Can Diplomacy Win the Fight against Ransomware?

Published by:
Security Alliance
Published on:
June 15, 2021

The Biden-Putin summit and its implications for the global cyber threat landscape

Overview

In recent months, the already fraught US-Russia relationship has been marred by numerous tensions, including Russian military pressure on Ukraine, ongoing cyber-enabled espionage and election interference activity and – most recently – several high-profile attacks against US CNI entities by cybercriminals operating on Russian soil. Despite these tensions, there have been glimpses of cooperation, embodied by the announcement of a summit between Presidents Biden and Putin, scheduled for June 16th 2021. As well as showcasing a public desire to cooperate and repair US-Russia relations, the summit will be an important opportunity to raise and discuss significant issues impacting that relationship.

This blog will discuss some of these issues, exploring potential solutions and likely pitfalls and considering how these issues might affect the cyber threat landscape.

Executive Summary

Impact on ransomware attacks unlikely - Biden is unlikely to be able to pressure or convince Putin to take effective action to limit the activities of ransomware groups operating from Russian soil. Any agreements reached would also likely necessitate significant US concessions that would be unacceptable to the President. However, strong, coordinated Western action against ransomware personnel and infrastructure may be an effective short-term deterrent and negate the need for Russian cooperation. In the long term, vulnerable entities will have to take significant steps to bolster their cyber security posture to continue deterring ransomware attacks.

Continued cyber-enabled disinformation likely - US concessions over Nord Stream 2 sanctions provide another axis of Kremlin pressure on Ukraine. Russia is therefore highly likely to continue using cyber-enabled activity in support of its wider objective of reasserting control over Ukraine.

Sanctions alone may be ineffective - It is too early to determine the effects of targeted sanctions and economic pressure in response to the SolarWinds compromise and election interference, and whether such measures will be sufficient in deterring similar behaviour in the future. From a strategic perspective, it is highly likely the Kremlin will continue its espionage and influence efforts against what it perceives to be adversarial states, although public revelations about its activities may incite alterations to its methodologies.

De-escalation possible - Whatever the outcome of the summit, it is an important opportunity to de-escalate tensions between the two nations and publicly affirm at least partial willingness – on both sides – to be seen to cooperate.

Ransomware – Is Diplomacy Enough?

Thanks to a number of high-profile incidents, ransomware will be a priority topic at the summit. In May 2021, Russia-based cybercriminal groups targeted several entities forming key parts of US critical national infrastructure, including a gas pipeline company supplying almost half of the East Coast with energy and a large-scale meat supplier. Causing a short-term fuel shortage, these incidents also highlighted the burgeoning national security threat that ransomware has become.

In response, the White House ordered a strategic cyber security review, aiming to bolster public and private sector cyber security and threat intelligence and laying out plans for public-private cooperation – both intra- and internationally – to disrupt ransomware infrastructure. The US also pointed the finger at Russia: while acknowledging the Kremlin was not directly involved with the above incidents, Washington’s comments that ‘responsible states do not harbour ransomware criminals’ clearly criticise Moscow’s de facto practice of allowing cybercriminals to operate from within their borders with apparent impunity.

Putin reacted to these comments with predictable scorn, dismissing them as ‘absurd’ and a mere attempt to discredit Russia ahead of the June 16th summit. Putin has since stated that he might be willing to extradite Russian cybercriminals, if – and only if – the US committed to a formal agreement and was willing to extradite US cybercriminals to Russia. It is unclear whether such an agreement would come about: extradition conditions are likely to be unacceptable for Biden, particularly given Russia’s recent treatment of opposition leader Alexei Navalny and the country’s poor human rights record.

As a side note, Russia’s whataboutism also serves to downplay the activities of Russian cybercriminals by suggesting US-based cybercriminals act on the same scale with the same impunity (although it is less prominent and less publicly visible, it is highly likely that cybercriminals operate from within the US and target foreign assets, including those belonging to Russia). The Russian government has also recently criticised Washington’s treatment of those arrested for the Capitol Hill riot on January 6th 2021. Seeking to create a false equivalence between Russian and US behaviour plays into Russia’s hands at the summit, enabling Moscow to attempt to take the moral high ground where none exists.

Despite Biden’s strong rhetoric, he is therefore unlikely to be able to convince the Russian leader to take definitive and effective action against ransomware groups working within Russia’s borders. From a Western perspective, Moscow largely benefits from the activities of these groups: the general ‘no eating in Russia’ policy ensures most Russian assets are off-limits, while attacks on Western CNI highlight vulnerabilities and weaknesses and serve to embarrass Russia’s adversaries with little effort from, or threat to, the Russian state itself. At the same time, an apparent lack of retaliatory public action from Western-based cybercriminals creates a parallel perception of Russian strength and superiority in the same domain.

Diplomacy alone is therefore unlikely to sufficiently address the ransomware threat. The US has other options to mitigate the ransomware threat, such as the application of national capabilities to disrupt ransomware operators’ infrastructure and revenue collection processes. There is some indication that suspected state action against the group responsible for the Colonial Pipeline attack, DarkSide, has served to deter other groups from similar activity in the short term, with REvil ransomware ordering their affiliates to cease targeting assets in the social and government sector until the situation ‘settles down’.

Figure 1: A screenshot from a leaked REvil admin panel shows the rationale behind new targeting restrictions, citing the need to avoid law enforcement and court action.

