Russian President Vladimir Putin and US President Joe Biden have agreed to develop a cyber-security arrangement between the two countries after discussing the issue of ransomware at their summit in Geneva.
Mr Biden says he and Mr Putin will start consultations “to begin to bring some order” after recent high-profile attacks by criminal gangs on critical US companies.
But talks are likely to be complex after both sides disagreed about who was to blame for the growing problem of ransomware.
President Biden says he raised a recent attack which took a major US fuel pipeline offline with Mr Putin.
The attack was carried out by hacker group Darkside, which is suspected to be Russian.
Mr Biden says he gave Mr Putin a list of 16 specific critical entities that should be considered “off-limits” from future cyber-attacks.
However President Putin told reporters that the Colonial Pipeline attack and others have “nothing to do with Russian authorities”.
Mr Putin also claimed he had been told by US sources that most cyber-attacks originate from the US, and that Russian attempts to get information about attacks originating from the US are being ignored.
What evidence is there that many ransomware gangs are based in Russia?
The anonymous nature of the cyber world means it is often hard to know exactly who is doing the attacking and from where.
However, over the last few years an undeniable pattern has been observed by experts that points in one distinct direction.
“The intelligence and research community believes that the attacks are coming from former Soviet block countries, namely Russia, Ukraine, and others”, says former Russian hacker and now cyber-security expert Dmitry Smilyanets.
“There are multiple indications proving that point.”
Dmitry Smilyanets and other experts point towards four distinct pieces of evidence:
- Most of the major groups advertise their malicious software products exclusively on Russian-speaking hacker forums on the dark web.
- Hacker groups predominately operate in Moscow business hours and generally go quiet during Russian public holidays.
- In many cases the code of the ransomware software also has specific instructions baked into it that automatically prevent attacks on computer systems that use Russian keyboard configurations.
- There are very few known victims of ransomware in Russia, or former Soviet states, in comparison to western countries.
“Covert engagement and clandestine operations aimed at ransomware operators and affiliates are also providing extraordinary intelligence,” Mr Smilyanets who works for cyber-defenders Recorded Future says.
“Their knowledge and attribution are very accurate and support the findings of cyber-researchers also looking into this area”.
In 2019 two Russian individuals were indicted by US and UK authorities accused of running the Evil Corp ransomware gang but both men remain free in Russia.
Putin claims Russia also facing ransomware attacks
In his press conference, President Putin told reporters that Russia regularly faces ransomware attacks and cited the example of a Russian healthcare service being hit by hackers, which he claimed was carried out by US hackers.
However, Dmitry Smilyanets says he thinks it’s unlikely this incident would have been ransomware or news of any resulting disruption would have been public.
The reason there are so few ransomware attacks on Russia and the former Soviet states is often put down to the much discussed ‘One Rule’ of Russian hacking – which means you can go after anyone as long as they are not on friendly soil.
Ransomware is a global business
There’s no doubt that ransomware gangs are operating in many other countries.
Hackers in North Korea for example were responsible for the most serious ransomware attack in history that impacted hundreds of NHS hospitals in the UK in 2017.
On the same day as the Geneva summit, six suspected criminals were arrested in Ukraine for alleged links to a ransomware group called Clop.
The individuals are being accused of being involved with attacks against organisations in the US and South Korea.
Another suspected hacker was arrested in Canada in January for his alleged involvement with another ransomware group called Netwalker.
However, none of these recent arrests are thought to have seriously harmed the core criminal enterprises of these well-funded and lucrative ransomware hacking networks.
Most experts agree that the epicentre of this destructive and lucrative criminal industry which is currently ripping through the world originates from Russia and its former Soviet neighbours.