Russian cooperation in ransomware could ‘fully cease’ amid Ukraine row

Pro-Ukrainian activists gather for demonstration against Russian aggression in front of the White House on Feb. 6, 2022, in Washington. Russia has amassed tens of thousands of troops on its border with Ukraine. Cyber experts warn that sanctions resulting from the row could squash any progress in cooperation on ransomware counter measures. (Photo by...

Just a few month ago, before Russia began positioning troops for a potential invasion of Ukraine, the major geopolitical friction between the West and Moscow was Russia's harboring of cybercriminals. Some of that tension began to dissipate when Russia started to make impactful arrests of ransomware gangs in January.

But with the emerging showdown with NATO, Russia's assistance in last year's biggest threat may be tenuous at best.

"If the U.S. responds with severe sanctions against the Russian economy for invading Ukraine, as is expected, I fully expect Russian newly found cooperation on ransomware to fully cease," said Dmitri Alperovich, head of the Silverado Policy Institute, who made his name as the founder of CrowdStrike. "In fact, it's quite possible they will release the criminals they have arrested this year, which would send a signal to the criminal underground that it's open season on Western organizations."

For years, Russia's leniency toward domestic cybercriminal groups targeting victims outside the Russia-lead Commonwealth of Independent States has been a driver of those groups' success. Many of the most prominent strains of ransomware are hardcoded not to deploy on systems with Russian-language keyboards installed. After the Colonial Pipeline and JBS ransomware attacks rattled the United States in early 2021, the public/private collaborative Ransomware Task Force listed incentivizing Russia to govern its own citizenry as an irreplaceable component of an anti-ransomware strategy.

The ransomware issue was front and center leading up to a summit between presidents Joe Biden and Vladimir Putin over the summer, and the head of Russia's FSB intelligence agency said Russia would cooperate on ransomware after the meeting. In January, Russia arrested members of the REvil and InFraud cybercrime groups. Last week, Russia announced it had disrupted a third group of cybercriminals.

Even as all of this occurred, there was widespread skepticism that Russia was making a full-throated statement that crime would be unacceptable.

"The Russians are always trying to game the U.S., so they're not turning over a new leaf. It's calculating how much it will take to pacify the Americans," James Lewis, director of the Strategic Technologies program at the Center for Strategic and International Studies and a former cyber-diplomat for the United States told SC Media in January.

REvil, for example, was no longer an active group when Russia made its arrests.

But the cooperation the West has seen, whether or not it is Russia's best effort, is not a given as Moscow turns its attentions toward Ukraine.

Russia positioned 100,000 troops along the Ukrainian border for an invasion that the United States has said could begin at "any time." Markets have begun to bake-in the effect of retaliatory sanctions the U.S. will likely levy against Russia in response to an invasion, and the U.S. has warned manufacturers that Russia may hinder raw materials critical for semiconductors that ship from Ukraine.

Among Russia's counterstrikes against U.S. sanction may be the recent enforcement efforts against cybercriminals.

"If Russia physically attacks Ukraine using conventional military forces, it will have little incentive to continue whatever limited cooperation it is currently providing on ransomware. And whether it is really cooperating at the moment is the subject of some debate)," said Michael Daniel, former White House cybersecurity coordinator and current president and chief executive of the industry threat sharing group, the Cyber Threat Alliance. "I would not expect any further arrests or actions against ransomware operators physically located in Russia for the duration of the conflict."

Though there have been government actions to try to improve baseline security, ransomware remains a threat to American businesses and infrastructure. According to a Chainalysis report issued Monday, $400 million in ransom — 74% of all ransom paid — went to groups associated with Russia in 2021.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.