Listen Now

Biden Tells Putin To Crack Down On Ransomware. What Are The Odds He Will?

Jun 17, 2021
Originally published on June 19, 2021 6:30 am

If you want to extort millions of dollars from a large U.S. company, you can't do it alone. It takes a village. A village of hackers with advanced computer skills, who hang out on the Dark Web, and most likely live in Russia.

"Ransomware has become a huge business, and as in any business, in order to scale it, they're coming up with innovative models." said Dmitri Alperovitch, head of the technology group Silverado Policy Accelerator in Washington.

At Wednesday's summit in Geneva, President Biden called on Russian President Vladimir Putin to crackdown on cyber crimes. But the Russian leader has shown little interest in combatting an emerging criminal industry in his country that's called ransomware-as-a-service.

Three key actors in ransomware

Alperovitch said this model is its own ecosystem that includes three key players. The top tier is made up of small gangs that make the sophisticated malware that locks up the computer systems and encrypts the data at targeted companies.

More than a hundred such groups are believed to be active, though Alperovitch estimates about a dozen are doing this on a large scale. Russia and neighboring countries account for many of the gangs, he said. The best known include DarkSide, blamed for the attack on Colonial Pipeline, and REvil, accused in the hack of the meat supplier JBS.

But, he added, "The people that are building the software are not actually the ones, most of the time, that are going to use it. They're going to recruit others."

Wendi Whitmore, a senior vice president at the cybersecurity firm Palo Alto Networks, said these malware makers figured out it's more lucrative to disseminate their crippling software through a second key group, known as "affiliates."

"What they're doing is outsourcing parts of the supply chain, and then giving these (affiliates) that they work with a cut of the profits," she said.

"Affiliates" carry out the attack

The affiliates do much of the actual work. They launch the malware attack, demand the ransom, negotiate with the victimized company, and collect the money, almost always in a cryptocurrency like Bitcoin.

As a result, the affiliates usually keep most of the money, often 75 percent or more.

Still, the affiliates can't unleash these strikes until they first gain access to a company's computer network.

This brings us to the third key group — the old-fashioned hackers, or access brokers, who find a way in. If you need these guys, you'll find them on the Dark Web.

"You go into the underground forums and there's this whole category of threat actors we call an access broker," said Adam Meyers, senior vice president for intelligence at the cyberdefense firm CrowdStrike. "And what they do all day is hacking into different businesses. And then they advertise that access. You want say, company X, it's four thousand dollars."

A small price to pay if that access then leads to a multi-million dollar ransom.

Criminals trusting criminals

Of course, all these relationships require a lot of trust among criminals hiding behind online pseudonyms.

"How do you trust someone who is fundamentally untrustworthy, who is fundamentally a thief?" said Alperovitch.

"It's very difficult to get into these criminal forums. You kind of have to prove that you're a criminal by committing some act of cybercrime," he added. "They validate that you're not law enforcement. That's been a huge problem for them in the past."

Another potential pitfall is success — or more precisely — too much of it.

Ransomware groups that repeatedly pull off big heists quickly develop a reputation. While the hackers may be protected by living in a country like Russia, they still draw attention from Western cybersecurity companies and law enforcement.

These successful groups sometimes disband temporarily and lay low — only to later resurface later under a different name.

"It may be a new group, and a new team with a new coach, but they've got very capable team members," said Wendi Whitmore.

In a new report on the costs of ransomware, the firm Cybereason found that the costs of recovering from an attack often far exceed the ransom payment itself.

A survey found that even when the hackers provided a "key" to unlock data following a ransom payment, information was corrupted in nearly nearly half the cases. Also, about two-thirds of companies reported significant drops in revenue following an attack.

Biden's warning

At Wednesday's summit, Biden said he would respond if the U.S. continues to be hit, especially in a critical industry, like energy supplies of the water system.

"Responsible countries need to take action against criminals who conduct ransomware activities on their territory," Biden said at a news conference immediately following the summit.

Russian hackers already take precautions not to hit organizations in their homeland or in friendly countries. Putin could tell Russian hackers to cut out the attacks on the U.S. if he wants to, said Alperovitch.

