© 2024 Public Radio East
Public Radio For Eastern North Carolina 89.3 WTEB New Bern 88.5 WZNB New Bern 91.5 WBJD Atlantic Beach 90.3 WKNS Kinston 88.5 WHYC Swan Quarter 89.9 W210CF Greenville
Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

Inner Workings Of DarkSide Cybergang Reveal It's Run Like Any Other Business


This is FRESH AIR. I'm Terry Gross. Ransomware attacks have disrupted the flow of gas and the supply of meat in just the past few weeks after Colonial Pipeline and JBS, the meat processing company, had their computer systems held hostage for ransom. Similar ransomware attacks have been waged on many companies, large and small, and on hospitals, the police and cities. My guest got an inside look at how the new breed of ransomware attackers operate.

Michael Schwirtz is an investigative reporter at The New York Times who gained access to secret communications from the cybercriminal operation DarkSide that attacked Colonial Pipeline. These communications offered what he described as an extraordinary glimpse into the internal workings of a Russian-speaking gang that had become the face of global cybercrime. DarkSide pulled in millions of dollars in ransom payments each month after. They were outed as the attackers of Colonial Pipeline, they went dark.

Schwirtz has also reported on the company that attacked JBS, which is called REvil - R-E-V-I-L. These cybercriminals and many others are believed to be operating from Russia. Schwirtz worked in The New York Times' Russia bureau from 2006 to 2012. Last year, he was a lead reporter on the team that won a Pulitzer Prize for a series of articles about Russian intelligence operations around the world. We recorded our interview yesterday morning.

Michael Schwirtz, welcome to FRESH AIR. The inner workings of ransomware that you found out were fascinating. Let's start with what you learned the victim sees on the screen when DarkSide captures the computer system.

MICHAEL SCHWIRTZ: Right. When the ransomware is uploaded into a victim's computer system, the first thing they see is a ransom note. It says at the top, welcome to DarkSide. And it contains a list of instructions on how the victim can go about unlocking their data. They have no access to their data. And what they need to do is they'll rely on DarkSide by paying a ransom to provide them with a key that will allow them to get these files back. And the letter is written in a kind of very formal, businesslike manner with very subtle threats. They're warned - victims are warned not to try and tamper with their computer systems themselves, try not to access their data themselves, because this may result in the loss of the data completely. And so they're instructed to get in touch immediately with a DarkSide representative to begin negotiations over the ransom.

GROSS: And it not only locks victims out of computer systems. The hackers can steal proprietary data.

SCHWIRTZ: Right. And this is basically to put added pressure on the business. Not only does the victim risk losing access to important computer files that may be necessary for the day-to-day running of the business, but the hackers will threaten to spill this information into the public domain to be used by competitors, to be used by other hackers to carry out additional attacks on the company. And so they're really, really hard pressed to act very, very quickly to clear this up - the victims are.

GROSS: Now, the ransom is paid and cryptocurrency like Bitcoin. Most people don't know how to use Bitcoin. So DarkSide actually has, like, a helpdesk to help the victims pay the ransom.

SCHWIRTZ: Right. It's a really user-friendly experience. There's a helpdesk like any other...

GROSS: Great (laughter).

SCHWIRTZ: ...You know, when your internet goes out, you contact your internet service provider. And sometimes there's a chat. It's a very similar service. And it's the goal of these hackers to make this as simple as possible, so that people are more willing to just pay the ransom and get it out of the way and get back to business, rather than put up a real fight to try and get their data back that wouldn't result in them getting paid.

GROSS: DarkSide is a cybercriminal gang, but it's set up like a business with affiliates. What are the affiliates?

SCHWIRTZ: What DarkSide does is they're a ransomware creator. So they create the program that is uploaded into a victim's computer system that locks down their data. But what they do is they basically contract out to these affiliates who are other hackers. And these are the people that are responsible for actually penetrating the victim's computer services. And what they do is operate basically on a subscription service. You, as an affiliate, can sign on to DarkSide services, in which case you get access to their malware, their ransomware to use for a fee that operates on a sliding scale depending upon the size of the ransom.