Washington may also consider additional action, such as banning ransomware payments – a hotly contested topic that works in theory but is complex to implement in practice. Better regulation and KYC (‘know your customer’) practices for cryptocurrency may also help disrupt the cybercriminal financing chain: ultimately, however, such measures need to be underpinned by a nationwide improvement of cyber security practices.

To summarise, Biden’s attempts to use the summit to push the Russian state to deal with ransomware criminals are unlikely to be successful, and will consequently continue to be another source of animosity in the US-Russia relationship. Nevertheless, the DarkSide and REvil examples indicate that aggressive, coordinated and public-private disruptive and potential legal action against ransomware groups and their infrastructure may be an effective, if only short-term, deterrent against the ransomware threat.

Ukraine, Energy Security and Spheres of Influence

Another key area of discussion at the summit will be Russia’s ongoing kinetic and cyber-enabled activity against Ukraine, in particular the large-scale military build-up and numerous border and ceasefire violations conducted by Russian-backed separatists observed earlier this year. Western leaders, including Biden, strongly criticised these incursions while emphasising their commitment to defending Ukraine’s sovereignty.

Washington’s stance on Ukraine is, however, complicated by the decision to drop sanctions against Nord Stream 2 AG, the corporate entity involved in the construction of the controversial Nord Stream 2 pipeline. The decision arguably strengthens relations with Germany, where the majority of political and business leaders support the pipeline, while also giving the US a greater degree of leverage when dealing with Germany in areas such as economic recovery and countering the increasingly united challenge presented to the West by China and Russia.

On the flip side, waiving sanctions is a ‘serious geopolitical victory’ for Russia. When completed, Nord Stream 2 will carry Russian gas directly into Germany under the Baltic Sea, bypassing current routes which direct gas through Ukraine and therefore depriving Kiev of lucrative transit fees. Furthermore, Kiev considers its status as a transit country and the leverage over Russia that status provides to be a core part of Ukraine’s national security.

Russia clearly plans to use the pipeline as an opportunity to increase its pressure on Ukraine: indeed, despite an existing inter-governmental agreement due to remain in place until at least 2024 committing Russia to send gas via Ukraine, Putin this month stated that transit via Ukraine would depend on Kiev showing ‘goodwill’ towards Moscow. In May 2021 Russia also announced it would bolster its military capability along the western border, amplifying the potential threat to Ukraine’s territorial integrity.

Despite the West’s numerous verbal commitments to protecting Ukraine’s sovereignty and the imposition of sanctions in response to Russian aggression, the Nord Stream 2 concessions realistically give Russia more opportunities to pressure Ukraine. It is highly likely that Russian propaganda and cyber-enabled disinformation campaigns will seek to delegitimise the Ukrainian government and pull Ukrainian public opinion away from the West by blaming Kiev and the Western powers for any future poverty potentially occurring as a result of Nord Stream 2. It is also highly likely that Russia will continue targeting Ukraine with cyber-enabled disruptive and espionage operations in support of this wider objective of establishing firm control of the former Soviet republic, with the green light on Nord Stream 2 adding yet another avenue for Kremlin leverage over Ukraine.

Spies Gonna Spy (and meddle in elections)

Among other issues, the two leaders are almost certain to discuss Russia’s cyber-enabled espionage efforts against the US and other Western powers.

The revelations about the SolarWinds breach last year, which Russian threat actors leveraged to covertly access numerous government networks, are just one example of such activity, not to mention the high-profile evidence of attempted interference in Western democratic elections.

The US has already responded to SolarWinds and election interference with far-reaching, targeted sanctions against Russian individuals and assets. The retaliation also placed restrictions on Russia’s sovereign debt. It is too early to tell what effect these sanctions will have on Russian behaviour. From a geopolitical perspective, it is highly unlikely that Russia will be deterred from conducting espionage against states and entities Moscow perceives as strategic adversaries. For example, Russia has already been linked to cyber-enabled espionage against German federal MPs and an online smear campaign targeting Germany’s Green Party candidate, who is openly opposed to Nord Stream 2 and supports sanctions against both Russia and China.

Recent revelations about a joint US-Denmark intelligence operation to spy on allies such as Angela Merkel and other senior German politicians also add fuel to the fire, with Moscow likely to use this incident to engage in whataboutism and downplay the seriousness of its own espionage efforts. Indeed, an RT article on the topic emphasised comments blaming Biden and calling the operation ‘grotesque’.

Consequently, the summit and a potential future warming of relations between Russia and the US are unlikely to deter espionage activity – from either state, and in both the cyber and physical realm – in the near- to long-term future. Similarly, Russian influence efforts against democratic elections are highly likely to continue, although detailed public discussion over Russia’s methodology, such as the two-volume Mueller Report into interference in the 2016 US election, may prompt Russian state actors to alter their tactics.

So What Can Diplomacy Achieve?

It is questionable how much this summit alone will achieve. The issues described above, not to mention others such as Russia’s support of autocratic and corrupt regimes like Belarus or increasing strategic and geopolitical coordination with China, certainly complicate the US-Russia relationship and make cooperation complex. Furthermore, real progress and real cooperation remain elusive as long as Putin’s political raison d'être relies on maintaining an all-source, multi-domain conflict with the West. The summit itself is therefore unlikely to significantly impact the cyber threat landscape, with Russia highly likely to continue its cyber-enabled espionage and disruptive activity against strategic adversaries and relatively unlikely to commit to effective action against Russia-based cybercriminals. Nevertheless, the high-profile meeting represents an important opportunity to publicly normalise relations between the two states as much as possible.