Earlier this year, the U.S. government imposed sanctions against Russian national Mikhail Matveev, an FBI most-wanted cybercriminal, who authorities accuse of being a “prolific ransomware affiliate” involved in cyberattacks in the United States and overseas.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants, and is said to have ties to the notorious Conti hacking group. Matveev was allegedly involved in the high-profile ransomware attack on Costa Rica, which sought a $20 million ransom demand (and the overthrowing of the government), and claimed responsibility for a 2021 cyberattack on Washington, D.C.’s police department.
Matveev, who lives in the Russian enclave of Kaliningrad, seemed unmoved by the sanctions. He told TechCrunch that the sanctions make him “happy” and are “a plus for my security,” because it means Russia would not deport him to face a U.S. courtroom.
Ransomware attacks are at an all-time high and increasingly target vulnerable public sector organizations, like schools and hospitals, which only add to the urgency of getting critical networks and systems up and running again. There are no laws in the U.S. that ban ransom payments, but the FBI has long advised victims not to pay, for fear of helping hackers profit from ransomware and encouraging further cyberattacks.
That’s where sanctions come in.
Sanctions are an important weapon in the U.S. government’s bureaucratic armory against ransomware groups (and other hacking groups), who are often out of reach of U.S. indictments or arrest warrants. Sanctions, which are issued by the U.S. Treasury’s Office of Foreign Assets Control, make it illegal for U.S. businesses or individuals to transact with a sanctioned entity, such as Matveev, a tactic aimed at barring American victims from paying the sanctioned hacker’s ransom demands.
But ransomware gangs are also trying to stay ahead. Some ransomware gangs, which have rebranded or switched-up tactics in an effort to avoid sanctions, are on track to have one of their most profitable years during 2023, according to data from Homeland Security.
Sanctions aren’t perfect
Ciaran Martin, the founding CEO of the U.K.’s National Cyber Security Center, told TechCrunch that there are a number of problems that sanctions fail to tackle. A key criticism is that many ransomware actors, like Matveev, reside in Russia, which has a history of looking the other way while allowing hackers to continue to operate freely.
Does that mean that sanctions aren’t working? Not exactly. While sanctions are by no means perfect against ransomware gangs, sanctions undoubtedly make it harder for criminal organizations to profit from launching cyberattacks.
Allan Liska, a threat intelligence analyst at Recorded Future, said during a panel at TechCrunch Disrupt that while largely symbolic, sanctions do make it less profitable to be a ransomware actor. In an email, Liska added that it may seem like sanctions aren’t working due to the fact that tracked ransomware payments are at all-time highs, but noted that this is due in part to the size of the ransomware ecosystem, which Liska said is “so much larger than in previous years.”
There’s also the risk that sanctions could be driving the wrong behavior. By making it illegal to make a ransomware payment to a sanctioned entity or country — even if the victim was unaware of the sanctions — victim organizations might conceal the incident and subsequent payment without notifying the authorities.
Violating sanctions can be costly for Americans, leading to hefty fines and criminal prosecution. Those consequences alone “should be enough to encourage victims not to pay, effectively taking funds away from the sanctioned individuals or groups,” said Crystal Morin, cybersecurity strategist at cloud security firm Sysdig.
It may seem like sanctions against ransomware actors aren’t making a significant impact, but they are undoubtedly a step in the right direction — and one that only benefits from greater international collaboration to combat the global ransomware threat.
Comment