GROSS: What's the profit model for both DarkSide and for the affiliate it's working with? For example, Colonial Pipeline was told to pay $4.5 million to get access again to its computer system. Colonial Pipeline paid the $4.5 million. How is that divided between DarkSide and the affiliate that actually did the hack?

SCHWIRTZ: So DarkSide takes a cut. And so the way it worked with DarkSide, which I am told is fairly generous, if the ransom that was charged that was eventually obtained was less $500,000, DarkSide would take about a 25% cut. And this moved down to about 10% for ransoms over $5 million. So DarkSide would have taken about 10% of the ransom paid by Colonial Pipeline for its attack, with the remaining going to the affiliate, which is the - an organization or an individual that actually penetrated the computer systems and infected the company's computer systems with the ransomware.

GROSS: So do these different ransomware groups compete with each other? Do they advertise to affiliates that want to work with a group that actually has the malware that they need?

SCHWIRTZ: They do, because it's a symbiotic relationship with these affiliates. You know, they can work - DarkSide can work with dozens of affiliates who are working round the clock trying to find vulnerabilities in various companies and inserting the malware. And they just have to sit back and wait for these attacks to be successful. But they do advertise. There are dark web forums, a number of very, very big and prominent Russian-language dark web forums which exist, in part, to serve as advertising platforms for these groups, not only of the ransomware developers advertising on those platforms, the affiliates are also advertising their services. So these forums act as kind of grease to this operation, allowing these groups to interact with one another and form partnerships.

GROSS: So you got access to the DarkSide dashboard. Explain what a dashboard is for people who don't know and what you saw on it.

SCHWIRTZ: So the dashboard is is sort of the interface that is used both by DarkSide developers themselves and by the affiliates. And so what I got access to was the affiliate dashboard. And from there, you can get access to news about the latest hacks coming from DarkSide. You can get news about the profits. It had a ticker on it that was set up to count profits coming in, so you could keep an eye on how well the group was doing financially. And it also provided, like we were talking about, a tech support function where you can enter into a chat with a customer service representative from the DarkSide if you were an affiliate and had any problems.

GROSS: What insights did seeing the dashboard give you about the operation?

SCHWIRTZ: One thing that I think was the most striking was just how mundane it is. It was like entering into any other sort of company's computer systems. It was - there was a news ticker. There were press releases talking about latest services that were being offered to affiliates. One of the more recent press releases was about a news service in which DarkSide would be starting up a project to offer DDoS attacks - distributed denial of service attacks - against victims' computer systems, which is a way of overloading a victim's computer systems with fraudulent requests. And this was another way to put the screws to victims who may not be so willing to fork out the ransom. And so that - I mean, that was the most striking thing about it. This was being run just like a regular business. And, you know, we were able to get a look at how this business was run and how it was developed, going back into the archives and looking at news release, looking at company communications, going back to the group's inception, which occurred around August of last year.

GROSS: You make contact with a customer support employee. It sounds so legit. So what was the communication?

SCHWIRTZ: After I had spent some time exploring the dashboard, I decided that I was going to reach out to the customer support office at DarkSide. And it's a very simple thing to do. It's a similar interface to one that everybody is used to using when talking to customer support. There's a little button down in the lower right-hand corner of the screen that says chat. I opened the window and just wrote hello in Russian just to see if I could get any response. And sure enough, within about five or 10 minutes, somebody came on the line and said they were there and asked what I needed. And at that point, I introduced myself as a reporter with The New York Times, as we are required to do according to our rules. And within minutes, I was kicked out of the site, and the account was closed down.

GROSS: Was that the response you were expecting when you identified yourself?

SCHWIRTZ: It was. It was. I had a small sliver of hope that I might be able to engage with somebody from DarkSide for a bit longer. But that was definitely the odds-on reaction that I was expecting.

GROSS: A lot of reporters would have just entered under a false identity, gone in undercover, so to speak. What is The New York Times' rule surrounding that?

SCHWIRTZ: Ethically, we're not allowed to go undercover. And as a rule, I always introduce myself as a Times reporter first so that nobody's under any illusion about who I am and what I want. And so while going in undercover and pretending to be an affiliate - and in this case, we were using the account of an affiliate named Woris. So this was an actual account for an actual affiliate that had been in contact and involved in attacks with DarkSide in the past. So I wanted to make it very clear that I was not this individual Woris and that I was somebody new. And ethically, that is - that's Times policy.

