Russia nixes US charges against REvil defendants as cooperation fizzles

Crimeans wave Russian flags as they celebrate the first anniversary of the referendum on March 16, 2015, in Sevastopol, Crimea. (Photo by Alexander Aksakov/Getty Images)

Blaming the United States for a lack of cooperation, Russia will not charge the defendants in the REvil case with any attacks on Americans or American businesses, according to Russian media reports last week. Whatever progress the United States had made under the Biden administration in encouraging Moscow to address its harboring of cybercriminals appears to be at a standstill.

"America doesn't care about Russian hackers," read the headline of the Russian newspaper Kommersant.

Russia arrested eight members of the REvil group in January based on tips from U.S. intelligence. According to Kommersant, the U.S. has not continued to engage with Russia. The Department of Justice declined to comment on the matter. The REvil defendants, linked to attacks on major corporations and supply chain nodes, will now only be charged with credit card fraud against two Mexican citizens living in America.

Curbing ransomware and cybercrime requires several levels of action, according to the multistakeholder Ransomware Task Force, of which network defense is only one aspect. A single enterprise blocking a single attack protects that organization but does not affect the long-term viability of the crime — criminals will move on to the next target, and will live to develop new attacks and try again. Hampering the criminal ecosystem, the task force suggested, will require collective action across nations, particularly breaking up crime in nations reluctant to prosecute it.

"[Russian cooperation] is essential because most of these actors are operating from within Russia's jurisdiction and our leadership is not yet willing to exercise extraterritorial action in order to gain custody of these actors," said Megan Stifel, co-chair of the Task Force and chief strategy officer of the Institute for Security and Technology.

The REvil arrests came after months of U.S. and international pressure on Russia to deal with the cybercriminal gangs inside the country. REvil ransomware was used in attacks on meat producer JBS, the supply chain attack on Kaseya, and other big-ticket targets. While the group briefly shut down before the arrests, potentially because of law enforcement risk, REvil has recently reemerged.

Russian cooperation on ransomware has always been tenuous, with many onlookers immediately assuming Russia was at best trying to provide the minimum effort to avoid sanctions, and at worst trying to make a case to allow it to attack Ukraine without international interference that would jeopardize the ransomware crackdown.

"I have had low expectations regarding Russian cooperation on cybercrime ever since the Crimean invasion in 2014. From the Russian perspective, it has not been in their interest to clamp down on this kind of criminal activity; it served too many valuable purposes," said Michael Daniel, president and chief executive of the Cyber Threat Alliance and former White House Cybersecurity Coordinator. Allowing external attacks keeps the groups from attacking domestic targets, establishes technical might, needles Western nations, incentivizes capitulation to Russia, and provides cover for state attacks like NotPetya that are designed to look like ransomware.

The war in Ukraine may have strained relationships between Russia and the West to a point where cooperation is impossible, said Stifel, who was optimistic about the growing relationship until then.

"At this point, though, relations have deteriorated to the point that Russia likely does not see any benefit to maintaining whatever minimal cooperation was occurring. Until the war ends, I don’t see the situation changing, nor do I see any real levers left to pull," Daniel said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
