Sanctions Frustrating Russian Ransomware Actors
Russia’s invasion of Ukraine appears to be having an unanticipated impact in cyberspace — a decrease in the number of ransomware attacks.
“We have seen a recent decline since the Ukrainian invasion,” Rob Joyce, the U.S. National Security Agency’s director of cybersecurity, told a virtual forum Wednesday.
Joyce said one reason for the decrease in ransomware attacks since the February 24 invasion is likely improved awareness and defensive measures by U.S. businesses.
He also said some of it is tied to measures the United States and its Western allies have taken against Moscow in response to the war in Ukraine.
“We’ve definitively seen the criminal actors in Russia complain that the functions of sanctions and the distance of their ability to use credit cards and other payment methods to get Western infrastructure to run these [ransomware] attacks have become much more difficult,” Joyce told The Cipher Brief’s Cyber Initiatives Group.
“We’ve seen that have an impact on their [Russia’s] operations,” he added. “It’s driving the trend down a little bit.”
Just days after Russian forces entered Ukraine, U.S. cybersecurity officials renewed their “Shields Up” awareness campaign, encouraging companies to take additional security precautions to protect against potential cyberattacks by Russia itself or by criminal hackers working on Moscow’s behalf.
And those officials caution Russia still has the capability to inflict more damage in cyberspace.
“Russia is continuing to explore options for potential cyberattacks,” the Cybersecurity and Infrastructure Security Agency’s Matthew Hartman told a meeting of the U.S. Chamber of Commerce last week.
“We are seeing glimpses into targeting and into access development,” Hartman said, noting Russia has for now held back from launching any major cyberattacks against the West. “We do not know at what point a calculus may change.”
FBI cyber officials have likewise voiced concern that it could be a matter of time before the Kremlin authorizes cyberattacks targeting U.S. critical infrastructure, including against the energy, finance and telecommunication sectors.
U.S. and NATO officials on Wednesday also cautioned that it would be a mistake to think that, just because there have been few signs of “catastrophic effects,” Russia has not tried to leverage its cyber capabilities to its advantage.
“It has been happening and it’s still happening,” said Stefanie Metka, head of the Cyber Threat Analysis Branch at NATO. “There’s a lot of cyber activity that’s happening all the time and probably we won’t know the full extent of it until we turn the computers back on.”
Said the NSA’s Joyce: “If you look at Ukraine, they have been heavily targeted. What we’ve seen are a number of wiper viruses, seven or eight different or unique wiper viruses that have been thrown into the ecosystem of Ukraine and its near abroad.” Wiper viruses are malicious programs that erase the data stored on a computer.
These included a cyberattack against a satellite communications company, which hampered the ability of Ukraine’s military to communicate and had spillover effects across Europe.
But with help from the U.S. and other allies, Ukraine was able to mitigate the impact, Joyce said.
“The Ukrainians have been under threat and under pressure for a number of years, and so they have continued to adapt and improve and develop their tradecraft to the point where they mount a good defense and, equally as important, they mount a great incident response,” he said.
Some cybersecurity experts say that ability to respond might be one of the biggest take-aways, so far, from the invasion.
“Resiliency matters,” said Dmitri Alperovitch, the founder of the Silverado Policy Accelerator and the former chief technology officer of cybersecurity firm CrowdStrike, at Wednesday’s virtual forum. “The Ukrainians have gotten really, really good at rebuilding networks, quickly mitigating damage.”
Another key lesson, he said, is the limitations of cyber.
“If you’ve got kinetic options, if you can create a crater somewhere, take out a substation, take out a communication system, that’s what you’re going to prefer to use,” Alperovitch said. “That’s what’s easiest [to do] to get lasting damage.”