GROSS: Well, we need to take a short break here, and then we'll talk some more and pick up where we left off. If you're just joining us, my guest is New York Times investigative reporter Michael Schwirtz. We'll be right back. This is FRESH AIR.


GROSS: This is FRESH AIR. Let's get back to my interview with New York Times investigative reporter Michael Schwirtz about ransomware attacks and how the attackers operate. He gained access to secret communications from the cybercriminal operation DarkSide that attacked Colonial Pipeline. He's also written about how REvil operates. That's the cybergang behind the ransomware attack on JBS, the giant meat processing company.

So you not only managed to get a momentary chat (laughter) with basically somebody from customer support, you got access to some secret communications from DarkSide. What were some of these communications?

SCHWIRTZ: Correct. Well, the communications were saved, essentially, within the chat system on the dashboard. And so this individual, Woris, was the affiliate, had been communicating throughout probably since about February with the customer support service from DarkSide because the affiliate had been having trouble getting a victim to pay. And so I was able to basically trace the process of an attack and the process of squeezing a victim from the - almost from the very beginning by following these chats and from the sort of mirror images of what we're used to. What we normally get is a victim explaining to us how these attacks were carried out from their perspective. So it was very, very interesting to watch how one of these attacks and the negotiations - the subsequent negotiations that occurred over the ransom played out from the perspective of the hackers who were involved in the attack.

And the victim, which in this case is a small American publishing company that deals primarily with clients in primary education, the victim was putting up a bit of a fight. And Woris, the affiliate, was in discussions with DarkSide about how to put on additional pressure so that this victim would pay up. And it wasn't a small amount of money they were talking about. It's a small company, but what the ransom was that they had decided on was $1.75 million. And so this company seems to have balked at paying this amount of money to get its systems back online and was putting up a resistance. And the chat consists of these two individuals or perhaps groups basically charting out a strategy for putting the squeeze on them to get them to pay up.

GROSS: So this isn't a big corporate publishing company we're talking about. It was a family-run company. And for this company, 1.7 million was a lot. So what were the threats against them?

SCHWIRTZ: There was a number of threats that they had come up with, and it's unclear to me how many of these were implemented. There were - one of the earliest threats that they had discussed was essentially trying to blackmail the company. They threatened - because, as we mentioned, they had gained control over proprietary information. This is information about clients, again, who are primarily in primary school education. And at one point, they decided to threaten to spill information about clients onto the dark web. And they added that this information could be used by pedophiles to make fake IDs that would allow them to enter schools and threaten children. I think this was a fanciful idea on their part, but it shows sort of the mindset that they had. They were willing to make these kinds of threats in order to try and get this company to pay up.

GROSS: In one of the conversations between DarkSide and Woris, Woris was laughing about the pedophile threat. And Woris, whoever that is - or whoever the group is wrote, I laughed to the depth of my soul about the leaked IDs possibly being used by pedophiles to enter the school. I didn't think it would scare them that much.

SCHWIRTZ: Right. And I think this company, you know, for good reason, was really spooked that, one, proprietary information about clients would get out. This could, perhaps, be a threat to them. But also, this would be a big threat to their business if it was discovered that they had lost control of information and allowed people's identities to be compromised, right? Nobody wants to, you know, imagine that their personal information is floating around on some dark web site, you know, ready to be plucked up by a cybercriminal and used for who knows what means.

GROSS: Does DarkSide and the affiliate that it's working with to do the ransomware attack, do they collaborate on what the threats should be and how they should be expressed to the victim?

SCHWIRTZ: They do. At several points in the chat, it becomes clear that Woris is the one writing communications that they want sent to the victims. So they write a letter that is supposed to be addressed to clients of this company that is refusing to pay. And then the letter is passed on to DarkSide. And DarkSide is actually doing the direct negotiations with the company. So when the company is communicating with the hackers that hacked into its system, it's communicating with DarkSide. But Woris is there behind the scenes, basically, coaching DarkSide on what to say.

GROSS: So how did the publishing company that was - that had its computer system held hostage by Woris and DarkSide, how did the company handle it? I know the company negotiated. Who do they negotiate with? And what do you know about how the negotiations went?