"They're not part of his inner circle. They're not generating any significant revenue for the Russian state," Alperovitch noted. "So this is the one issue that, if pressed on, Putin can actually give on, and and we can get some concessions."

So will he? Biden said he expects the answer to be clear within a few months.

Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

AUDIE CORNISH, HOST:

President Biden called for a crackdown on cyberattacks at his summit yesterday with Vladimir Putin, but the Russian leader has shown little interest in combating an emerging criminal industry in his country that's called ransomware as a service. You can think of it as an ecosystem comprised of small groups of hackers with a range of specialized skills who find each other in the dark corners of the internet. NPR's Greg Myre breaks it down for us.

GREG MYRE, BYLINE: If you want to extort millions of dollars from a large U.S. company, you can't do it alone. It takes a village, a village of hackers with advanced computer skills who hang out on the dark web and most likely live in Russia.

DMITRI ALPEROVITCH: Ransomware has become a huge business. And as any business, in order to scale it, they're coming up with innovative models.

MYRE: Dmitri Alperovitch is head of the technology group Silverado Policy Accelerator. He says this model is ransomware as a service and includes three key players. The top tier is made up of small gangs. They make the sophisticated malware that locks up the computer systems that targeted companies. He estimates a dozen or so of these groups are doing this on a large scale. The best-known include DarkSide, blamed for the attack on Colonial Pipeline, and REvil, accused in the hack of the meat supplier JBS. But he adds...

ALPEROVITCH: The people that are building the software are not actually the ones, most of the time, that are going to use it. They're going to recruit others.

MYRE: Wendi Whitmore of the cybersecurity firm Palo Alto Networks says these malware-makers figured out it's more lucrative to disseminate their crippling software more widely through a second key group known as affiliates.

WENDI WHITMORE: What they're doing is outsourcing parts of the supply chain, essentially, and then giving these organizations that they work with a cut of the profits.

MYRE: The affiliates do much of the actual work. They launch the malware attack, demand the ransom, negotiate with the victim company and collect the money - almost always in a cryptocurrency like Bitcoin. As a result, the affiliates usually keep most of the money - often 75% or more. Still, the affiliates can't unleash these strikes unless they first gain access to a company's computer network. This brings us to the third key group - the old-fashioned hackers or access brokers who find a way in. If you need these guys, you'll find them on the dark web.

ADAM MEYERS: You go into the underground forums and there's this whole category of threat actor we call an access broker.

MYRE: Adam Meyers is with the cybersecurity company CrowdStrike.

MEYERS: And what they do all day is hack into different businesses. And then they advertise that access. You want into company X? It's $4,000.

MYRE: A small price to pay if that access leads to a multimillion-dollar ransom - of course, all these relationships require a lot of trust among criminals hiding behind online pseudonyms.

ALPEROVITCH: How do you trust someone who is fundamentally untrustworthy, who is fundamentally a thief?

MYRE: Again, Dmitri Alperovitch.

ALPEROVITCH: It's very difficult to get into these criminal forms. You kind of have to prove that you're a criminal by committing some act of cybercrime and validate that you're not law enforcement. That's been a huge problem for them in the past.

MYRE: At Wednesday's summit between Biden and Putin in Geneva, the American president said he would respond if the U.S. continues to be hit, especially in a critical industry like energy supplies or the water system.

(SOUNDBITE OF ARCHIVED RECORDING)

PRESIDENT JOE BIDEN: Responsible countries need to take action against criminals who conduct ransomware activities on their territory.

MYRE: Putin could tell the Russian hackers to cut it out, says Alperovitch.

ALPEROVITCH: They're not part of his inner circle. They're not, you know, generating any significant revenue for the Russian state. So this is the one issue that, if pressed on, Putin can actually give on.

MYRE: So will he? Biden says he expects the answer to be clear within a few months. Greg Myre, NPR News.

(SOUNDBITE OF THE FLAMING LIPS SONG, "ARE YOU A HYPNOTIST??") Transcript provided by NPR, Copyright NPR.