In recent years, ransomware groups have used a double-extortion scheme where they not only hold data hostage, but threaten to leak it online. Some groups have started offering the use of their ransomware code, portals, payment platforms and messaging infrastructure to others to conduct attacks, as in the Texas case using REvil, provided by a hacker group of the same name.
Last month, the Biden administration hosted a two-day conference with 30 other countries to create a coalition dedicated to disrupting the global ransomware ecosystem.
Cybersecurity experts say most ransomware developers are based in Russia, where they enjoy broad immunity because Russia does not arrest or extradite them. (Russia was notably not invited to the Biden administration’s summit.) This has limited options for law enforcement in the United States, Europe and other countries.
But in the past few months, American officials have changed tack. Last week, the State Department announced a $10 million reward for anyone who could help provide information about the leaders of DarkSide, a ransomware group alternately known as BlackMatter, which was behind the hack of Colonial Pipeline last May.
Mr. Biden said on Monday that when he met with Russian President Vladimir V. Putin in June, he made clear that the U.S. “would take action to hold cybercriminals accountable.”
American officials have also started clawing back ransom payments from cybercriminals, as they did in the case of DarkSide last June and with Mr. Polyanin, as announced on Monday.
“The message is: ‘You might think we can’t arrest you because you’re living in Russia, but there are a lot of other ways we can get to you,’” said Allan Liska, an intelligence analyst at Recorded Future, a cybersecurity firm. “This kind of sustained, cooperative law enforcement operation is making it far more expensive to conduct ransomware attacks and it’s starting to scare them.”