SCHWIRTZ: They negotiated directly with DarkSide. So as I explained early on, they would have received this letter, a ransom note, giving them instructions on how to contact DarkSide and begin these negotiations. And that appears to be what they did. The negotiations were done primarily through email and a specialized chat service probably similar to the one that I was seeing on the dashboard, the DarkSide dashboard for the affiliates. And they were communicating with somebody who used very, very bad English. And...

GROSS: Because they're Russian-speaking, the cybergangs.

SCHWIRTZ: They're Russian-speaking. It's interesting to me that there were not better English speakers that could be utilized for this purpose. But when you look at some of the communications between the DarkSide negotiators and the company, the English language skills are pretty poor. And, you know, this company negotiated with DarkSide for several weeks and maybe a few months before - negotiations broke down around the time of the Colonial Pipeline hack, at which point, DarkSide had to contend with all of the troubles that arose following the massive international reaction to that attack.

GROSS: So during the months of negotiation, was this publishing company locked out of its own system? And if so, how did it function? You might not know the answer to that.

SCHWIRTZ: According to the company - and I've communicated with them - they were locked out of their information for a while. And it was pretty damaging to their business. They wouldn't go specifically into sort of monetary losses that they endured as a result of this. But according to them, it was fairly damaging. And they were working very hard to both keep their systems online, but also avoid paying what would have been a very, very steep price. They also approached the FBI. And the FBI began investigating as well. The thing that I don't know - I do know the ransom was never paid. I do not know what happened to the company's information because DarkSide, as has been reported, has gone quiet, at least, if it hasn't disappeared completely. And so the fate of victims who had not yet resolved their attacks, I think, is a bit unclear.

GROSS: Do you think that the publishing company negotiated a long time to stall so that the FBI could continue to investigate who was behind the attack?

SCHWIRTZ: There was some indication that that was the case. And I don't - I'm not privy to details about the federal investigation into the case. But, yeah, there is some indication that the company was trying to, basically, keep DarkSide on the line while the FBI investigated. And as has been revealed in almost-daily updates about the Colonial Pipeline attack, it seems as if the FBI had been investigating DarkSide almost since its inception. And it had gained a lot of real insight into how the company operated.

GROSS: Let's take a short break here, and then we'll talk some more. If you're just joining us, my guest is New York Times investigative reporter Michael Schwirtz. We'll talk more about ransomware attacks and who the attackers are after we take a short break. I'm Terry Gross. And this is FRESH AIR.


GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to my interview with New York Times investigative reporter Michael Schwirtz. He's been writing about ransomware attacks and how the attackers operate. He gained access to secret communications from the cybercriminal operation DarkSide that attacked Colonial Pipeline. These communications offered what he describes as an extraordinary glimpse into the internal workings of a Russian-speaking gang that had become the face of global cybercrime. He's also written about how REvil operates - that spelt R-E-V-I-L. That's the cybergang behind the ransomware attack on JBS, the giant meat processing company.

Let's talk about the Colonial Pipeline hack. Colonial Pipeline paid the ransom. The CEO says he thought it was in the best interest of the country to make sure that the oil kept flowing because this is a pipeline that supplies much of the East Coast. So they paid - and I think they paid pretty quickly. So was this attack against Colonial Pipeline through an affiliate of DarkSide?

SCHWIRTZ: Yeah. That's how it would have worked. I don't know that we have a lot of details about the affiliate in this case, but it would have been likely an affiliate using DarkSide's ransomware in the same way that Woris sort of carried out the attack on this publishing company, another affiliate would have carried out the attack on Colonial Pipeline. And DarkSide would have been the direct interface conducting negotiations with Colonial to get their systems back up and running.

GROSS: Do you have any idea what the negotiations were like between the affiliate and Colonial Pipeline?

SCHWIRTZ: I do not know, but it seemed to have happened very, very quickly. The CEO of Colonial testified this week that the ransom was paid even before the FBI was contacted to inform them about the ransomware attack. I believe the first we had heard the Colonial Pipeline had been the victim of a ransom attack was on the 7 of May. And by the 8 of May, there's evidence that money had been transferred from Colonial to a Bitcoin account operated by DarkSide. So if there were any negotiations, they happened very, very quickly and resulted in a big payday for DarkSide, at least initially.

