10 July 2021 — Moon of Alabama
Ransomware attacks continue to disrupt many businesses. Earlier this month an attack through Kaseya VSA, a remote management software, disabled several managed service providers and some 1,500 of their customers. Their data was encrypted and will only be restored if they pay the demanded ransom.
Such attacks are increasing because they are easy to do and carry little risk. The basic platforms for specific attacks can simply be rented from underground providers:
“I think what most people think about when they think of a stereotypical hacker is somebody that’s in-depth into coding,” the officer said. “It has changed now in that it used to be that you had to be very technically adept to be a hacker, but the way the cyber market or cyber underground has evolved is a lot of those things have become services now.”
The industry has diversified, he said.
“Those network attackers, instead of profiting themselves, are now renting out their services and their expertise to others and that’s where we see this amplification,” the officer said. “It’s others renting out the services now. It unlocks another class of folks that can be opportunistic and take advantage of bad cyber hygiene.”
Some of the rentable ransomware services, like REvil, are run by Russian-speaking groups. But that does not mean that the people who use them are from Russia or that the attacks are launched from Russian territory. The last big bust that hit the command and control servers of the alleged ‘Russian’ Emotet cyber crime service took place in the Ukrainian capital Kiev. While those criminals spoke Russian, they were neither Russians nor was Russia involved at all.
Despite that, U.S. media blame all recent attacks on Russia and use them to incite the Biden administration to respond by attacking the Russian nation.
Setting the tone in this is the New York Times and its warmongering White House and national security correspondent David Sanger. On Wednesday he wrote Biden Weighs a Response to Ransomware Attacks, which he topped by Friday with Biden Warns Putin to Act Against Ransomware Groups, or U.S. Will Strike Back.
Those headlines and pieces are misleading in that they set expectations which the Biden administration is for good reasons unwilling or unable to deliver on.
The first piece, for example, says:
Mr. Biden is under growing pressure to take some kind of visible action — perhaps a strike on the Russian servers or banks that keep them running — after delivering several stark warnings to Moscow that he would respond to cyberattacks on the United States with what he has called “in-kind” action against Russia.
The ‘growing pressure’ consists of Sanger’s writeups all by themselves. The piece then quotes a number of anti-Russian hawks who suggest some very unreasonable ‘retaliation options’:
Dmitri Alperovitch, a founder of the cybersecurity firm CrowdStrike, and now the founder of the Silverado Policy Accelerator think tank, has argued that until Mr. Biden moves to cut significantly into Russia’s oil revenue, he will not get Mr. Putin’s attention.
In recent days, however, a growing number of experts have argued that the United States is now facing such a barrage of attacks that it needs to strike back more forcefully, even if it cannot control the response.
“You don’t want escalation to get out of control, but we can’t be so afraid of that that we bind our own hands,” Mr. Painter said.
William Evanina, who recently left a top counterintelligence post in the U.S. government and now advises companies, said he would advise Mr. Biden “to be bold.”
If Moscow wanted to stop Russia’s cybercriminals from hacking American targets, experts say, it would. That is why, some Russia experts argue, the United States needs to take aim at Russia’s kleptocracy, either by leaking details of Mr. Putin’s financials or by freezing oligarchs’ bank accounts.
“The only language that Putin understands is power, and his power is his money,” said Garry Kasparov, the Russian chess grandmaster and a Putin critic. “It’s not about tanks; it’s about banks. The U.S. should wipe out oligarchs’ accounts, one by one, until the message is delivered.”
Sure, let’s blow up the international banking system by manipulating the accounts of private Russian people even though we do not even know whether the criminal cyberattacks are run by Russians or from Russia.
The lede to Sanger’s most recent piece is likewise dripping with belligerence:
President Biden warned President Vladimir V. Putin of Russia on Friday that time was running out for him to rein in the ransomware groups striking the United States, telegraphing that this could be Mr. Putin’s final chance to take action on Russia’s harboring of cybercriminals before the United States moved to dismantle the threat.
In Mr. Biden’s starkest warning yet, he conveyed in a phone call to Mr. Putin that the attacks would no longer be treated only as criminal acts, but as national security threats — and thus may provoke a far more severe response, administration officials said. It is a rationale that has echoes of the legal justification used by the United States and other nations when they cross inside another country’s borders to rout terrorist groups or drug cartels.
Sure, U.S. special forces will parachute into Moscow to nab some cybercriminals who may or may not be there.
The warning that Sanger implies Biden made was never given. Biden himself is quoted in the next paragraph (emphasis in the original post on the conditional clause):
“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Mr. Biden told reporters.
