Ransomware attacks have slowed down in recent months, according to Rob Joyce, director of cybersecurity at the National Security Agency (NSA), and the slowdown is due in large part to sanctions on Russia introduced after the Ukraine invasion.
Speaking at a recent UK security conference, Joyce said the sanctions are making it difficult for criminals in the country to work out ransom payments, due to a combination of financial services pulling out of Russia and companies being hesitant to pay a newly expanded range of sanctioned entities.
Ransomware payments slow down as it becomes harder to convince victims and collect funds
Since the invasion of Ukraine began, Russia has become financially isolated from the rest of the world to some degree. Major banks have been expelled from the international SWIFT banking system, credit providers have pulled their services from the country, and there are now more countries than ever before participating in sanctions that have expanded to include more individuals and entities.
The net result of all of this is a much more limited set of options for cyber criminals in the country to convert crypto ransom payments to cash. It is also tougher to convince victims of ransomware attacks to pay in this climate, as they could be fined for making a payment to someone who is even merely suspected of being involved with a sanctioned entity. Sanctions also prevent certain entities from purchasing necessary hardware from other countries, making it much tougher to build up new operations.
The NSA says that this is reducing ransomware attacks, which are still largely originating from Russia and allies such as Belarus. It has not eliminated them, however, as groups such as Conti and REvil continue to operate (both strongly suspected to be in the region). New groups have also been emerging since the war began in late February, but the NSA sees an overall downward trend in both ransomware attacks and ransom payments during this period.
Sanctions suppressing ransomware attacks, but not eliminating them
The NSA has taken a more direct role in monitoring and intervening in ransomware attacks after the 2021 incidents involving critical infrastructure made clear that ransomware had become an immediate national security issue.
Though the agency has not taken an official position on the issue, this information would appear to support the argument for banning ransom payments to get a handle on ransomware attacks. Other agencies (such as the FBI) have recently come out against such a ban; organizations are generally against it as well, given that they often feel they have no real option but to make the payment and hope for the best. The sanctions on Russian entities are the closest thing the US has to a ban on ransom payments at present, threatening those that make “willful” payments with very large fines and even prison sentences.
In February the NSA, FBI and CISA issued a joint advisory on ransomware attacks, recommending that organizations keep up with patching, implement a user email security training program, review the security of remote desktop protocols, and ensure that regular offline backups of data are being created in addition to any cloud-based backups.