GROSS: You know, authorities often warn that you should not pay ransomware attackers, because even if you pay, they might still not free up your computer system. Do they offer any guarantee? Does DarkSide have any ethics about actually following through on its word that if you pay the ransom, you'll get your intact computer system again?

SCHWIRTZ: The whole ransomware industry depends on a kind of honor system. And so it is very much in the interest of the ransomware companies to pay. If it gets out there that there's a ransomware criminal gang that is locking down computers, collecting ransoms and refusing to pay, there's going to be very, very little incentive for victims to hand over a bunch of money. Everything in the ransomware business revolves around making it as easy as possible for victims to hand over money. If it becomes any more difficult than it is, you know, victims are going to invest their time and energy into finding ways to avoid doing that.

What these ransomware companies want you to do when you're a victim of these attacks is to make a calculation in your head. How much is it going to cost me to engage into lengthy negotiations to try and get this ransom tossed out? How much is it going to cost me to resist? And is it just cheaper for me to pay this ransom and get on with my business? And I think for a number of companies, because of the way the ransomware industry has evolved, a number of companies make the calculation that it's just better to pay and get on with it. Obviously, then this feeds the industry and allows it to continue to grow.

GROSS: My understanding is that the CEO of Colonial Pipeline did not communicate with the FBI until after the ransom was paid, but the FBI did eventually manage very recently to get access to a Bitcoin wallet that was used by Colonial Pipeline to pay the ransomware attacker. What do you know about how the FBI was able to do that or what that even means? Most of us don't really understand cryptocurrency talk, so if you can explain what happened.

SCHWIRTZ: Right. And this was a really big deal because I think it's, you know, the first or at least the first major effort by the FBI to really go after one of these, you know, largely virtual ransomware game. And what appears to have happened is that the FBI, soon after DarkSide's creation in about August 2020, started investigating its finances. And basically, the way these groups operate is they set up cryptocurrency accounts which allow for easily transferable funds from a victim to the hackers. And they set up a number of these accounts into which victims will pour their funds.

And so when this Colonial Pipeline attack happened, the FBI already had very good insights into where DarkSide was storing its money, these digital wallets, as they're called, for Bitcoin. And what appears to have happened is that the FBI actually hacked into one of these wallets that was containing Bitcoins that were transferred from the Colonial Pipeline Company and took it back. And this amounted to - because of the price, the changing price in Bitcoin, this was a little less than what the company paid, but nevertheless, it was over $2 million worth of Bitcoin that was taken back from the hackers, which is just something that we've never seen before.

GROSS: So my understanding is that the affiliate of DarkSide didn't get paid, but DarkSide managed to keep their money because it was only the wallet from the affiliate that was hacked.

SCHWIRTZ: It appears that DarkSide managed to keep its money, but that that much is not clear either. Shortly after the Colonial Pipeline attack, DarkSide came under what it said were threats coming from the United States, some sort of undetermined kind of attack from the United States. And it announced publicly on its public-facing webpage that its Bitcoin accounts had been drained. And there had been mystery about whether, in fact, they drained the Bitcoin accounts themselves in order to hide their assets or that somebody else might have done it.

At the time, the United States said that it had not infiltrated the group's accounts. But it seems that later, just in the last few days, the FBI had been able to at least find one wallet probably belonging to an affiliate from which it extracted these funds.

GROSS: Let me reintroduce you again. If you're just joining us, my guest is New York Times investigative reporter Michael Schwirtz. We'll talk more about ransomware attacks after a break. This is FRESH AIR.


GROSS: This is FRESH AIR. Let's get back to my interview with New York Times investigative reporter Michael Schwirtz about ransomware attacks and how the attackers operate. He gained access to secret communications from the cybercriminal operation DarkSide that attacked Colonial Pipeline.

So DarkSide went dark. What does it mean that DarkSide went dark? Does it mean they disappear, or maybe they're just kind of creating another iteration of the group with, you know, with different - I don't even know the language - different passwords or encryption or whatever?

