Imagine a valuable criminal commodity — Class A narcotics, for example — which had no chemical impact when used in certain countries. Or high-grade illegal weapons which would not fire if sold to customers in certain jurisdictions. Any sensible observer would begin to wonder whether those countries were complicit in the criminal activity itself.
But that is where we are with ransomware. For some years we have seen that much of the malware in common use cannot be installed on computers configured with the language settings of certain nations, mostly those 16 or so countries of the former Soviet Union and its allies such as Syria. In short, criminals have built the malware to check whether the machine it is attacking is situated in one of these countries and, if so, the malware moves on to other targets.
Of course some of this is about self-preservation for the criminals. Russian law enforcement will not investigate cyber crimes that do not affect its own citizens. Cyber criminals therefore know that preventing attacks against machines in Russia or its sphere of influence is a form of protection from unwanted attention.
That is the most charitable explanation. President Biden and US law enforcement clearly believe that Russian sponsorship of cyber criminal activity goes much further: from raking off the proceeds of crime to using cyber criminals as proxies for political pressure, transferring sophisticated nation-state skills in the process. It is almost certainly true that for those in the Kremlin addicted to asymmetric warfare, large scale attacks which damage the economy of the West are an obviously attractive weapon. Since they regard the internet as a giant Western conspiracy dominated by US companies, this is another way of levelling the field.
For all the talk about the internet crossing borders, there are obvious built-in settings that present a machine as being in a certain country. National identity does exist in cyberspace. Of course it is easy enough to change these and pretend you are somewhere else, and there has been a lively debate among security researchers about the merits of installing Russian language settings in addition to English as a form of protection from Russian criminals. But even if this works (and not all ransomware scans for language settings), most users are not going to go to this trouble.
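The "language settings" check described above is, on Windows, usually a comparison of the machine's language identifiers against a fixed exclusion list. The following is an added illustration, not code from this article or from any malware family, of how such a check classifies a host, and why the "install a Russian keyboard layout" idea works against one style of check and not another. The LANGID arithmetic follows Microsoft's documented format (low 10 bits are the primary language); the list of excluded languages and the host inventories are constructed for the example and are not the list any particular family uses.

```python
"""Model of a Windows language-ID exclusion check (added illustration).

Windows LANGIDs are 16-bit values whose low 10 bits identify the primary
language and whose high 6 bits identify the regional sub-language. Keyboard
layout handles (HKLs) carry a LANGID in their low 16 bits. A check of this
kind typically compares primary languages only.
"""

PRIMARY_LANG_MASK = 0x03FF  # low 10 bits of a 16-bit LANGID

# Documented Microsoft primary language identifiers (winnt.h LANG_* values)
# for a subset of former-Soviet-state languages. Illustrative only: the
# article's "16 or so" country list is not reproduced here.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
    0x43: "Uzbek", 0x2B: "Armenian", 0x37: "Georgian", 0x2C: "Azerbaijani",
    0x28: "Tajik", 0x40: "Kyrgyz", 0x42: "Turkmen",
}


def primary_language(langid: int) -> int:
    """Primary language of a LANGID or HKL, with the region bits stripped."""
    return langid & 0xFFFF & PRIMARY_LANG_MASK


def matching_languages(ids):
    """Sorted names of excluded primary languages present in the given IDs."""
    found = {EXCLUDED_PRIMARY_LANGS[p] for p in map(primary_language, ids)
             if p in EXCLUDED_PRIMARY_LANGS}
    return sorted(found)


def would_be_skipped(host: dict, check: str) -> bool:
    """Classify a host the way an exclusion check would.

    check="layouts":     any installed keyboard layout matches
                         (the style that consults the keyboard layout list)
    check="ui_language": only the system UI language is consulted
                         (the style that consults the default UI language)
    Which style a given family uses is not stated in the article; both exist.
    """
    if check == "layouts":
        return bool(matching_languages(host["keyboard_layouts"]))
    if check == "ui_language":
        return bool(matching_languages([host["ui_language"]]))
    raise ValueError(f"unknown check mode: {check}")


# Constructed host inventories. 0x0809 = English (UK), 0x0409 = English (US),
# 0x0419 = Russian; HKL values repeat the LANGID in both halves.
HOSTS = {
    "uk-office-pc":       {"ui_language": 0x0809,
                           "keyboard_layouts": [0x08090809]},
    "uk-pc-with-vaccine": {"ui_language": 0x0809,
                           "keyboard_layouts": [0x08090809, 0x04190419]},
    "moscow-pc":          {"ui_language": 0x0419,
                           "keyboard_layouts": [0x04190419, 0x04090409]},
}


def evaluate(hosts=HOSTS):
    """Return {host: {check_mode: skipped?}} for both check styles."""
    return {name: {mode: would_be_skipped(h, mode)
                   for mode in ("layouts", "ui_language")}
            for name, h in hosts.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:20s} layout check skips: {str(result['layouts']):5s} "
              f"UI-language check skips: {result['ui_language']}")
```

Run as written, the UK host with an added Russian layout is skipped by the keyboard-layout style of check but not by the UI-language style, which is the point of the caveat above: the trick only helps against families that look at the layout list, and does nothing against those that do not check language at all.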
The answer has to be greater pressure on these countries to take the crime emanating from their jurisdictions seriously. The best way to do this will be through building a coalition of economic and diplomatic pressure which makes the criminal activity costly for its hosts. That is a long term project and one on which the new US Administration has embarked.
I have written a good deal about ransomware in recent years, mostly on the theme that decent cyber security could prevent much of the current epidemic. Better defence remains the priority for most companies and that is what Western governments should be promoting.
But the fact remains that ransomware is also a geopolitical matter. Not all of it, of course, but that is true of some of the highest-profile and largest-scale ransomware families, and certainly of some of the more sophisticated recent malware aimed at SCADA and remote management systems in manufacturing.
When the Irish Republic’s healthcare system was immobilised by ransomware last week, some Irish politicians talked about an attack on the nation. They were referring to the scale of the impact, but they were not wrong in assuming nation state complicity in the attack. Doing nothing to stop this happening from your territory is as bad as doing it. And the claims of ransomware groups that they are ‘apolitical’ are undermined by the coding of their own malware.