First there was Colonial Pipeline. Then the world’s largest meat supplier.
And this weekend, a ransomware group called REvil struck another business, demanding $70 million in payment to unlock the systems of the software company Kaseya. By compromising Kaseya, the attackers reached the businesses that rely on its software, meaning dozens and dozens of organizations experienced the attack, from a Swedish grocery store chain to schools in New Zealand.
This isn’t REvil’s first strike (the group was reportedly behind the meat processor hack), and it followed the same playbook as other ransomware attacks: hold systems hostage — maybe a huge business, maybe a hospital system, maybe a local government — and then demand payment to unlock them.
But this REvil ransomware attack is one of the biggest yet. It’s a sign that these cyber extortions are only getting worse.
What to do about ransomware attacks is a big, complex problem. A major challenge is that though the attacks are usually carried out by criminal groups, these organizations often operate, if not at the direction of, then at least with the tacit approval of the governments in the countries they’re based in.
Russia is the big one. While it’s not publicly known exactly where REvil’s hackers are located, the group speaks Russian and is thought to operate out of either Russia or another former Soviet state. Its suspected ties to Russia are bolstered by the fact that REvil reportedly uses code that checks to make sure its targets are not located in a country that’s part of the Commonwealth of Independent States — an organization of former Soviet countries that includes Russia.
But unlike Russian state hackers who, say, interfere in US elections at the behest of Russian President Vladimir Putin, experts say these criminal groups instead just benefit from Putin’s benign indifference. They can do whatever they want to do, as long as they don’t target Russia.
Biden brought this up with Putin during their summit last month. “Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said after the meeting.
That message may not have gotten through, though, if this weekend’s REvil attack is any indication. To get a better sense of what tools the Biden administration does have, and what needs to happen at a foreign policy level, I spoke to Christopher Painter, a former federal prosecutor of cybercrimes and a former top US cybersecurity diplomat.
Foreign cooperation, Painter said, was a key component to making progress, as both the ransomware groups and their victims exist all over the world. “Cybercrime is almost always an international issue,” he said. “Even if I was a criminal in New York, and I was attacking someone in New York, I’d route my communication through five different countries to make it hard to find me. So with that, international cooperation and commitment is really paramount.”
A transcript of our conversation, lightly edited for length and clarity, follows.
I think a good place to start would be: What are “ransomware attacks”?
It is largely criminal groups who are getting into computers through any number of potential vulnerabilities, and then they essentially lock the systems — they encrypt the data in a way that makes it impossible for you to see your files. And they demand ransom, they demand payment. In exchange for that payment, they will give you — or they claim, they don’t always do it — they claim they’ll give you the decryption keys, or the codes, that allow you to unlock your own files and have access to them again.
That is what traditionally we say is “ransomware.” That’s been going on for some time, but it’s gotten much more acute recently.
There is another half of that, which is that groups don’t just hold your files for ransom, they either leak or threaten to leak or expose your files and your information — your secrets and your emails, whatever you have — publicly, either in an attempt to embarrass you or to extort more money out of you, because you don’t want those things to happen. So it’s split now into two tracks, but they’re a combined method of getting money.
We’ve recently had some high-profile ransomware attacks, including this recent REvil incident. Is it that we’re seeing a lot more of them, or they’re just bigger and bolder? How do you assess that ransomware attacks are becoming more acute?
We’ve seen this going on for some time. I was one of the co-chairs of this Ransomware Task Force that issued a report recently. One of the reasons we did this report was we’re trying to call greater attention to this issue. Although governments and law enforcement were taking it seriously, it wasn’t being given the kind of national-level priority it deserved.
It was being treated as more of an ordinary cybercrime issue. Most governments’ attention is focused on big nation-state activity — like the SolarWinds hack [where suspected Russian government hackers breached US government departments], which are important, and we need to care about those. But we’re very worried about this, too.
It’s especially become more of an issue during the pandemic, when some of the ransomware actors were going after health care systems and health care providers.
That combined with these big infrastructure attacks — the Colonial Pipeline clearly was one of them. Another one was the meat processing plants. Another one was hospital systems in Ireland. You also had the DC Police Department being victimized by ransomware. These things are very high-profile. When you’re lining up for gas because of a ransomware attack, and you can’t get your food because of a ransomware attack, that brings it home as a priority. And then, of course, you have what happened this past weekend. So ransomware has not abated, and it continues to get more serious and hit more organizations.
And so for the REvil attack this weekend, what made this attack unique?
It was what they call a “supply-chain attack.” If you went just after a municipality or business, you only have one entity targeted. This REvil attack allowed the malicious code to spread to all the organizations that the company [Kaseya] serviced, and so that will affect them and make them all targets and victims of this.
What is the advantage, or goal, of a supply-chain attack like this?
The advantage of this system is that by going after this one point of vulnerability, they’re able to access and victimize lots of victims all over the place. They have lots of different targets they can go after. They’ll still go after high-value targets and ones that can maybe pay a lot. But this certainly gave them, it looks like, many, many victims.