SCHWIRTZ: I mean, a different - I mean, just a rebranding exercise. That's possibly what it was. The timeline of the shutdown is unclear. So shortly after DarkSide was identified by the U.S. government as being involved in the Colonial Pipeline attack, the group itself announced that it was shutting down. And this was a few days after they were announced in connection with this attack. They announced that they were voluntarily shutting down and that they would be operating as kind of a private service, so they wouldn't be taking on new affiliates. They would continue to work with their affiliates in some guise. And they announced that they were taking down all of their infrastructure, their dashboard and things like that. But when I entered into the dashboard, which was about 10 days after this announcement, it was still open and active, though it had been clear that the accounts were drained or at least the tickers which showed the profits that they were bringing in from these random attacks read zero.

And so whether or not they have shut down and these individuals have decided they've made enough money and they're going to retire and then find some other line of work or whether they are just rebranding and regrouping, it's unclear. There's some evidence that exists that DarkSide was merely an affiliate of this other large ransomware hacking group REvil that then repackaged itself as a ransomware developer around August last year. So these groups go through a number of iterations. You know, they shut down and pick back up all the time. And so it wouldn't be surprising that the individuals who are behind DarkSide either joined other groups or set up another group under a different name and continue doing this sort of work.

GROSS: So how big of a victory do you think the FBI actually scored against DarkSide in particular and ransomware hackers in general?

SCHWIRTZ: I think it's hard to say right now, but I think it'll be interesting to see what the reaction is to the FBI's going in and retaking some of this ransom that Colonial Pipeline paid. It basically sends a message that there's not the impunity that you thought you had. In the past, once you got the money, you were basically scot free. And this is showing that there perhaps some consequences, at least to targeting the wrong kind of company. I don't know that the FBI has the resources every single time there's an attack to go after and take the money back. It's probably a large effort. And this is, you know, perhaps - I don't want to say it's completely symbolic, but perhaps, you know, the larger effect will be symbolic by putting these individuals on notice that there are cases in which they will cross the line and their earnings could be in jeopardy.

GROSS: So what's the understanding of what kind of case would cross the line? And do groups like DarkSide or REvil have a code about who is off-limits?

SCHWIRTZ: Well, what was special about the Colonial Pipeline attack was that it was a company that was involved in critical infrastructure. This company had customers going from Texas to New York. And shutting down the pipeline, which we should be clear, the company made the decision to shut down the pipeline as an administrative matter because it wasn't able to ensure that its customers would be able to pay for its deliveries. DarkSide didn't, in fact, shut down the company's pipeline. But nevertheless, it caused huge amounts of disruption and was a real wake-up call to policymakers, I think, in Washington and everywhere about the dangers that ransomware poses.

And this is something that ransomware operators just really don't like. They'd like to operate in the shadows. They don't want a ton of attention. And they certainly don't want to touch off a geopolitical conflict as a result of their business. Their job, as they see it is, to just get money and do it as quickly as possible without causing anything of a fuss. And so there were some really real recriminations in the ransomware world following the Colonial Pipeline hack. One of the major forums where cybercriminality is organized, one of the major Russian-language forums announced that it was banning all ransomware activity from its site. REvil, which we've mentioned, and some other groups reiterated long-standing rules against attacks on critical infrastructure as well as hospitals, educational institutions.

And I should say that DarkSide had these rules in place as well. And it's not clear whether the affiliate in this case that went after Colonial Pipeline just got a bit ahead of their skis and thought that, you know, they could attack the business side computer systems of this pipeline company and avoid sort of the larger ramifications that occurred or whether they just weren't thinking or they just got too greedy. But it's unclear. But there was a definite reset in the ransomware world as a result of this.

GROSS: One of the things - perhaps the main thing that has made these ransomware attacks possible is cryptocurrency, digital currency like Bitcoin. And most of us don't really understand how this works. But can you explain a little bit about why cryptocurrency has allowed these ransomware attacks to flourish?

SCHWIRTZ: One of the major features of cryptocurrency is that you can be anonymous. You're not handing over your banking information, right? You are transferring money into an anonymized wallet, essentially a digital wallet or an account that holds Bitcoin, which is just a currency like any other, like pounds, like dollars, like yen. And it's easily transferable from wallet to wallet. Once you transfer your dollars into Bitcoin, you can transfer from wall to wall.

