More Joint Cybercrime Sanctions — And a ‘Two-Tier’ Ransomware Universe

Following on from the Australian, UK and US joint sanctions designations of Russian cybercriminals in January 2023 (in connection with the Medibank hack) and May 2024 (targeting a member of the LockBit ransomware outfit), these three countries struck out with joint cybercrime sanctions again. On 2 October, they designated three Russian nationals allegedly involved in Evil Corp, another ransomware group.

These sanctions are clearly part of a bigger push to put pressure on Evil Corp and LockBit alike. Over the past two days, the UK’s National Crime Agency published a write-up of LockBit’s operations, which contains a chronology of its activities and highlights its connections to Evil Corp. Meanwhile, Europol provides this summary of the recent flurry of law enforcement activity:

A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate. The Spanish officers seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group. In addition, Australia, the United Kingdom and the United States implemented sanctions against an actor who the National Crime Agency had identified as a prolific affiliate of LockBit and strongly linked to Evil Corp.

These are significant law enforcement successes, and sanctions are an important component. In essence, they broadcast the message of ‘we know who you are, and what you did’. Sure, arrests do not always follow, but often they do.

Signalling aside, the other facet to cybercrime sanctions is the prohibition on making payments to sanctioned criminals. It is generally not illegal to make a ransomware pay-out, and many companies do precisely that. However, no one in Australia, the UK or the US can now lawfully pay the sanctioned members of LockBit or Evil Corp — and, therefore, for all practical intents and purposes these ransomware outfits become ‘beyond the pale’.

As I highlighted in a recent article — forgive the plug! — this produces a two-tier ransomware ecosystem. There are those outfits who can be paid, and those who cannot. The question then is what distinguishes the regular cybercriminals (who, while objectionable, can be lawfully paid) from those who get the sanctions treatment.

The Medibank case, which involved the hack of one of Australia’s largest health insurers, supplies a useful indicator. Health infrastructure is off-limits, and any attempt to go after it will trigger a coordinated response from law enforcement, intelligence and sanctions agencies. The same could be expected in connection with other critical infrastructure. The Evil Corp and LockBit situations further suggest that, if an outfit grows too much and becomes too big a ransomware problem, a similar response may follow.