You may recall in June we speculated that ransomware would be on President Biden’s agenda when he met President Putin in Geneva. We suggested that ‘the Biden administration is likely to use the opportunity to put further pressure on the Russian government to assist in closing down the criminal networks benefitting from ransomware attacks’ (Will Ransomware be on the Agenda for the G7 Summit?). As it turned out, President Biden reminded his counterpart that nations have a responsibility not to harbour criminals and warned him that the US’s national infrastructure was “off limits” to cyber crime.
This week’s development brings to mind the proverb that actions speak louder than words: REvil’s online infrastructure went dark shortly after the ransomware group claimed responsibility for the attack on Kaseya, whose remote-management software is used by managed service providers (MSPs). Striking at the start of the Independence Day weekend, as IT teams across the U.S. set off on holiday, the attack is estimated to have reached around 1,500 organisations in over 20 countries. The fact that REvil chose to compromise the software supply chain of MSPs, using each MSP’s access to its client base as a force multiplier, may well have tipped the balance towards action. Observers have commented that REvil’s activities were somewhat cavalier and that the group may have inadvertently overstepped a red line, particularly given Biden’s renewed vow to protect critical infrastructure following the Geneva meeting and a year of high-profile cyber-attacks against the U.S.
It is not clear (and may never be) whether the criminal group was disrupted by the Russian authorities, by US law enforcement agencies, or by both, or indeed whether REvil simply decided that discretion was the better part of valour. Biden’s most recent comments to the press on the matter, in which he confirmed that Russia would face consequences for the latest round of Russia-based cyber-attacks, offer no insight into or confirmation of any action actually taken. Although it would be safe to conclude that this is unlikely to be the last we hear of the group, the US has demonstrated that ransomware attacks carry risk for the attacker too. US law enforcement’s recovery of roughly $2.3 million (63.7 bitcoin at the time of seizure) of the DarkSide ransom extorted from Colonial Pipeline is a further demonstration of this.
What is not subject to speculation, however, is the improved line of communication between the White House and the Kremlin established in the wake of the Geneva meeting. This allowed President Biden to contact President Putin directly after the Kaseya attack to express his deep concern and demand action. Whether Russia responded may be a moot point, but the fact that a channel is now open between the two countries specifically to tackle the transnational problem of cybercrime is a welcome development. It may lead to further disruption of criminal networks in the future, or at least serve to slow the ransomware epidemic in the short term. And ultimately, regardless of the cause, for the time being there appears to be one fewer threat actor operating in the world, which is something of note.