So it - in the past, the way a lot of cybercriminality worked, it revolved around banking systems, right? You had to find ways to get people to give you their banking login credentials - in which case, you could drain their accounts. But you couldn't just drain their account and send it to your account, you know? You had to launder the money through a range of accounts and, in some cases, use individuals to physically bring cash across borders.

These days, you have your victim - one, you know, ransomware basically allows you to just ask your victim for the money. You don't have to trick them into giving you anything. You just have to infiltrate their systems and threaten to destroy their business. But then they just hand you over the money. And Bitcoin and other cryptocurrencies have allowed the transfer of this money to happen very, very easily. So it's just, you know, you transfer your dollars into Bitcoin. And then you send your money from your account to the hackers' account. And then the transaction is done.

GROSS: So - you know, we were talking about DarkSide. You've also looked into REvil, which is another ransomware group that works with affiliates. The affiliates actually do the hacking of the group and ask for the ransom. But they do it with the help of REvil or DarkSide or whoever the malware originator is. So can you compare REvil and DarkSide or compare the attack on JBS to the attack on Colonial Pipeline just to show what these groups have in common and what the differences are?

SCHWIRTZ: I mean, it's hard to compare and contrast. DarkSide is, perhaps, according to some cybersecurity researchers - the members of DarkSide of, the members that created DarkSide were, perhaps, affiliates of REvil. So they were, perhaps, working with REvil's ransomware at one point before they set off on their own and made their own product. The thing that ties them both together and I think is most significant is that both groups appear to operate largely inside Russia. And I'd caveat that to an extent because some of these groups can be rather big. And they - because of the nature of the work being online, individuals can operate anywhere in the world. But at least the core of the operation is based in Russia and among Russian-speaking users.

GROSS: Let me reintroduce you if you're just joining us. My guest is New York Times investigative reporter Michael Schwirtz. We'll talk more about ransomware attacks after a break. This is FRESH AIR.


GROSS: This is FRESH AIR. Let's get back to my interview with New York Times investigative reporter Michael Schwirtz about ransomware attacks and how the attackers operate. So REvil and DarkSide are based in Russia, as are many other cybercriminal gangs. Why is Russia such a hub for cybercriminals?

SCHWIRTZ: There are a number of reasons for this. First, you know, the education system that focuses on math and science is very, very robust. But there are countries with robust, you know, computer science cultures all around the world. And I think what sets Russia apart and what makes the country a greenhouse for this type of activity - to use the term one cybersecurity researcher used with me - is that the government at best turns a blind eye to these sorts of activities and at worst co-ops and uses these groups as part of a broader, geopolitical strategy meant to undermine Western countries.

GROSS: How do they get away with it in Russia?

SCHWIRTZ: There's a simple answer - there's a simple and more complicated answer to that. The simple answer is that the Russian government has, basically, taken the stance that if none of these individuals are attacking Russian interests, so companies inside of Russia, then they can't be prosecuted under Russian laws. Russian law, according to the Kremlin, according to Vladimir Putin himself, does not have a provision for prosecuting individuals for carrying out ransom attacks against American companies. And so as long as these groups avoid attacking companies within Russia - and often, these groups will have rules prohibiting attacks against companies not only in Russia but also in the former Soviet Union at large. They are able to do so with impunity, which makes this problem very pernicious and difficult to snuff out if you're coming at it from a law enforcement perspective.

GROSS: With so many Russian cybergangs attacking computer systems in America and other places around the world, do we know if Russian intelligence is cooperating with them, helping them in any way, and if Putin sees this as a kind of way of flexing his muscles without having any fingerprints on it?

SCHWIRTZ: And there's a number of different ways that I think the Russian government and the intelligence services are involved. I don't think that every single attack has a Russian intelligence or law enforcement angle to it. But there is evidence that Russian intelligence services have co-opted cybercriminals to engage in intelligence. You know, it just too good of an opportunity to explore the computer systems of your enemies if you've already got a robust industry of individuals breaking into systems.

