REvil, the group behind the attack, is suspected of operating from Russian territory.
According to a report by the cybersecurity firm Trustwave SpiderLabs relayed by NBC, the ransomware that hit the IT firm Kaseya on July 2, 2021, contains code that makes it skip any system whose language settings are Russian or a related language. The group behind the attack, REvil, is known to operate from Russian territory.
The Kremlin is not necessarily involved in the attack, however.
On July 6, 2021, the US administration said it had not yet been able to identify the origin of the ransomware, which has affected between 800 and 1,500 organizations according to estimates; some put the number even higher. REvil demanded a ransom of 70 million dollars. Eyes quickly turned to Russia, however.
The Trustwave SpiderLabs report appears to confirm this suspicion. According to the researchers' findings, the ransomware is designed to avoid "systems whose default languages come from what used to be the USSR region". This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Moldovan Russian, Syriac and Syrian Arabic. REvil is not the only group to build in such a check: the ransomware of the DarkSide group, behind the May attack on Colonial Pipeline, appeared to be equipped with a similar mechanism.
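To make the mechanism concrete, here is an added illustration of a locale-based exclusion check of the kind the report describes. This is not code from the article, from Trustwave or from the REvil sample itself. It assumes the check is made against Windows language identifiers (LANGIDs) of the user interface language and of the installed keyboard layouts, which is how such checks are commonly implemented on Windows; the language list is built from the languages the article names, and the decision to treat only the Syrian and Moldovan variants of Arabic and Russian as country-specific matches is an assumption drawn from the article's wording. The sample inputs in `main()` are constructed.

```python
"""Locale-based 'skip this host' check (added illustration, not REvil's code).

The language list below maps the languages named in the Trustwave report,
as quoted in the article, to Windows LANGID values. The exact identifiers the
real sample compares against are an assumption here.
"""
import sys

# Primary language IDs (the low 10 bits of a LANGID) for languages matched
# regardless of country variant.
EXCLUDED_PRIMARY = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x28: "Tajik",
    0x2B: "Armenian", 0x2C: "Azerbaijani", 0x37: "Georgian", 0x3F: "Kazakh",
    0x40: "Kyrgyz", 0x42: "Turkmen", 0x43: "Uzbek", 0x44: "Tatar",
    0x18: "Romanian", 0x5A: "Syriac",
}

# Country-specific entries matched by full LANGID, so that, for example,
# Arabic (Saudi Arabia, 0x0401) is NOT excluded while Arabic (Syria) is.
EXCLUDED_FULL = {
    0x0819: "Russian (Moldova)",
    0x2801: "Arabic (Syria)",
}


def primary_lang(langid: int) -> int:
    """Extract the primary language part of a Windows LANGID."""
    return langid & 0x3FF


def excluded_language(langid: int):
    """Return the matched language name, or None if the LANGID is not listed."""
    if langid in EXCLUDED_FULL:
        return EXCLUDED_FULL[langid]
    return EXCLUDED_PRIMARY.get(primary_lang(langid))


def should_skip_host(ui_langid: int, keyboard_langids) -> bool:
    """True if the UI language or any installed keyboard layout is on the list.

    Checking keyboard layouts as well as the UI language is what makes a
    non-Russian machine with an added Russian layout look 'local' to the check.
    """
    if excluded_language(ui_langid):
        return True
    return any(excluded_language(k) for k in keyboard_langids)


def windows_locale_inputs():
    """Read the real UI language and keyboard layouts via Win32 (Windows only).

    GetUserDefaultUILanguage returns a LANGID; the low 16 bits of each HKL
    returned by GetKeyboardLayoutList are the layout's LANGID.
    """
    import ctypes
    from ctypes import wintypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    ui = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (wintypes.HKL * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return ui, [(h or 0) & 0xFFFF for h in buf]


def main():
    if sys.platform == "win32":
        ui, layouts = windows_locale_inputs()
        print("live values:", hex(ui), [hex(l) for l in layouts])
    # Constructed sample inputs: English (US) UI language in both cases.
    ui = 0x0409
    print("en-US only:", should_skip_host(ui, [0x0409]))            # False
    print("en-US + ru-RU layout:", should_skip_host(ui, [0x0409, 0x0419]))  # True


if __name__ == "__main__":
    main()
```

The check is deliberately coarse: it matches on language identifiers, not on geography or IP address, which is why a host that merely has one of these keyboard layouts installed can satisfy it. That is also why the lists differ between families and change between versions, so no defender should rely on this behaviour as a mitigation.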
Just because this ransomware avoids Russia does not necessarily mean it is commissioned by the Kremlin. The behaviour looks more like protection against the local authorities. Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC: "They don't want to annoy the local authorities and know they can go about their business for a lot longer if they do it this way."
The difficult cooperation between Russia and the United States on ransomware
Traditionally, Russia tends to ignore requests for collaboration on cybercrimes that have not affected the country itself. The MIT Technology Review recently revisited an attempted collaboration between Americans, Russians and Ukrainians in 2010, Operation Trident Breach. The operation ended in failure, notably when the FSB, the Russian security service, cut off all contact with its partners at the time. Among the targets of that operation, some later moved into ransomware and are even said to have occasionally collaborated with the Russian services.
The United States, which has made ransomware one of the major threats of the moment, has stepped up pressure on Russia to cooperate more with foreign authorities. Cybercrime was one of the central topics of the meeting between Joe Biden and Vladimir Putin in Geneva in June, in the wake of the G7 summit. The US national security adviser said at the time that the Americans had "set clear milestones with Russia, clear expectations, and also communicated to it the capabilities we have if it chooses not to act against criminals attacking our critical infrastructure from Russian soil".
The attack on Kaseya may be a test of any Russian willingness to act against cybercriminals on its territory. Cyberwar reports that the Russian presidency, via the TASS news agency, said on July 5 that it had not received a request for collaboration from the United States. Such a request could come, accompanied by pressure, if attribution of the ransomware confirms that it came from Russia.