Russia’s promise to tackle ransomware hackers operating within its borders has yet to result in concrete action, according to one of the US’s top cyber security officials.
Anne Neuberger, deputy national security adviser to the White House on cyber threats, said the US was “looking to see near-term progress in actions” after sharing information with Moscow on ransomware gangs operating in Russia.
Ransomware attacks, in which hackers lock up the computers of their targets until a ransom is paid, have risen dramatically in recent years, and US organisations are now paying an average of $102.3m a month in reported ransoms, according to a US Treasury report on Friday.
After an attack on Colonial Pipeline, a major conduit of refined oil products on the US east coast, President Joe Biden in June warned his Russian counterpart Vladimir Putin against any cyber attacks on critical US infrastructure.
Neuberger said there had been a “lull over the summer” in attacks and that Russia had taken “some steps”, but that it was “too early to really tell” how much had changed. Neuberger, who previously headed the cyber directorate at the National Security Agency, is involved in what she said were “direct, candid” discussions with the Kremlin over ransomware.
“We shared information with Russia regarding criminal ransomware activity being conducted from their territory, and that they have committed to act against that.
“A larger government system then has to take those steps and ensure that that occurs and that’s where we’re looking to see those actions,” she said, adding that the US would continue to monitor “the most significant Russian groups” and that cyber security companies had reported some changes in the ranks and make-up of those groups over the summer.
She declined to comment “at this time” on Ilya Sachkov, the head of a Russian cyber security company who has repeatedly urged Moscow to take a harder line on hackers and who was arrested for treason last month.
Experts said Russian ransomware would continue expanding at pace, given the proliferation of both cyber hacking tools and cryptocurrency payment channels that facilitate hard-to-detect ransom payments. Paul Nakasone, commander of US Cyber Command, told a conference earlier this month he expected such attacks to occur “every single day” in five years’ time.
But John Hultquist, of cyber security company Mandiant, told a conference last week his company had seen “a lull in activity from several high-profile actors” and a reduction in activity from some ransomware groups that had previously had the most impact.
In the meantime, the US is attempting to spearhead a new international coalition of more than 30 countries to tackle the ransomware threat emanating largely from Russia as well as China and elsewhere. Neither Russia nor China was invited to join the coalition.
In two days of virtual meetings, India, Australia, the UK and Germany agreed to lead working groups designed to co-ordinate and tighten the global response to ransomware. Other participants included Ukraine, Estonia, Nigeria, Kenya, Brazil, Mexico, Switzerland and the EU.
“This meeting was really the first time ever we took that domestic strategy international,” said Neuberger, adding that the coalition aimed “to fight what is essentially a transnational criminal organisation”. She said that connecting “the dots around the world” would help disrupt money laundering networks in part by linking those who track cryptocurrency transfers with law enforcement efforts.
The group also wanted to establish a real-time, automated joint warning mechanism that would be faster than existing ad hoc methods, she said.
“Because ransomware criminals repeat their activities, more robust and real-time communication across governments can not only enhance banking capacities to mitigate the impacts of a ransomware incident, it can potentially be useful to warn countries who may then have enough time to prevent some of them,” said Neuberger.
One participant, the Czech Republic, said a warning it had received about a potential attack against 30 hospitals, following a previous attack against the country’s second-largest hospital, had enabled it to take preventive measures.
Neuberger said participants had also wanted to know more about the process that led the US last month to identify virtual currency exchange Suex as a target for sanctions.