First there was Colonial Pipeline. Then the world's largest meat supplier.
And this past weekend, a ransomware group called REvil hit another company, demanding a payment of $70 million to unlock the systems of the software company Kaseya. By attacking Kaseya, the hackers were able to reach all of its customers, which meant dozens of companies were hit, from a Swedish grocery chain to schools in New Zealand.
This isn't REvil's first attack (the group was reportedly behind the meat processor hack), and it followed the same playbook as other ransomware attacks: hold systems hostage – maybe a huge company, maybe a hospital system, maybe a local government – and then demand payment to unlock them.
But this REvil ransomware attack is one of the biggest to date. It's a sign that this kind of cyber extortion is only getting worse.
What to do about ransomware attacks is a big, complex problem. One major challenge is that, while the attacks are usually carried out by criminal groups, these groups often act, if not on the direction, then at least with the tacit consent of the governments of the countries in which they are located.
Russia is the big one. Although it is not known exactly where the REvil hackers are, the group speaks Russian and is said to be operating from either Russia or another former Soviet state. Its alleged ties to Russia are supported by the fact that REvil reportedly uses code to verify that its targets are not in a country that is part of the Commonwealth of Independent States – an organization of former Soviet countries that includes Russia.
But unlike Russian state hackers who, for example, interfere in US elections at the behest of Russian President Vladimir Putin, experts say these criminal groups merely benefit from Putin's benevolent indifference. They can do what they want as long as they don't target Russia.
Biden brought this up to Putin at their summit last month. "Responsible countries must take action against criminals who carry out ransomware activities on their territory," said Biden after the meeting.
However, this message may not have gotten through, if this weekend's REvil attack is any indication. To get a better sense of what tools the Biden administration has and what needs to happen at the foreign policy level, I spoke to Christopher Painter, a former federal cybercrime prosecutor and a former top US diplomat for cybersecurity.
Foreign cooperation, Painter said, is a key component of moving forward, as both the ransomware groups and their victims exist around the world. "Cybercrime is almost always an international issue," he said. "Even if I were a criminal in New York and attacked someone in New York, I would route my communications through five different countries to make it difficult to find me. Therefore, international cooperation and commitment is really of the greatest importance."
The following is a transcript of our conversation, which has been edited slightly for length and clarity.
I think a good start would be: what are "ransomware attacks"?
It is primarily criminal groups who break into computers through any number of potential vulnerabilities and then essentially lock the systems down – they encrypt the data so that you cannot see your files. And they demand a ransom, they demand payment. In exchange for that payment, they'll give you – or claim they will, though they don't always – the decryption keys or the codes you can use to unlock and access your own files again.
This is what we traditionally refer to as "ransomware". It has been around for a while, but it has gotten a lot more acute lately.
The other half of it is that groups don't just hold your files for ransom, but threaten to release your files and information – your secrets and your emails, whatever you have – publicly, either in an attempt to embarrass you or to extort more money from you because you don't want that to happen. So it's split into two tracks now, but they're a combined method of making money.
We've had some high-profile ransomware attacks recently, including this recent REvil incident. Are we seeing a lot more of them, or are they just bigger and bolder? How do you assess the increase in ransomware attacks?
We've seen this for a while. I was one of the co-chairs of this ransomware task force that recently issued a report. One of the reasons we created this report was to pay more attention to this issue. While governments and law enforcement took it seriously, it was not given the national priority it deserved.
It was treated more as a common cybercrime topic. Most governments' attention is focused on major nation-state activities – like the SolarWinds hack (in which suspected Russian government hackers broke into US government departments) – which are important and which we need to deal with. But this also worries us a great deal.
It has become a bigger problem, especially during the pandemic, when some of the ransomware actors went after healthcare systems and healthcare providers.
That, combined with these major infrastructure attacks – the Colonial Pipeline was clearly one of them. Another was the meat processing plants. Another was the hospital systems in Ireland. There was also the DC Police Department, which was victimized by ransomware. These things are very high profile. If you are waiting in line for gas because of a ransomware attack, or you can't get your food because of a ransomware attack, this is a priority. And then of course you have what happened last weekend. So ransomware has not let up; it is becoming more serious and is hitting more and more companies.
So what was unique about this weekend's REvil attack?
It was a so-called "supply chain attack". If you were going after a municipality or a company directly, you would only have one target. This REvil attack allowed the malicious code to spread to all the organizations that the company (Kaseya) served, so that they all became targets and victims.
What is the benefit or the goal of such a supply chain attack?