There is the crucial point. The U.S. does not know who made those attacks or where they were actually controlled from. It has not given Russia any names or evidence that Russia could act on. The Kremlin readout of Biden’s call with Putin explicitly makes that point:
In the context of recent reports on a series of cyberattacks ostensibly made from Russian territory, Vladimir Putin noted that despite Russia’s willingness to curb criminal manifestations in the information space through a concerted effort, no inquiries on these issues have been received from US agencies in the last month.
At the same time, considering the scale and seriousness of the challenges in this area, Russia and the US must maintain permanent, professional and non-politicised cooperation. This must be conducted through specialised information exchange channels between the authorised government agencies, through bilateral judicial mechanisms and while observing the provisions of international law.
The leaders emphasised the need for detailed and constructive cooperation in cybersecurity and for the continuation of such contacts.
Russia has long suggested setting up deeper talks and a treaty on cybersecurity issues. In a short exchange with the media, President Biden said that meetings about these will now take place:
Q: Sir, what are the consequences for Putin if he does not step up against cyberattacks?
THE PRESIDENT: Well, we set up a committee — joint committee. They’re meeting on, I think, the 16th. And I believe we’re going to get some cooperation. Thank you.
Q: Mr. President, what do you expect President Putin (inaudible) — what do you expect him to do? What are those actions?
THE PRESIDENT: It’s not appropriate for me to say what I expect him to do now. But we’ll see.
Those responses seem far from the belligerence the NYT’s Sanger tries to convey.
The problem of crippling ransomware attacks will only increase and blaming Russia for them will not change that fact. The most basic tool that enables such criminal cyberattacks is the exchange medium through which ransom payments are made:
Let me paint a picture of a bleak future, that seems to be racing towards us much faster than the public may know about. It’s a future in which ransomware and mass data theft are so ubiquitous they’ve worked their way into our daily lives.
[W]hat is new is that the level of these attacks has gone parabolic in the last few years because of one simple fact.
With the addition of bitcoin to the problem it’s insanely profitable, low-risk, and almost the perfect crime.
It’s also a very real economic tool that nation states can use to disrupt each other’s infrastructure.
The singular reason why these attacks are even possible is due entirely to the rise of cryptocurrency. Consider the same situation on top of the existing international banking system. Go to your local bank branch and try to wire transfer $200,000 to an anonymous stranger in Russia and see how that works out. Modern ransomware could not exist without Bitcoin; it has poured gasoline on a fire we may not be able to put out.
It is not only bitcoin but also a number of other cryptocurrencies that have no real justification to exist. But there are transition points from real money to cryptocurrencies and back where the problem can be tackled:
Cryptocurrency exchanges are the channel by which all the illicit funds in this epidemic flow. And it is the one channel that the US government has complete power to rein in and regulate.
The free flow of money from US banks to cryptocurrency exchanges is the root cause of this pandemic and needs to halt.
Through sanctions, control of the SWIFT network, and our allies in NATO the federal government has all the tools to put a stop to these illicit flows. Nothing of value would be lost by shutting off the spigot of dark money and darknet trade.
Cryptocurrencies are almost entirely used for illicit activity, gambling and investment frauds, and on the whole have no upside for society at large while also having unbounded downside and massive negative externalities.
A shutdown of cryptocurrencies would disable the safe payment medium that criminal ransomware attackers currently use. All other payment methods require some physical interaction or in-person verification. Using those would increase the risk for cyberattackers immensely.
The good news is that the Biden administration has caught on to this. Last week the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger remarked on it:
Neuberger described the Administration’s ransomware strategy, which includes several lines of effort: disruption of ransomware infrastructure and actors by working closely with the private sector; international cooperation to hold countries that harbor ransom actors accountable; expanding cryptocurrency analysis to find and pursue criminal transactions; and the federal government’s review to build a cohesive and consistent approach towards ransom payments.
A background briefing about yesterday’s Biden-Putin call also touched on this:
This is more than just a conversation that’s taking place between the two leaders, President Biden and President Putin. This is really about our own resilience, as a nation, in the face of these attacks, and strengthening that. That’s what the cybersecurity executive order was largely about.
It’s about addressing the challenges posed by cryptocurrency, which provides fuel for these sorts of transactions.
A ransomware attacker may sit in Kyrgyzstan, use a Swiss proxy network to access rented servers in Canada from which a ransomware cyberattack is launched by using tools that were developed in Estonia but are managed from Spain. There are ways and means to hide such routes and to fake the involved nationalities. To then blame Russia or any other country for such attacks or to threaten a response against nation state assets is warmongering nonsense.
The Kaseya VSA attack shut down 800 local food shops of the Swedish chain Coop for over a week. Millions of people were affected by that in their daily lives. With more and more information technology involved in our daily lives, we no longer have the ability to avoid ransomware attacks and their consequences.
What can be done is to disable the cryptocurrency payment channel that attackers use with little to no risk. While this may not completely solve the problem of widespread ransomware attacks, it will at least make it more manageable.