There are reports that REvil is based in Russia or another Eastern European country allied with Russia. What kind of relationships do these ransomware attackers have with nation-states?
They’re all over the map. There are countries that provide safe havens to them. Some of them do it because they didn’t have the capability to go after them or the resources. And for those countries, you want to build better capacity. You want to do joint investigations, you want to help them.
There are others — and Russia falls in this category — where, at best, they’re turning a blind eye to these groups. They’re providing safe havens more wittingly. They may not track what these groups are doing that closely, but at the same time, they don’t seem to care about it or take action, as long as those groups aren’t going after targets in Russia. That’s somewhat in line with Putin’s larger international view, which is causing disruption and chaos in the West.
Now, there is this range of state responsibility where sometimes groups are acting at the behest of the countries, of the states, so they’re proxy actors. Sometimes, there’s corruption involved — so even though states are not sanctioning groups, individuals are being paid off.
So Putin is basically like, “You’re cool as long as you’re not bothering me”?
Biden said there’s no evidence that the Colonial Pipeline group was acting on the Kremlin’s behalf. That doesn’t mean that the state doesn’t have responsibility when they’re essentially allowing these groups to operate with impunity.
There have been all these international processes on cyber for years now, particularly at the United Nations. Back in 2015, there were a number of cyberspace voluntary norms adopted. But there’s some language in those reports that really validates that if malicious conduct is coming from a country, there’s an expectation to take steps to try to control it. That just reinforces this idea that you can’t just say, “Hey, not me,” and wash your hands. There are reasonable expectations — and certainly Biden drove that home with Putin.
Is terrorism a good analogue for these ransomware attackers?
To some extent. Countries shouldn’t allow terrorists to operate in their territory, particularly when we’re having these infrastructure attacks that can be really debilitating. Those are things where it’s perfectly fair to say to a state, “You have a responsibility to do something about this.”
What tools are available to get somebody like Putin to take action?
Now, the harder part of that issue is that getting Russia to do anything is not that easy. We traditionally haven’t been very good at getting Russia to change its calculus. But that’s one thing we have to do. If they’re going to continue to provide safe haven, we’ve got to use every tool we have and work with our allies and partners. It’s not just us, because other countries are victims, too.
On the positive side, Putin is more likely to do something about this because it’s not him. If you tell him to do something about SolarWinds or election interference, that’s one thing. If you tell him to do something about some rogue criminal groups if they’re not helping him? He might say, “Fine.” There’s at least a glimmer of hope.
Is Russia these attackers’ main affiliation or home base, or are there other countries that are letting these groups operate with impunity?
I think Russia is one of the main ones. There’s some other countries they operate in that we’ve seen in the past — other actors in Eastern Europe and other places. But Russia has certainly been one of the primary ones.
As you suggested, it’s not like Putin is the most responsible global actor. But what are some steps that Biden could take to really put that pressure on Putin?
We haven’t been that good at it. In the last administration, President Donald Trump questioned whether Russia was even responsible for stuff, so whatever people in that administration were doing — whether it was sanctions or anything else — was undercut by the president saying, “I don’t know if Putin’s responsible.” At least we now have strong, clear messaging.
That obviously makes a big difference if you’re trying to change the calculus of another country to get them to act. When the Obama administration did intellectual property negotiations with China, it took about two years to get them to come to the table. We indicted some of their People’s Liberation Army officers, we threatened sanctions. Right on the eve of the summit, [President Xi Jinping] sent a delegation to negotiate with us. We were able to reach a deal, which actually had some effects for a couple of years before things fell apart with China more generally, because we used all the tools we had.
We didn’t make it a cyber issue; we made it an issue with the overall relationship between the US and China. President Barack Obama said back then, “Look, this is a big enough issue that it’s a core issue in our relationship, and we’re willing to take friction in the overall US-China relationship.” We need to do the same with other countries, including Russia.
Now, there are not as many levers to pull with Russia as there are with China. China cares more — at least they used to — about their global reputation. But we haven’t really gone after the things that Putin cares about, like his own money flows. We can look at other areas outside the cyber area that Putin wants; you’re only going to change his behavior if it’s something that appeals or it’s something he wants to avoid. We haven’t used all the tools we can.
What you need is a sustained, strategic effort. And not just by us but [also] working with others to ratchet up the pressure — Germany, Europe, the UK. The G7 has a very strong statement on this, NATO had strong statements on this, which I think were good.
You can think even about other capabilities, potentially using US Cyber Command tools to disrupt these groups, similar to what was done with the Internet Research Agency [the Russian troll farm that spread political propaganda] in the 2018 election, apparently from documents that were “leaked.”
You’ve got to be very, very careful about this. You don’t want to violate international law. You have to be worried about escalation. But if you said to Russia, “Look, take action, and maybe we have to take action if you don’t,” that’s something that has to at least be on the table.
