threw that reputation into question, a shakeup furthered by the weekend arrests of the Infraud group. Neither group was active at the time of arrest. REvil had been a major affiliate ransomware organization until global law enforcement crackdowns on its servers earlier this year. Infraud, which existed until 2018, was a carding and bank account theft ring.

Pressuring Russia to take on harboring has been a key component of U.S. strategies toward cybercrime. President Joe Biden made it a central issue of his first summit with Russian President Vladimir Putin earlier this year, with several proposals proposing everything from sanctions to visa restrictions if Russia did not comply.

"Russia could have many reasons for taking these actions, which may have nothing to do with wanting to crack down on cybercrime emanating from Russian territory. Thus, it’s too soon to tell what’s going on and why Russia has chosen to arrest these individuals," said Michael Daniel, president and CEO of the industry threat-sharing group the Cyber Threat Alliance and former White House cybersecurity coordinator under President Obama.  

"If they remain in custody and face trial, then that would be a big step forward in indicating a turn towards more responsible behavior. On the other hand, if these individuals are quietly released in a few days, with no further action, then the actions might be for show." 

Daniel said he would be pleased to welcome a Russia to the global community fighting against cybercrime, even if he is not entirely sold if that is their current intent. But even if Russia is not fully on board, Lewis said, a half-measure is still far more than no measure.

"[It's] not necessarily bad if it gets a good outcome and it's probably the best we can hope for," he said. "I still count it as a success for the U.S. as it put the Kremlin on notice."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.