The advantage of this approach is that by exploiting this one vulnerability they are able to reach and victimize many victims anywhere. They have many different targets to pursue. There will still be high-value targets, targets that might pay a lot. But it looks like this produced many, many victims for them.
REvil is reportedly based in Russia or another Russian-allied Eastern European country. What relationships do these ransomware attackers have with nation states?
They're all over the map. There are countries that offer them safe havens. Some of them do it because they lack the capability or the resources to track them. For these countries you want to build better capacity. You want to conduct joint investigations, you want to help them.
There are others – and Russia falls into that category – who at best turn a blind eye to these groups. They offer safe havens more consciously. They may not be closely following what these groups are doing, but at the same time they don't seem to care or take action unless these groups have targets in Russia. This is in some ways in line with Putin's broader international outlook, which is about causing disruption and chaos in the West.
Now there is this spectrum of state responsibility, in which groups sometimes act at the behest of the countries, the states, that is, they act as proxies. Sometimes corruption is involved – while the state doesn't sanction the groups, individuals are paid off.
So Putin is basically saying, "You're cool as long as you don't bother me"?
Biden said there was no evidence that the Colonial Pipeline group acted on behalf of the Kremlin. This does not mean that the state bears no responsibility for essentially allowing these groups to operate with impunity.
All of these international cyber processes have been around for years, especially at the United Nations. A number of voluntary cyberspace norms were adopted in 2015. And there is language in these reports that affirms that a country is expected to take steps to control malicious behavior coming from its territory. That reinforces the idea that you can't just say "Hey, not me" and wash your hands of it. There are legitimate expectations – and Biden certainly brought that home with Putin.
Is terrorism a good analogy for these ransomware attackers?
To a certain degree. Countries shouldn't allow terrorists to operate on their territory, especially when we have these infrastructure attacks that can be really debilitating. These are things about which it is perfectly fair to tell a state, "You have a responsibility to do something about it."
What tools are there to get someone like Putin to act?
The harder part of this problem is that getting Russia to do something is not that easy. We have traditionally not been very good at getting Russia to change its calculations. But that's something we have to do. If they continue to provide a safe haven, we must use every tool we have and work with our allies and partners. It's not just us, because other countries are victims too.
On the positive side, Putin is more likely to do something about it because it isn't him. If you tell him to do something about SolarWinds or election interference, that's one thing. When you tell him to do something about some renegade criminal groups that aren't helping him? He could say, "Fine." There is at least a glimmer of hope.
Is Russia the main link or home of these attackers or are there other countries that allow these groups to operate with impunity?
I think Russia is one of the main ones. There are some other countries they operate in that we have seen in the past – other actors in Eastern Europe and other places. But Russia is certainly one of the main ones.
As you suggested, Putin is not the most responsible global actor. But what steps could Biden take to really put pressure on Putin?
We haven't been that good at it. In the last administration, President Donald Trump questioned whether Russia was responsible for things at all. Whatever the people in that administration did – be it sanctions or anything else – was undermined by the president saying, "I don't know if Putin is responsible." At least we now have a strong, clear message.
Obviously, that makes a huge difference when you're trying to change another country's calculation to get it to act. When the Obama administration was negotiating intellectual property with China, it took about two years to get them to the table. We indicted some of their officers in the People's Liberation Army and threatened them with sanctions. On the eve of the summit, (President Xi Jinping) sent a delegation to negotiate with us. We were able to reach an agreement that actually had some impact for a number of years, before things fell apart with China in general, because we were using all the tools we had.
We didn't make it a cyber problem; we made it a problem for the overall US-China relationship. President Barack Obama said at the time, "Look, this is a problem large enough to be a core issue in our relations, and we are ready to accept friction in the entire US-China relationship." We must do the same with other countries, including Russia.
Now there are not as many levers to pull with Russia as there are with China. China cared – at least back then – more about its global reputation. But we haven't really gone after the things that Putin cares about, like his own cash flows. We can look at other areas outside the cyber realm that Putin wants; you will only change his behavior with things he wants or wants to avoid. We haven't used all the tools we can.
What you need is a sustained, strategic effort. And not only through us, but (also) together with others to increase the pressure – Germany, Europe, Great Britain. The G7 made a very strong statement about this, and NATO had strong statements about it, which I think are good.
You can even think about other capabilities, like U.S. Cyber Command tools, that might be used to disrupt these groups, much like what was done to the Internet Research Agency (the Russian troll farm that spreads political propaganda) during the 2018 election, apparently, according to documents that "leaked."
You have to be very, very careful. You don't want to violate international law. You have to worry about escalation. But you could say to Russia, "Look, act, and if you don't, maybe we will have to take action." That must at least be on the table.
