The sudden move by Russia’s top law enforcement agency to conduct a very public takedown of the REvil ransomware operation has set tongues wagging about how diplomacy may hold the key to slowing big-game ransomware attacks.
The sting operation, which was followed by a carefully crafted announcement that it was done “at the request of the United States,” comes amidst a larger Russia-Ukraine geopolitical conflict that is already being linked to data-wiping malware attacks and targeted website defacements.
The U.S. government has publicly blamed Russia for ignoring multiple high-profile ransomware attacks that crippled gas pipelines and disrupted food and beverage operations, and the White House last year insisted on “follow-up actions” after sharing data on Russian ransomware wealth transfer activity.
Now, it appears the Russians are signaling a solitary follow-up action in a very deliberate manner, a move no doubt tied to larger diplomatic negotiations surrounding military conflict and economic sanctions.
It’s worth closely examining the five major signals being sent to understand how the ransomware ecosystem shakes out the rest of this year:
1. Ransomware can be (partially) solved with diplomacy:
Everything about this operation screams .gov diplomacy at work. The Russians put on a show, posting raid videos alongside a carefully orchestrated announcement that the crackdown was a gift to the Americans.
The FSB press release made it very clear that it was a response to a request from the U.S., an obvious signal it was willing to use its law enforcement reach to cooperate on cybersecurity issues.
While many remain skeptical (more on the choice of REvil as the target later), this is confirmation that a willing government can effectively thwart major cybercriminal activity, especially activity with geopolitical and national security implications. A few meetings by politicians could lead to a sudden law enforcement directive and the eventual knee-capping of cybercriminals.
It shows that an all-hands global law enforcement initiative can provide comfort to network defenders struggling to pry ransomware from corporate networks.
2. REvil was low-hanging fruit:
It’s interesting that the Russians chose REvil to be the target for this operation. The truth is that REvil’s malware operation was already compromised by U.S. government and law enforcement allies in the west.
As I wrote last October, a U.S.-led law enforcement hack-back operation led to the seizure of Tor servers and effectively crippled REvil after the gang was blamed for the Kaseya supply chain compromise and the attack on meat processor JBS. (The Colonial Pipeline hack was the work of DarkSide, not REvil.)
Since REvil was already disrupted and its operators known by U.S. authorities, it was pretty easy for Russia’s negotiators to publicly signal it may be cooperative on other bigger fish if the Americans are willing to make bigger deals.
I asked someone deep in the nation-state malware tracking space for his take and his response makes total sense: “It’s obvious what the signal is. It’s also important that the signal is correctly understood by everyone. You asked us to do something about ransomware and we did. Now what will you do for us?”
3. Driving fear into criminal gangs:
A big side-effect of this takedown will be deterrence. Regardless of the charges — those arrested face lighter money-laundering charges because cybercrime laws require Russian victims — there is nothing fun about being incarcerated in Russia, especially in January.
While most of those arrested are believed to be low-level REvil affiliates in the ransomware ecosystem, it is a direct lesson to the masterminds and gang leaders that they are expendable assets in diplomatic negotiations.
This deterrence will likely lead to a noticeable decline in brazen attacks and more attempts by cybercriminals to cover their tracks or shut down entire operations, much like we saw with DarkSide after the Colonial Pipeline hack.
4. The Iran-North Korea ransomware connection:
While the REvil takedown is being viewed through the lens of the U.S.-Russia relationship, there are at least two nation-states — North Korea and Iran — using ransomware attacks and crypto-bank heists to get around economic sanctions.
If the Russians can use ransomware damages as leverage in negotiations, it sets a precedent for other nations to pursue the same strategy. North Korean hackers stole a whopping $400 million worth of cryptocurrencies in 2021 and there are documented ransomware attacks coming from nation state-backed actors in Iran.
Expect to see these .gov threat actors outsourcing sanctions-busting ransomware operations to mercenary private sector actors in attempts to dodge attribution or set up future diplomatic negotiations.
5. The value of (good) attribution:
One of the more interesting things to watch is the U.S. government’s use of a high-quality attribution in the new “sand-and-friction” strategy being used to disrupt apex predators, including actors in the ransomware ecosystem.
The strategy includes multi-agency advisories with specific warnings about targeted APT activity and the use of direct attribution on social media to expose tools and IOCs to help defenders. This high-quality attribution is crucial for the level of .gov information sharing that leads to REvil gang arrests.
Attribution can be a tricky discipline, but its value has never been more urgent.
It’s important for the cybersecurity industry to understand the twists and turns of the ransomware ecosystem, even when governments and diplomats take control of the conversations.