Biden To Putin: ‘Take Action To Disrupt Ransomware Groups’

‘The United States expects when a ransomware operation is coming from his [Putin’s] soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information,’ says President Joe Biden.


President Joe Biden urged Russian leader Vladimir Putin to “take action to disrupt ransomware groups operating in Russia” following last week’s ransomware attack against Kaseya.

The dialogue between the two heads of state comes just days after the REvil gang – which operates largely out of Russia - pulled off the biggest ransomware attack in history, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user customers.

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters Friday.

Sponsored post

[Related: Kaseya VSA Down Until Sunday; CEO Fred Voccola Apologizes To MSPs]

REvil was first spotted in April 2019 and is known for refusing to target machines located in Russia or the former Soviet republics, CrowdStrike’s SVP of Intelligence Adam Meyers told CRN last year. The ransomware gang operates with impunity and hasn’t been constrained by Russian law enforcement despite having some fairly high-profile figures, Proofpoint EVP Ryan Kalember told CRN last year.

Asked by a reporter if Russia would face consequences for the recent attacks, Biden simply said ‘yes.’ In the immediate aftermath of the Kaseya ransomware attack, the Russian foreign intelligence service (SVR) took advantage of the chaos to carry out a hack of its own against IT distributor Synnex and breach the computer systems of their customer, the Republican National Committee, according to Bloomberg.

“President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia,” according to a White House statement released Friday after Biden’s call with Putin. “President Biden reiterated that the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

The Russian foreign ministry said Friday afternoon that interactions between the United States and Russia around information security and cybercrime should be carried out using specialized data exchange channels between authorized state structures, within bilateral legal mechanisms, and in compliance with the regulations of international law.

“In the context of recent reports of a series of cyber attacks allegedly committed from Russia, Vladimir Putin noted that despite the Russian side‘s readiness to jointly suppress criminal manifestations in the information space, there have been no appeals [by] the US authorities in the last month [around] these questions,” the Russian embassy to the U.S. wrote on Facebook.

A senior Biden administration official disputed this, according to The Washington Post. “We have relayed multiple specific requests for action on cyber criminals” to Moscow, “and have been clear about what Russia’s responsibility is with regard to taking action, including again today,” the official said.

Cybercriminal groups allegedly operating out of Russia have struck it rich in a spate of high-profile ransomware attacks in recent months. Colonial Pipeline in May paid Darkside hackers $4.3 million in hopes of restoring operations on its 5,500-mile pipeline sooner. Federal authorities seized $2.3 million of Colonial’s payment by reviewing the Bitcoin public ledger and identifying transferred proceeds.

Similarly, meatpacking giant JBS paid REvil $11 million last month to shield the company’s meat plants from further disruption and limit the potential impact for restaurants, grocery stores and farmers, said CEO Andre Nogueira. As for Kaseya, EVP of Account Management Michael Sanders said the ransomware experts the company has consulted has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders told KrebsOnSecurity Thursday in response to REvil’s $70 million ransom demand. “With the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”