with Aaron Schaffer

Is China primed to become a global hot spot for ransomware and other cybercrimes? 

That question was sparked by a White House statement this week accusing Beijing’s Ministry of State Security of contracting with criminal gangs for some of its hacking work and turning a blind eye to their cybercrimes for profit.

Among the cybercrimes were ransomware attacks, including one that locked up computers at a U.S. company. The hackers demanded millions of dollars to unlock the computers, a senior administration official said. The accusations came as part of a broader international condemnation of Chinese government hacking mostly tied to a breach of Microsoft email servers. 

The accusations highlight how ransomware – which has become nearly synonymous with Russia following a string of high-profile attacks – is actually a far more global problem. 

They also underscore a difficult truth: Even if Russian President Vladimir Putin accedes to President Biden’s demands that he dramatically clamp down on ransomware gangs operating out of Russian territory, the threat could migrate elsewhere – propelled by the multimillion-dollar payouts those gangs are demanding. 

“This is going to be broader than just Biden putting pressure on Putin to stop ransomware. That’s not going to stop this altogether,” Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, told me.

“Ransomware is so massively profitable that if Russia becomes hostile territory, we’d start to see operators in Brazil or North Korea or elsewhere,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me.

China’s ransomware industry is effectively in its infancy. 

But it could grow rapidly in the coming years. 

“They’ve taken a lot of their cues from Russian actors and are trying to figure out how to make ransomware more profitable,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, told me.

Even if ransomware activity doesn’t rise in China, it could happen elsewhere

There are ransomware gangs operating in Iran and Brazil at about the same level of development as those in China, Liska said. 

Those nations also share two key traits that have propelled the growth of ransomware in Russia and cybercrime generally: They have strong computer science education systems but few large domestic tech firms where people with that expertise can get jobs.

The Kremlin generally turns a blind eye to cybercriminals operating in its territory – provided they don’t attack Russian targets. 

Even ostensibly Russian ransomware gangs are far more international than they appear. 

Many of the most notorious such gangs operate on a ransomware-as-a-service model. That means they develop the ransomware and share customized versions of it with other organizations called affiliates. 

Those affiliates use the ransomware to lock down computers at organizations they’ve already found a way to hack into and share a portion of any ransom they get for unlocking them with the ransomware provider. 

It seems that affiliates are less likely than the ransomware gangs themselves to be Russian, experts say.  

DarkSide, which was responsible for the Colonial Pipeline attack, and REvil, which claimed credit for the Kaseya attack, both operate on this model.

The ransomware gangs themselves sometimes also include remote workers outside Russia. 

As recently as last month, the Justice Department charged a Latvian national for a role in the Trickbot ransomware group. In January, the department filed charges against a Canadian citizen who was part of the NetWalker ransomware gang.

Some gangs have tried to cut down on that by seeking people based in Russia or Russian speakers when they advertise for workers on underground forums.

This is probably because people based in Russia are less likely to be picked up by Western law enforcement and share information that could make it easier to disrupt the group’s work or arrest members when they travel to Western nations. 

But those rules aren’t hard and fast. 

“I very much doubt these groups would turn away someone who appeared to be a very good candidate no matter what language he spoke,” Callow said. 

The keys

Government pressure is mounting on NSO Group as revelations about its Pegasus spyware build up.

The French government ordered investigations after reports by The Washington Post and 16 media partners that the phone numbers of President Emmanuel Macron and other world leaders were included on a list of 50,000 phone records that included targets of NSO Group’s Pegasus spyware, Drew Harwell and Michael Birnbaum report.

“If the facts are confirmed, they are clearly very serious,” Macron’s office said in a statement. “All light will be shed on these press revelations. Certain French victims have already announced that they would take legal action, and therefore judicial inquiries will be launched.”

France's prime minister, Jean Castex, said that the government had ordered investigations amid the reports.

In all, the list included phone numbers of three presidents, 10 prime ministers and the king of Morocco, our colleagues report.

None of the officials offered their phones for analysis, so it’s impossible to tell whether they were actually targeted or infected by Pegasus. NSO disputed the report, saying that Macron, King Mohammed VI and some other French and Belgian officials on the list “are not and never have been Pegasus targets.”

The company has denied that the list of phone numbers was a list of surveillance targets. “The data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO,” NSO attorney Tom Clare said.

Sen. Gary Peters (D-Mich.) is investigating the role of cryptocurrency in ransomware hacks. 

The investigation will aim to identify policy changes that would help disrupt the ransomware ecosystem, his office said in a statement. It comes less than a week after the Biden administration announced a four-pronged strategy to fight back against ransomware that includes work to deter cybercriminals from using cryptocurrency.

Peters is chairman of the Senate Homeland Security and Governmental Affairs Committee. Here are more details from The Hill's Maggie Miller.

Chinese hackers breached more than a dozen U.S. pipelines from 2011 to 2013.

The hackers successfully compromised 13 pipelines, CISA and the FBI said. The announcement came the same day the Biden administration unveiled new cybersecurity rules for U.S. pipelines.

The hackers were backed by the Chinese government, authorities said. The hacks aimed to help China build its “cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” they said. Hacks that destroy or disrupt infrastructure are viewed as far more aggressive than those merely aimed at spying. However, government-backed hackers often lay the groundwork for such destructive attacks without triggering any damage.

Hill happenings

A new bipartisan bill would mandate many companies report hacks to the federal government. 

The bill would mandate reports about all hacks and attempted hacks within 24 hours for companies in critical infrastructure sectors such as transportation, agriculture and energy as well as for government contractors and cybersecurity companies. 

It would mark the most substantial increase in cybersecurity reporting requirements to date. It's being introduced today by Senate Intelligence Committee Chairman Mark R. Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.) and Sen. Susan Collins (R-Maine) among others. 

The group previewed a draft version of the bill last month. It would also provide limited immunity to companies that report breaches, the lawmakers said. 

The House of Representatives is cutting ties with a newsletter service that suffered a ransomware attack, CNN's Melanie Zanona reports on Twitter:

Here's more on the ransomware attack from CyberScoop's Sean Lyngaas.  

Industry report

  • The Senate Committee on Environment and Public Works holds a hearing on cybersecurity vulnerabilities in physical infrastructure today at 10 a.m.
  • The Atlantic Council hosts an event on Russia and cybercrime on Thursday at 1 p.m.

Secure log off