Ransomware: US warns Russia to take action after latest attacks

US warns Russia to take care of cybercrime operating in its own backyard or the US will take care of it itself.

Following the latest series of ransomware attacks, the White House has said the US will take action against the gangs involved, if the Russian government doesn't. 

The June ransomware attack on Colonial Pipeline, which distributes much of the fuel to the eastern seaboard of the US, was a turning point in discussions about cybercrime between US president Joe Biden and Russian president Vladimir Putin.

Biden in June said critical infrastructure should be "off-limits" to this style of cyberattack and is pressuring Putin to get a grip on ransomware gangs operating in Russia's jurisdiction. While the US intelligence community has not attributed the attack to one gang, most cybersecurity experts are pointing to gangs operating out of Russia.

The question of ransomware came up again after last week's attack on US tech firm Kaseya, whose VSA remote management and monitoring software was compromised, leading to about 1,500 companies being affected. While few critical infrastructure providers appear to have been hit, the attack has forced the closure of dozens of Coop supermarket stores in Sweden since Sunday. Affected Coop stores remained closed until Tuesday as the company replaced cash registers.

REvil offers its ransomware infrastructure as a service to any gang who's willing to pay. The attackers have demanded $70 million for a universal decryption key that would resolve the issue for Kaseya, its managed service provider (MSP) customers, and MSPs' customers. 

White House press secretary Jen Psaki on Tuesday offered an update on the US response to Russian-based cybercrime.

"As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own," said Psaki. 

She said high-level members of the US national security team have been in touch with high-level Russian officials to discuss the attacks.

But she said that even if the ransomware gangs were not operating with the permission of the Russian government, stopping the attacks was still Russia's responsibility.

"Even as it is criminal actors who are taking these actions against the United States or entities – private-sector entities in the United States, even as – even without the engagement of the Russian government, they still have a responsibility. That continues to be the President's view and the administration's view," she said.  

The G7 alliance, which includes Canada, France, Germany, Italy, Japan, the UK and the US, in June warned countries from which ransomware gangs operated to rein them in. Colonial ended up paying $4 million to its ransomware attackers while JBS, which was also compromised by a REvil-related gang, paid $11 million.

Kaseya on Tuesday issued a statement outlining its efforts to minimize impact on critical infrastructure.

It said the REvil attack impacted about 50 Kaseya customers. 

"Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya's customers, only about 800 to 1,500 have been compromised," Kaseya said in a statement. 

The attack exploited a previously unknown flaw in Kaseya's VSA software and only impacted customers with on-premises VSA servers. Kaseya, however, took its VSA software-as-a-service (SaaS) product offline too and was expected to bring it back online on July 6.

The company issued a notice late on July 6 that it had deferred its SaaS restoration due to an undisclosed issue.

"We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service. We will be providing a status update at 8 AM US EDT," it said in a statement.