BOSTON – A global digital extortion epidemic known as ransomware is disrupting local governments, hospitals, schools and businesses by scrambling their data files until they pay. Law enforcement has been largely powerless to stop it.
One big reason: ransomware operations are dominated by Russian-speaking cybercriminals who are protected by, and sometimes work with, Russian intelligence agencies, according to security researchers, US law enforcement and now the Biden administration.
On Thursday, as the United States imposed sanctions on Russia for malicious actions, including state-backed hacking, the Treasury Department said that Russian intelligence had enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them a safe haven. With the damage estimated in the tens of billions of dollars, Marcus Willett, the former head of the British intelligence service, recently said that the plague was “strategically more harmful than the state cyber-spy”.
The value of the Kremlin’s protection is not lost on cybercriminals. Earlier this year, a Russian-language dark web forum discussed a ransomware provider known only as Bugatti, whose gang had been caught in a rare US-Europol sting. The assembled posters accused him of bringing on the crackdown through technical sloppiness, as well as by recruiting non-Russian affiliates who could be informants or undercover police.
Worst of all, according to one active member of the forum, Bugatti allowed the Western authorities to seize ransomware servers that could instead have been sheltered in Russia. “Mother Russia will help,” the man wrote. “Love your country, nothing will happen to you.” The conversation was captured by the security company Advanced Intelligence, which shared it with the Associated Press.
“Like almost every major industry in Russia, cybercriminals operate with the tacit consent of the security services, sometimes openly,” said Michael van Landingham, a former CIA analyst at Active Measures.
The Russian authorities have a simple rule, said Karen Kazaryan, executive director of the Moscow Institute for Internet Research, which is supported by the software industry. “Just never work against your country’s business. If you steal something from the Americans, that’s fine.”
Unlike with North Korea, there is no indication that the Russian government directly benefits from ransomware crime, although Russian President Vladimir Putin may see the devastation as a strategic bonus.
In the United States alone, ransomware hit more than a hundred federal, state and municipal agencies, more than 500 hospitals and other health centers, about 1,680 schools, colleges and universities, and hundreds of businesses last year, according to cybersecurity company Emsisoft.
In the public sector alone, the damage is measured in rising costs of ambulances, delayed cancer treatment, interrupted city billing, canceled classes and insurance costs, all during the worst public health crisis in more than a century.
The idea of these attacks is simple. Criminals infiltrate malware into computer networks, use it to hold corporate data files hostage, and then demand huge payments, now as high as $50 million, to recover them. The latest twist: if victims fail to pay, criminals may publish their unscrambled data online.
In recent months, US law enforcement has worked with partners, including Ukraine and Bulgaria, to break up these networks. But with the criminal organizers out of reach, such actions generally have limited effect.
Cooperation between criminals and the government is not new in Russia, said Adam Hick, a deputy assistant attorney general, noting that cybercrime can provide a good cover for espionage.
Back in the 1990s, Russian intelligence often recruited hackers for that purpose, Kazaryan said. Now, he said, ransomware criminals are just as likely to be moonlighting state-sponsored hackers.
The Kremlin sometimes enlists arrested criminal hackers by offering them a choice between prison and working for the state, said Dmitry Alperovich, former chief technical officer of the cybersecurity company CrowdStrike. Sometimes hackers use the same computer systems for state-sanctioned hacking and for cybercrime for personal gain. They may even mix state and personal business.
That’s what happened in the 2014 hack of Yahoo, which compromised the accounts of more than 500 million users, including Russian journalists and US and Russian government officials. As a result of the US investigation, an indictment was filed in 2017 against four men, including two officers of Russia’s FSB security service, the KGB’s legal successor. One of them, Dmitry Dokucha, worked in the same FSB office that cooperates with the FBI on computer crimes. Another defendant, Alexei Belan, allegedly used the hack for personal gain.
A spokesman for the Russian embassy declined to comment on allegations of his government’s links to criminals and of government employees’ involvement in cybercrime. “We do not blame the indictment or the allegations,” said Anton Azizov, the embassy’s deputy spokesman in Washington.
Establishing ties between the Russian state and ransomware groups is not easy. Criminals hide behind pseudonyms and regularly change the names of their malware strains to confuse Western law enforcement.
But at least one ransomware operator has been linked to the Kremlin. Maxim Yakubets, 33, is best known as the co-leader of the cyber-gang that shamelessly calls itself Evil Corp. Born in Ukraine, Yakubets lives a flashy lifestyle. He drives a customized Lamborghini supercar with a personalized license plate that translates to “Thief”, according to Britain’s National Crime Agency.
Yakubets began working for the FSB in 2017 on projects including “obtaining confidential documents through the cyber system, carrying out cyber operations on its behalf,” according to a December 2019 US indictment. At the same time, the US Treasury Department slapped sanctions on Yakubets and offered a $5 million reward for information leading to his capture. It said he was “in the process of obtaining a license from the FSB to work with Russian intelligence.”
The indictment accused Evil Corp of stealing at least $100 million in more than 40 countries over the past decade, including salaries stolen from downtown cities, and of developing and distributing ransomware to steal $100 million.
By the time Yakubets was charged, Evil Corp had become a major ransomware player, security experts said. Until May 2020, the gang was spreading a ransomware strain used to attack eight Fortune 500 companies, including GPS maker Garmin, whose network was offline for days after the attack, according to Advanced Intelligence.
Yakubets remains at large. Another Russian currently imprisoned in France, however, may offer more insight into dealings between cybercriminals and the Russian state. Alexander Vinnik has been convicted of embezzling $160 million in proceeds of a cryptocurrency exchange called BTC-e. In 2017, a US indictment accused it of “using some of the largest known ransom suppliers” to actually launder $4 billion. But Vinnik cannot be extradited until he has completed his five-year French prison sentence in 2024.
Still, a 2018 study by the non-partisan Third Way research center found that the probability of successfully prosecuting the perpetrators of cyberattacks against US targets, of which ransomware and online banking theft are the most expensive, is no more than three in a thousand. Experts say those odds have since gotten longer.
Many analysts believe that this week’s sanctions send a strong message but are unlikely to deter Putin unless the financial sting gets closer to home.
This may require the kind of multinational agreement that followed the 9/11 terrorist attacks. Allies, for example, could identify banking institutions known for laundering ransom proceeds and cut them off from the global financial community.
“If you can get back the money, save the money, boost the economy, it will go a long way in stopping ransomware attacks,” said Hospital on Riggie, a former FBI official with the Cyber Security Advisor.
Associated Press Paris writer Angela Charlton contributed to this report.