Ransomware, Governance, Risk and Compliance

New research solidifies case for symbiotic relationship between Russia and its ransomware ecosystem

Share
GENEVA, SWITZERLAND – JUNE 16: (L-R) U.S. Secretary of State Antony Blinken, U.S. President Joe Biden, Russian President Vladimir Putin and Russian Foreign Minister Sergei Lavrov meet during the U.S.-Russia summit at Villa La Grange on June 16, 2021 in Geneva, Switzerland. A new report finds signs that efforts from the U.S. and allies to call...

A new report from threat intelligence firm Recorded Future reinforces what many in the cybersecurity, threat intelligence and national security spaces have been saying for years: that while the Russian government almost certainly doesn’t exert direct control over ransomware groups inside its borders or guide them to individual operations or targets, there is strong evidence that these two parties do enjoy a symbiotic relationship that incentivizes Moscow to look the other way as these groups wreak havoc overseas.

These relationships between the Russian government and the ransomware criminal ecosystem are, the report notes, indirect, amorphous and “based on spoken and unspoken agreements” as well as “fluid associations.” While President Vladimir Putin has dismissed claims that such a relationship exists, the Russian government’s robust surveillance system gives it visibility over ransomware operations taking place within their borders, and they are also able to exercise a substantial amount of control over the resources – like local servers, hosting and other infrastructure – that these cybercriminal groups rely on to survive.

That these groups are permitted to operate more or less autonomously (while often studiously avoiding Russian targets) points to deliberate tolerance, if not “tacit approval” on the part of the Russian government.

These relationships tend to come in three different flavors: direct, a “see no evil” posture towards cybercriminal groups whose work overlaps with or is beneficial to Russian state interests, and demonstrable associations – such as recruitment – between Russian intelligence or law enforcement operatives and the cybercriminal underworld. the latter often involves operations where such associations are not visible, but where the two entities are clearly sharing tools or personnel. For example, ransomware groups disrupting the IT ecosystem of geopolitical rivals like the U.S. and its critical infrastructure, or serving as a proving ground for Russian intelligence agencies to recruit talent into their own ranks, are just some of the benefits this position creates.

However, despite the widespread idea that Putin simply doesn’t care or is immune to international pressure on this issue, Recorded Future believes there are signs that he is starting to feel more pressure on the international stage. Attacks on Colonial Pipeline, JBS and Kaseya all conducted by ransomware groups believed to be based in Russian, as well as the Biden administration’s renewed public emphasis and efforts to specifically call out the Russian government and Putin for their role protecting these cybercriminal groups on the world stage – may be putting increased pressure for a response. Some of the groups behind these attacks have gone underground or claimed to have disbanded.

While “new” (or more likely rebranded) groups have emerged to take their place, it is notable that a number have explicitly pledged to avoid attacking targeted viewed as critical infrastructure.

“It is widely known that the groups behind these attacks are located in Russia; the lack of action by the Russian government only highlights the apparent complicity of the Kremlin in these efforts,” according to the report. “This pressure already appears to have yielded statements that indicate a potential change in relation to ransomware operations, such as the recent BlackMatter ransomware gang’s pronouncements that it will not target critical infrastructure.”

This week, when asked directly whether the U.S. government had noticed any changes in behavior from ransomware groups following the summit with Putin, U.S. National Cyber Director Inglis said the jury is still out on whether those discussions have moved the needle.

“With respect to whether there’s still a permissive atmosphere in the places that essentially have been responsible for the ransomware attacks we’ve seen in the last year or two, and whether there’s been a material change in what the future of that may hold, I think it’s too soon to tell,” said Inglis. “We have…observed in the public domain seeing that those attacks have fallen off, we’ve seen that those kind of syndicates have to some degree deconstructed, but I think it’s a fair bet that they’ve essentially self-deconstructed, that is they’ve essentially gone cold and quiet, to see whether the storm will blow over and whether they can come back.”

Utlimately, he said, combining public and private resources to create ironclad attribution to link these attacks inside Russian borders, break the plausible deniability that the Russian government uses as a shield and rallying international pressure is key to the U.S. long-term strategy.

“There’s got to be some kind of strong intelligence that comes to both public and private sources, and hopefully like-minded nations can assist in that regard, maybe Vladimir Putin can help in that regard. We then need to align actions to consequences,” said Inglis. “There are bad actors we need to bring them to justice in whatever ways are appropriate, using all the legal means before us. What the President has asked [Putin] to do is to assist in that, to essentially clean up the mess on his aisle nine, but it remains to be seen if he will.”  

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.