Post Colonial and JBS, Biden presses Russia to stop harboring ransomware gangs

Press Secretary Jen Psaki takes questions from reporters during a press briefing Monday, Feb. 1, 2021, in the James S. Brady Press Briefing Room of the White House. Psaki told reporters that Biden would bring up Moscow’s inaction against its homegrown ransomware industry during an upcoming summit with Russian President Vladimir Putin (Officia...

At the White House press briefing Wednesday, Press Secretary Jen Psaki told reporters that President Biden would bring up Moscow's inaction against its homegrown ransomware industry during an upcoming summit with Russian President Vladimir Putin. Elsewhere, Secretary of State Antony Blinken said in an on-air interview that Russia needed to take responsibility for the criminals within its borders.

It is the most coordinated and forceful message to come from the White House about Russia's inability or unwillingness to police rampant cybercrime originating from its shores.

"There are lots of other things going on in the world right now. We have COVID, and ships burning off of Sri Lanka; so [for ransomware] to even get into the talking points suggests to me that there's a real recognition of the risk," said Megan Stifel, executive director for the Americas at the international advocacy group the Global Cyber Alliance, and co-chair of the Ransomware Task Force.

Cybersecurity experts and government officials believe that Russia allows cybercriminals to operate within its borders so long as they do not orchestrate crime against Russians. That’s believed to be the primary reason malware, including the DarkSide ransomware used in the recent Colonial Pipeline hack, will not install on systems set to use Cyrillic keyboards. The makers of DarkSide were comfortable enough in their safety to issue press releases and grant media interviews.

On paper, a key part of deterring ransomware attacks against businesses, cities, hospitals and critical infrastructure should be bringing those criminals to justice. Moscow’s passivity leaves international law enforcement to treat Russia as a de facto non-extradition country for cybercriminals. That can become infuriating in cases like Colonial, where ransomware significantly impaired gasoline distribution across the East Coast and became a threat to national security.

“This is an issue that we have discussed with the Russian government — this specific issue — and we’ve discussed it in the past, and delivered the message that responsible states do not harbor ransomware criminals,” said Psaki at the press conference. 

The White House comments come amid an all-hands-on-deck ransomware flurry for the Biden Administration. On Wednesday, the FBI attributed the business interruption at leading meat supplier JBS to REvil and Sodinokibi ransomware. Also on Wednesday, Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology, sent an open letter urging the business community to start using commonly advised security practices to defend against ransomware. And an order from the Transportation Security Administration aimed at curbing attacks like the one against Colonial is only a week old.

Such acknowledgement of the problem does not necessarily mean the administration will take all the steps needed to have a significant impact. But it is a first step at least, said Stifel. 

“Words are nice but need to be followed up with actions,” she noted. 

One issue with Russia has always been the lack of incentives the United States has to offer to force fair play. The Justice Department currently uses a strategy of indictments and arrests of ransomware operators and other cybercriminals when they holiday in extradition countries. The Ransomware Task Force suggests bolder strategies like increasing sanctions or even refusing visa applications until Russia meets basic responsibilities. 

Stifel notes that most solutions require international cooperation as a force multiplier to deal with Russia. There is certainly international interest, ranging from a G7 statement in October to an Australian member of parliament Wednesday urging the prime minister to “release the hounds” on ransomware.

Psaki referred to fostering international partnerships during her press briefing. 

“There are other countries, many of whom we will see when the President is in Europe, who have similar concerns.  So we expect this to be an issue of discussion throughout the President’s trip,” she said.   

What form international cooperation will take remains to be seen. There are legitimate criticisms of relying on sanctions or visa restrictions. For example, there is a finite number of sanctions the U.S. can impose on Russia – a limit the U.S. is barreling toward even without ransomware – and the visa suggestion has been described by critics as disproportionate.

“This is where we really need to start thinking creatively,” said Stifel.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
