On Wednesday, as United States president Joe Biden and Russian president Vladimir Putin prepared to meet in Geneva, Ukrainian law enforcement announced the arrest of six suspects allegedly tied to the notorious Cl0p ransomware group. In collaboration with South Korean and US investigators, Ukrainian authorities searched 21 residences in and around Kyiv, seized computers, smartphones, and servers, and recovered the equivalent of $184,000, believed to be ransom money.
The Cl0p arrests constitute an all-too-rare success story as the ransomware crisis continues to spiral. The group has racked up several high-profile victims since 2019, including Stanford University Medical School, the University of California, and the South Korean ecommerce giant E-Land. And the hackers seem to collaborate with or have ties to other cybercriminal organizations, including the financial crimes group FIN11 and the malware distribution organization dubbed TA505. The collaborative law enforcement process that led to the takedown, though, also underscores why stopping the broader ransomware threat remains a distant dream. Ukraine was willing to help this time, but until Russia does the same very little will change.
The majority of ransomware actors who have been wreaking havoc in recent months operate out of Russia, including Ryuk, which went on a massive hospital-hacking spree in the United States last year, DarkSide, which took down the Colonial Pipeline in May, and REvil, which recently hit the global meat supplier JBS and Apple supplier Quanta Computer. The US Department of Justice has indicted Russian ransomware actors but struggles to apprehend them. And Putin has said openly for years—including an oft-cited 2016 interview with NBC—that as long as cybercriminals aren’t breaking Russian laws, he has no interest in prosecuting them.
Photograph: Cyberpolice Department of theNational Police of Ukraine
“If you have any region in any country where you have lax law enforcement, sure enough people who want to do illegal things will show up there,” says Craig Williams, director of outreach at Cisco Talos. “We have these regions not just in Europe but in regions like South America where we have effectively safe havens for cybercriminals to operate. So what we end up with is this pattern of aggression that’s being allowed to be carried out online against private businesses and civilians with really no end in sight.”
Russia’s blind eye toward cybercrime has been a problem for years, but the Kremlin’s brazen state-sponsored hacking, from election meddling to expansive espionage operations, has typically drawn more attention. Over the past 18 months, though, the severity and frequency of ransomware attacks around the world has morphed from a consistent problem to an urgent crisis. Attacks on critical infrastructure and supply chains have painted a dire picture of just how far ransomware attackers will go to make money.
Tracking down the culprits often isn’t as big an obstacle as apprehending them. The US has indicted multiple Russia-based hackers and even managed to seize millions of dollars of the ransom Colonial Pipeline paid. But acting on that information typically requires international cooperation. Russia does not have an extradition treaty with the US and seemingly goes out of its way not to help. In fact, the Department of Justice didn’t bother asking for assistance from Russian law enforcement in tracking the Colonial Pipeline hackers, said John Demers, the assistant attorney general for national security, in a talk recorded June 3 and released Wednesday.