Is part of the challenge that this is a bit of a gray area when it comes to international or even national laws?
These ransomware attacks are violations of US law. If we can get our hands on these guys, we could clearly prosecute them. There are gaps where countries don’t have good cybercrime laws. We’ve been pressing that for a long time. But that’s not really what’s happening here. In this case, it’s more a safe-haven issue.
You also mentioned the United Nations and its norms, but are they just a step behind all of these ransomware groups?
The United Nations is mostly focused on nation-state activity. It’s things like, “Don’t attack the critical infrastructure of a country in peacetime, don’t go after the emergency response teams, or, like, ambulances or hospitals, supply-chain issues.” To the extent the state is complicit in these activities and is using them as proxies, those kinds of rules of the road would apply.
There’s still work to be done at that UN level on what is international law in this space, what are the rules of the road with nation-state activity. But these ransomware attacks are criminal activities. And it’s illegal when they do this.
So one way to disincentivize these ransomware attackers is to put that systematic and strategic international pressure on their hosts, like Russia. But are there other ways to punish these groups?
The reason these groups are doing this is [that] they’re getting money easily. And the risk is very small. Why wouldn’t criminals do this? And when other criminals see how successful these groups are, more will come.
If we made it much harder for them to get money, then they’re likely to turn to something else and away from this. But we haven’t done that.
Now, there are complications in that. That was one area where our Ransomware Task Force — which had, like, 60 people, including former government officials, people from the insurance industry, people from security companies — couldn’t reach a consensus. There were some who said, “Cut off the money and you’re going to cut off the groups.” There are others who said that would victimize the victims more if we did that. It puts a hardship — maybe not on the big companies that can afford it, but the small- to medium-sized businesses.
So what we suggest in the report is sort of a glide path, including making resources available for companies to help them not pay the ransom but restore their systems.
We also said there are certain things that should be in place. For instance, we think there should be a mandatory obligation to report ransomware payments. There is not [one] now, and we don’t even know of a lot of ransomware events that happen. That also helps governments, law enforcement agencies, and others to trace these down, because you have to give details of what you’ve been asked for, how you sent the money, things that they took, things that will help law enforcement efforts, either in hunting these people or disrupting their operations.
Victims should consider alternatives before paying. I think one of the problems now [is that] companies aren’t ready for this, but there are resources out there. There’s something called the No More Ransom Project that Europol [the EU’s law enforcement agency] operates. One of the things they do is, they can sometimes provide keys to help decrypt without paying the ransom. So making those resources more accessible to folks is important.
And then going after cryptocurrency — not going after cryptocurrency as a thing, because whatever you think of cryptocurrency, it’s here to stay — but enforcing existing obligations like know-your-customer rules so it’s harder for those payments made to these criminals to be used. You have to have different points of attack.
You mentioned some resources like No More Ransom. Are there any good examples of government or private entities working together to disrupt these ransomware attacks?
There’s been some good multinational operations — like one Europol was involved in, the US was involved in — in taking down some of the ransomware infrastructure, called Emotet. That was a pretty big operation that had an effect for a short period of time. Other big security firms have been working on this, but I don’t think there’s been a huge breakthrough.
What is the global impact of these ransom payments? In other words, when we’re paying these ransoms, do we know if they are flooding into longstanding international criminal networks, such as drugs or arms traffickers, that already cause global chaos?
We need a better sense of that. It’s very possible this is flowing into all kinds of other illegal enterprises. The Office of Foreign Assets Control at the US Treasury has warned of exactly this, saying, “Be careful, because you might be violating the OFAC rules if you’re paying ransom, because it could go to some of these foreign groups that have sponsored terrorism and other things.”
That’s caused some stir, because some potential victims were like, “Well, how do we know?” But that’s exactly the problem.
What do you think will be the tipping point that will force sustained international action?
I think we’ve kind of reached a tipping point. I think the tipping point happened when we had the Colonial Pipeline attack, once it started focusing on things everyday people understand. It was critical infrastructure that could have resulted in death and injury. That, I think, changed the game and got people’s attention.
You had ransomware rush to the top of the agenda of the G7. I used to be involved in G7, and you know how those groups work — usually, to get something on the agenda you have to work on it for six or eight months. For it to appear suddenly, when you had climate change and Covid as the main topics, is pretty remarkable. And then the NATO and the Putin summits, where it jumped to the top of the agenda.
And then in the US, the Department of Justice has been doing work on this. The Department of Homeland Security has launched a 60-day “sprint” focusing on this. I think the White House is really focused on this. You had those commitments made in those forums like the G7 and NATO, which talked about national plans going forward. I think the US and other countries are now thinking of this as a national security issue.
But we’re not set up to respond fully yet. That started the wheels; they’re moving relatively quickly to get there. It’s still going to take time. This is not something we’re going to be able to solve overnight. It’s going to take some sustained work and pressure.