Covert ransomware attacks continue as high profile cases slow | Breaking News Updates

Since President Joe Biden warned Russian Vladimir Putin to crack down on ransomware gangs in his country, there has not been a massive attack like the one last May that resulted in gasoline shortages. .

But that’s a little comfort for Ken Trzaska.

Trzaska is president of Lewis & Clark Community College, a small school in Illinois that canceled classes for days after a ransomware attack last month that took critical computer systems offline.

“That first day,” Trzaska said, “I think we were all probably up over 20 hours, going through the process, trying to figure out what happened.”

Although the United States is not currently experiencing large-scale front-page ransomware attacks, comparable to those at the start of the year that targeted the global meat supply or prevented millions of Americans from filling their reservoirs gasoline, the problem has not gone away. In fact, the attack on Trzaska College was part of a barrage of less publicized episodes that rocked the businesses, governments, schools and hospitals that were affected.

The college ordeal reflects the challenges the Biden administration faces in eradicating the threat – and its uneven progress in that direction since ransomware became a pressing national security issue last spring.

U.S. officials have recovered some ransom payments, cracked down on cryptocurrency abuses, and made arrests. Spy agencies launched attacks on ransomware groups, and the United States pushed federal, state and local governments, as well as private industries, to strengthen protections.

Yet six months after Biden’s admonitions of Putin, it’s hard to say whether the hackers have calmed down because of American pressure. Smaller-scale attacks continue, with ransomware criminals continuing to operate from Russia with apparent impunity. Administration officials have given conflicting assessments as to whether Russia’s behavior has changed since last summer. To complicate matters further, ransomware is no longer high on the US-Russia agenda, as Washington scrambles to deter Putin from invading Ukraine.

The White House has said it is determined to “fight all ransomware” through its various tools, but the government’s response depends on the severity of the attack.

“There are some that are law enforcement issues and others that are high impact and disruptive ransomware activities posing a direct threat to national security that require further action,” the statement said. .

The ransomware attacks – in which hackers block victims’ data and demand exorbitant sums to return it – have emerged as a national security emergency for the administration after a May attack on Colonial Pipeline, which supplies near the half the fuel consumed on the east coast.

The attack prompted the company to shut down operations, causing gas shortages for days, despite returning to service after paying more than $ 4 million in ransom. Shortly thereafter, an attack on meat processor JBS took place, which paid a ransom of $ 11 million.

Biden met with Putin in June in Geneva, where he suggested that critical infrastructure sectors should be “banned” for ransomware and said the United States should know in six months to a year “if we have a deal. cybersecurity that is starting to bring order ”.

He reiterated the message in July, days after a major attack on a software company, Kaseya, which affected hundreds of companies, and said he expected Russia to take action against them. cybercriminals when the United States provides enough information to do so.

Since then, there have been notable attacks from groups believed to be based in Russia, including against Sinclair Broadcast Group and the National Rifle Association, but none of the same consequences or impact as those of the spring or last summer.

One of the reasons may be the increased control of the US government, or the fear of it.

The Biden administration in September sanctioned a Russia-based virtual currency exchange that officials say helped ransomware gangs launder money. Last month, the Justice Ministry exposed the charges against an alleged Ukrainian ransomware operator who was arrested in Poland and collected millions of dollars in ransoms. US Cyber ​​Command chief General Paul Nakasone told The New York Times his agency has launched offensive operations against ransomware groups. The White House has said “whole-of-government” efforts will continue.

“I think the ransomware makers, the people who run them, take a step back and think, ‘Hey, if we do this, the United States government is going to pursue us in an offensive way,'” Kevin Powers, Strategy Advisor security for a cyber risk company. CyberSaint said attacks on critical infrastructure.

US officials, meanwhile, shared a small number of names of suspected ransomware operators with Russian officials, who said they had started investigating, according to two people familiar with the matter who were not authorized to speak in public. .

It is not known what Russia will do with these names, although Kremlin spokesman Dmitry Peskov insisted the countries had a useful dialogue and said “a working mechanism has been established and actually functioning “.

It is also difficult to measure the impact of individual arrests on the overall threat. Even as the alleged hacker awaits extradition to the United States after his arrest in Poland, another who was indicted by federal prosecutors was later reported by a British tabloid as living comfortably in Russia and driving luxury cars. .

Some are skeptical of attributing any decline in large-scale attacks to US efforts.

“It might have been just fluke,” said Dmitri Alperovich, former chief technology officer at cybersecurity firm Crowdstrike. He said asking Russia to quell large-scale attacks would not work because “it’s far too granular a request to calibrate criminal activity they don’t even fully control.”

Senior U.S. officials have given conflicting answers on ransomware trends since Biden’s talks with Putin. Some FBI and Justice Department officials say they haven’t seen any change in Russian behavior. Cyber ​​National Director Chris Inglis said there had been a noticeable decrease in attacks, but it was too early to say why.

It is difficult to quantify the number of attacks given the lack of basic information and uneven victim reports, although the absence of disruptive incidents is an important marker for a White House trying to focus its attention on them. major national security risks and catastrophic violations.

Victims of ransomware attacks in recent months include hospitals, small businesses, colleges like Howard University – which briefly took many of its systems offline after discovering an attack in September – and the legislature from Virginia.

The Lewis & Clark attack in Godfrey, Ill. Was discovered two days before Thanksgiving when the school’s IT director detected suspicious activity and proactively took the systems offline, Trzaska said. , President.

A hacker ransom demand demanded payment, though Trzaska refused to disclose the amount or identify the culprits. While many attacks originate from hackers in Russia or Eastern Europe, some originate elsewhere.

With vital education systems affected, including the school’s email and e-learning platform, administrators canceled classes for days after the Thanksgiving break and communicated updates to students. via social media and via a public alert system.

The college, which had backups on the majority of its servers, resumed operations this month.

The ordeal was intimidating enough to inspire Trzaska and another college president who he said went through a similar experience to schedule a cybersecurity panel.

“Everyone’s stock quote,” Trzaska said, “isn’t if it’s going to happen, but when it’s going to happen.”

Suderman reported from Richmond, Virginia. Associated Press writer Dasha Litvinova in Moscow contributed to this report.