U.S. Cyber Czar: Too soon to tell if Russia ransomware has stopped
Martin Matishak September 9, 2021

U.S. Cyber Czar: Too soon to tell if Russia ransomware has stopped

U.S. Cyber Czar: Too soon to tell if Russia ransomware has stopped

A top U.S. cybersecurity official said on Thursday that it was too soon to tell whether Russian ransomware gangs have let up their assault on U.S. targets.

“We have… seen that those attacks have fallen off. We’ve seen that those kinds of syndicates had, to some degree, deconstructed,” National Cyber Director Chris Inglis said during a panel discussion at the Ronald Reagan Institute in Washington, DC. “But I think it’s a fair bet that they have self-deconstructed, essentially gone cold and quiet, to see whether the storm will blow over and whether they can then come back.”

“I think it’s too soon to say that we’re out of the woods,” he added.

Inglis’ comments come days after the notorious digital group called “REvil” — which is widely believed to operate out of Russia and was responsible for the ransomware attack on meat processor JBS — reappeared online, months after it launched an attack against software company Kaseya that affected thousands of businesses worldwide.

Chris Inglis

The website, called the Happy Blog, was one of the many servers that REvil members utilized but it shut down on July 13. Many interpreted the move to mean the group had broken up or might be readying to unveil a new ransomware operation under a different moniker to confuse U.S. and international law enforcement.

On Thursday, cybersecurity firm Recorded Future, which owns The Record, issued a report that found a cozy relationship between the Russian military and intelligence officials and ransomware gangs operating in the country. Unlike China and North Korea, which exert tight control over some of the cybercriminal gangs that operate within their borders, Russian officials allow hackers to direct their own operations to a degree, the report found.

In June, President Joe Biden presented Russian President Vladimir Putin with a list of critical infrastructure and said such entities were “off-limits” to cyberattacks. He publicly vowed that if they were struck by Russian-based cybercriminals, the U.S. would respond.

Inglis said Biden was “crystal clear” with Putin that Washington would hold the Kremlin “accountable, not simply for what the government does directly, but for a permissive attitude that allows actors within their spaces to hold this nation at risk and it’s critical infrastructure at risk.”

Biden pressed his Russian counterpart to “essentially clean up the mess on his aisle nine. It remains to be seen whether they will.” 

Deputy national security adviser Anne Neuberger made similar remarks last week during a White House press briefing where she stressed that Biden is “looking for action, with regard to addressing cyber activity, and we continue to look for that.”

Inglis cautioned that in cyber deterrence — against foreign election interference or ransomware — “you’re not going to simply shoot your way out of it. You’re not going to simply try to find a cyber bullet and shoot down the other side that is aiming their cyber gun at you.”

He added that successful deterrence involves a combination of steps, including increased resilience at home and consequences against online hacks.

“There’s all sorts of ways that we can concurrently apply pressure to make their life more difficult, make it such that even if they still aspire to do that work, they’ll fail in the bargain,” according to Inglis. 

Martin is a cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.