US, UK, Australia Sanction Russian Ransomware Operator


January 23, 2024

World map

The U.S., U.K. and Australian governments announced Tuesday sanctions against Alexander Ermakov, a Russian ransomware operator accused of participating in an October 2022 attack on Australia’s biggest private health insurance provider Medibank that exposed the Personal Health Information (PHIT) of nearly 4 million patients.

“Ermakov is linked to the REvil ransomware operation, which, at one time, was among the most notorious cybercrime gangs in the world, having been deployed on approximately 175,000 computers worldwide and tied to at least $200 million paid in ransom, according to the U.S. Treasury statement,” CyberScoop reports.

“Russia continues to provide a safe haven to ransomware actors and enable ransomware attacks by cultivating and co-opting criminal hackers who have launched disruptive ransomware attacks against U.S. and allied countries. We will continue to stand with our partners to disrupt ransomware actors that threaten our economies and critical infrastructure,” the U.S. State Department said in a statement.

Takeaway: So, what can governments do to protect organizations from the relentless onslaught of ransomware attacks? From what we have witnessed so far, not much, if anything. But sanctions make for good headlines.

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall law enforcement has had little impact in disrupting ransomware operations.

We know rogue nations like Russia, China, Iran, and North Korea directly support and/or direct ransomware operations, and these attacks have risen to the level of state-sponsored terrorism, and perhaps we should be addressing them as such.

But the US, UK, Australia and other allied governments are in a tough spot regarding what actions to take to stem disruptive ransomware attacks, mostly because there is so much ambiguity in determining root attribution for these attacks.

Law enforcement actions and government sanctions against ransomware operators are necessary, but even if they are arrested or their operations shuttered, there will quickly be someone to take their place.

At some point, these ransomware attacks are going to cross the line from cybercriminal activity to a national security event, especially when we are talking about attacks on critical infrastructure, Defense Industrial Base targets, and healthcare providers.

Even if the ransomware attack itself is resolved, the fact remains that the attackers may have exposed incredibly valuable intelligence for foreign adversaries, and this can potentially mean that an entirely different set of rules kick into place.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible.

But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive action deemed appropriate and proportional.

As Cyber evolved into a theater of operations militarily, conventional thinking is that a major attack on critical infrastructure would likely only come as part of a larger operation that included traditional kinetic warfare.  

Ultimately, it's these rogue governments that are both providing safe harbor for criminal elements conducting ransomware attacks and influencing some of their targeting.

Until the US government directly sanctions these regimes for their direct or tacit support of ransomware operations, we will not see this spate of attacks abate any time soon. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.