Ransomware hackers remain largely out of reach behind Russia’s cybercurtain

A close-up of the inside of a computer
Cybersecurity experts say a worldwide pressure campaign would be needed to curtail the ransomware attacks.
(Associated Press)

U.S. authorities are running into a major obstacle in holding hackers responsible for an onslaught of ransomware attacks: The extortionists remain out of reach in Russia, safely ensconced behind a cybercurtain as difficult to penetrate as the iron one that defined the Cold War.

Recent high-profile ransomware assaults have added urgency to U.S. government efforts to combat Russia-linked hackers who have disrupted East Coast U.S. fuel supplies, raised fears about nationwide meat shortages and exposed sensitive files from a Southern California police force. The problem, Justice Department officials say, is that the Kremlin believes it benefits from allowing such hackers to target U.S. interests, gathering valuable intelligence in the process.

“The criminal hacking the Russian government is willing to tolerate and take advantage of is beyond what we see in virtually every other country,” said John Demers, the Justice Department’s top national security prosecutor who has battled ransomware since 2017. “It is very difficult to stop hacking when it is occurring in a country that is more than just tolerating it, but is quite happy with it.”


President Biden is expected to discuss Russian ransomware attacks with allies during his European trip, hoping to find common ground in confronting the Kremlin. Advisors say he will also seek to pressure Russian President Vladimir Putin during a June 16 meeting in Geneva to rein in hackers.

Biden issued an executive order last month that White House officials say will enhance cybersecurity of federal government networks and enhance security standards for commercial software.

The Justice Department is also seeking new ways to combat what a top agency official called an “epidemic” and Atty. Gen. Merrick Garland told Congress was a “very, very serious threat” that is “getting worse and worse.” The FBI on Monday managed to recover $2.3 million in difficult-to-trace cryptocurrency that a pipeline company paid in ransom to Russia-linked hackers to unlock its systems, a move that Monaco said showed the Justice Department will use “all available tools to make these attacks more costly and less profitable for criminal enterprises.”

Cybersecurity and foreign policy experts are less than sanguine the Biden administration efforts will put a real dent in ransomware assaults launched from Russia. Curtailing the attacks, they say, will require a worldwide pressure campaign that has yet to materialize because previous U.S. administrations and foreign governments didn’t take the threat seriously enough or feared intensifying tensions with Putin.

“The Russians have to be afraid of us,” said James Lewis, a senior vice president at the Strategic Technologies Program at the Center for Strategic and International Studies.

The Russian government, for its part, has denied it directs cybercriminals to attack U.S. interests, or protects them from U.S. prosecution. Putin told Russian state TV Channel One last week that accusing his government of involvement was ridiculous.

“It’s just nonsense, it’s funny,” Putin said. “It’s absurd to accuse Russia of this.”

U.S. officials allege Russians have long garnered support from a government that encourages their work because it generates intelligence for spy services and sows chaos and confusion in the West.

Experts pointed to the case of Maksim Yakubets, 34, as an example of a hacker seeking to profit from his crimes while helping out Moscow. In late 2019, the U.S. government indicted the flamboyant Ukrainian-born and Russia-based hacker, a leader of a cybergang called Evil Corp, on charges he helped develop malware that was used to steal tens of millions of dollars from banks and other financial institutions. Some of the malware created by Yakubets assists in the installation of ransomware, authorities say.


The Treasury Department went further when it announced sanctions on Yakubets, alleging he worked for a Russian intelligence organization and “provided direct assistance to the Russian government.” Starting in 2017, he was tasked by the Kremlin, the Treasury Department alleged, to acquire “confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.”

Yakubets, who resides in Russia, could not be reached for comment.

Hackers in Russia have spent decades penetrating computer networks of retailers, banks, hospitals, and other businesses to steal sensitive personal information to sell on the black market, cybersecurity experts say. About 10 years ago, hackers began turning to ransomware, a shift that cybersecurity experts likened to a U.S. crime wave in the 1920s and 1930s in which gangsters turned from robbing banks to more profitable and easier kidnappings.

It’s a fairly simple scheme. Hackers trick people into clicking on an attachment or a link in an email that contains malware. The malware infects the servers and encrypts the data, locking out legitimate users, and hackers then demand a ransom payment in exchange for a key that reopens the networks.

Thanks to the popularity in difficult-to-trace cryptocurrencies, the crime has steadily proliferated. In 2015, the FBI reported, U.S. victims paid about $25 million in cyber ransom. By 2020, such victims paid at least $350 million in ransom to hackers, a 300% increase over the previous year, according to a report issued by the Institute for Security and Technology.

Hospitals, school systems and police departments are frequent victims because they either rely heavily on digital records or have relatively lackluster defenses. Cybersecurity experts say hackers also target companies that operate critical U.S. infrastructure, which often have deep pockets and face immense pressure to limit disruption of their services.

“Russia loves this kind of hack because it disrupts everyday life for Americans,” said Frank Montoya, a former FBI counter-intelligence agent.

Colonial Pipeline, which supplies about 45% of the jet fuel, gasoline and heating oil consumed on the East Coast, last month paid $4.4 million in bitcoin to hackers to unlock its networks after it was taken over by ransomware.

The FBI said the hackers relied on malware provided by DarkSide, a Russia-based cybercrime group that sells hackers malware in exchange for a cut of ransom proceeds; Biden said the hackers were also believed to be located in Russia.

On June 2, the bureau attributed a ransomware attack on the U.S. and Australian computer servers of JBS, the world’s largest meat supplier, to a notorious Russia-linked cybergang that goes by the name REvil or Sodinokibi. The hack forced the company to idle plants, raising concerns about potential surges in meat price and shortages. JBS issued a statement on Wednesday saying it paid $11 million in ransom.

Identifying such hackers is not easy, former federal agents say. Capturing them is even tougher. Moscow refuses to extradite cybercriminals, and it alerts them when U.S. authorities file arrest warrants with international police agencies, former law enforcement officials said.

The Justice Department has successfully extradited 18 Russian hackers of the dozens wanted on computer crime charges — when they slipped up and visited other countries on vacation or business, officials said.

Yet even when such hackers are arrested outside Russia, they don’t always end up in U.S. courtrooms. Russia exerts enormous political pressure on foreign governments to block extradition to the U.S., and it has lodged competing charges in the hopes of convincing judges to send citizens home, where prosecutions are quickly dropped, according to former federal law enforcement officials.

Alexsey Belan, a Russian national, was arrested in Greece in 2013 on U.S. hacking charges but managed to make bail and slipped back to Russia, with Moscow’s assistance, federal law enforcement officials say.

Back home, Belan allegedly wasted no time getting back to his computer terminal. He was was indicted in the U.S. in 2017 on charges of orchestrating the massive security breach of Yahoo. Information from more than 500 million accounts were stolen in the cyberattack, which an indictment alleged was directed by two Russian government agents.

Robert Anderson, a former top FBI official, said that combating Russian hackers was among his most challenging jobs at the bureau.

“It is difficult to address this when the line between state and criminal is so blurry,” he said.