Is it part of the challenge that this is a certain gray area when it comes to international or even national laws?
These ransomware attacks are against US law. If we can get our hands on these guys, we could clearly prosecute them. There are gaps where countries don't have good cybercrime laws. We have been pushing on this for a long time. But that's not really the issue here. In this case, it's more of a safe-haven problem.
You also mentioned the United Nations and its norms, but are they just one step behind all of these ransomware groups?
The United Nations focuses mainly on nation-state activities. It's about things like: "Don't attack a country's critical infrastructure in peacetime, don't go after emergency response teams or things like ambulances or hospitals, don't interfere with the supply chain." To the extent that a state is complicit in these activities and uses a group as a proxy, those rules of the road apply.
At the UN level there is still work to be done on what international law is in this area, what the rules are for dealing with nation-state activities. But these ransomware attacks are criminal activity. And it's illegal for them to do this.
So one way to stop these ransomware attackers from doing so is to put this systematic and strategic international pressure on their hosts like Russia. But are there other ways to punish these groups?
The reason these groups do this is because they can get money easily. And the risk is very low. Why shouldn't criminals do this? And when other criminals see how successful these groups are, more will come.
If we make it much harder for them to get money, they will likely move on to something else and move away from this. But we haven't done that.
Now there are complications. This was one area where our Ransomware Task Force – which consisted of around 60 people, including former government officials, people in the insurance industry, and people in security companies – was unable to reach consensus. There were some who said, "Cut off the money and you will cut off the groups." There were others who said that if we did that, it would hurt the victims more. It is a hardship – perhaps not for the large companies that can afford it, but for the small and medium-sized companies.
So what we are proposing in the report is some kind of glide path, including providing resources to businesses to help them not pay the ransom but get their systems back on track.
We also said that there are certain things that should be in place. For example, we believe there should be an obligation to report ransomware payments. There is none now, and we are not even aware of many of the ransomware events that are happening. This also helps governments, law enforcement and others track them down, as you would need to provide details of what you were asked for, how you transferred the money, what they took, things that will aid law enforcement efforts, either in the hunt for these people or in disrupting their operations.
Victims should consider alternatives before paying. I think one of the problems is that companies aren't prepared, but there are resources. There is such a thing as the No More Ransom Project run by Europol (the EU law enforcement agency). One of the things they do is that they can sometimes provide decryption keys without paying the ransom. So it is important to make these resources more accessible to people.
And then there's cryptocurrency – not cryptocurrency as a thing, because whatever you think of cryptocurrency, it's here to stay – but enforcing existing obligations like know-your-customer rules, so that payments made to these criminals are harder for them to use. You have to attack this from several angles.
You mentioned some resources like No More Ransom. Are there good examples of government or private agencies working together to stop these ransomware attacks?
There have been some good multinational operations – like one that Europol was involved in and that the US was involved in – taking down part of the ransomware infrastructure, called Emotet. It was a pretty big operation, which worked for a short time. Other big security firms have been working on it, but I don't think there has been a major breakthrough.
What is the global impact of these ransom payments? In other words, when we pay these ransoms, do we know whether they are flooding into longstanding international criminal networks like drug or arms traffickers that are already wreaking havoc worldwide?
We need a better feel for this. It is very possible that this money flows into all sorts of other illegal businesses. The Treasury Department's Office of Foreign Assets Control has warned specifically: "Be careful, you could break OFAC rules by paying ransom, because it could go to some of these foreign groups that have sponsored terrorism and other things."
That caused quite a stir, because some potential victims said, "Well, how do we know?" But that is exactly the problem.
What do you think will be the turning point that will force sustainable international action?
I think we have reached a turning point. I think the turning point happened when we had the attack on the Colonial Pipeline, when it focused on things that normal people understand. It was critical infrastructure that could have resulted in death and injury. I think that changed the game and got people's attention.
Ransomware was high on the G7 agenda. I've been to the G7 before, and you know how these groups work – it usually takes six or eight months to get something on the agenda. That it suddenly pops up when you have climate change and Covid as your main themes is quite remarkable. And then the NATO and Putin summits, where it was high on the agenda.
And then in the United States the Department of Justice has worked on it. The Department of Homeland Security started a 60-day "sprint" that focuses on this. I think the White House is really focused on it. They made these commitments in forums like the G7 and NATO, which were discussing national plans for the future. I think the US and other countries now view this as a national security issue.
But we are not yet ready to respond fully. Still, the wheels have started turning; they're moving relatively quickly to get there. It will take a while. We won't be able to solve this overnight. It will take continued work and pressure.