So what seems to occur on occasion is that the intelligence services will make relationships with these cyber criminals and ask them, say, you know, they'll make a deal and say, you know, let's say we'll let you continue to engage in these sorts of operations and make money. But if you come across any sort of computer systems that might interest us, if you break into any government computer systems that might possess intelligence that could be used for national security purposes, you need to let us know.

Now, there are also more direct use of cybersecurity infrastructure by the intelligence services. We've seen cases - there was one case from a few years ago where the operator of a very large botnet, which is a network of infected computers, started running searches that appeared to indicate a hunt for actionable intelligence. There were searches for information about a weapons deal between the United States and Turkey. There were searches for information about the situation, the war going on in Ukraine.

And this fell so far outside of the normal operations of this infected network, which was generally focused on stealing banking credentials, that most security researchers and intelligence officials in the United States and elsewhere assumed that this was the Russian intelligence services basically coopting an infected network to engage in intelligence gathering.

GROSS: President Biden is meeting with Putin next week. Do you assume that ransomware is going to come up in the conversation?

SCHWIRTZ: It's definitely going to come up in the conversation. I think the Biden administration has made that clear. The real question is what the United States can do about it. The United States has leveled sanctions against Russian entities for involvement in cyberattacks carried out by the Russian intelligence services. And these would be overt attacks, you know, presumably ordered at the highest level of government to, in fact, the government computer systems. And the SolarWinds attack recently, which was recently revealed, comes to mind as part of that.

But these ransomware attacks fall into this sort of strange area where the Biden administration and Western governments in general have to be a bit more creative because normally, this would be a law enforcement issue. And if Russia were an ally, the FBI could meet with the FSB, which is Russia's version of the FBI, and hash out a plan for going after these groups. But that's an impossible thing to do when the Russian government is, at very best, turning a blind eye to these groups, but often protecting them.

GROSS: So these cybergangs, this ransomware, this is like criminal activity. Even if the Russian intelligence is collaborating with them in some way, it's not official. And I don't know if the U.S. could prove that Russian intelligence is working with them at all. So can Biden use something like the military Cyber Command to go after the ransomware attackers, or would that be considered an inappropriate use of the military because it's a criminal action?

SCHWIRTZ: Right. This is the sort of gray area that we find ourselves in. I think the administration is pretty reticent to use the military, like you said, to be - for involvement in what is generally considered a law enforcement issue. I think it's no surprise to see that it was the FBI that was involved in extracting these Bitcoins from the DarkSide affiliate's wallet and not some other entity within the U.S. government. It's a very difficult thing to unleash the U.S. military, even in the realm of cyber, on the citizens of a country with which you share an adversarial relationship or anywhere, right?

The potential for escalation is just unknown. And I think the administration is rightly treading carefully. And there just isn't a playbook for dealing with this. And part of that reason is because, you know, there's a hazy line between criminality, pure criminality and, you know, Russian-government-sanctioned actions that the administration and I think everyone is trying to figure out in this world of cybercriminality.

GROSS: Well, Michael Schwirtz, I want to thank you so much for talking with us.

SCHWIRTZ: I really appreciate it. It's been an honor. Thank you.

GROSS: Michael Schwirtz is an investigative reporter for The New York Times. If you'd like to catch up on FRESH AIR interviews you missed, like this week's interview with Rita Moreno about the ethnic stereotyping and sexual harassment she faced in Hollywood and her tumultuous relationship with Marlon Brando, check out our website. You'll find lots of FRESH AIR interviews.


GROSS: FRESH AIR's executive producer is Danny Miller. Our technical director and engineer is Audrey Bentham. Our interviews and reviews are produced and edited by Amy Salit, Phyllis Myers, Sam Briger, Lauren Krenzel, Heidi Saman, Therese Madden, Ann Marie Baldonado, Thea Chaloner, Seth Kelley, Kayla Lattimore and Joe Wolfram. Our associate producer of digital media is Molly Seavy-Nesper. Roberta Shorrock directs the show. I'm Terry Gross. Transcript provided by NPR, Copyright NPR.

Combine an intelligent interviewer with a roster of guests that, according to the Chicago Tribune, would be prized by any talk-show host, and you're bound to get an interesting conversation. Fresh Air interviews, though, are in a category by themselves, distinguished by the unique approach of host and executive producer Terry Gross. "A remarkable blend of empathy and warmth, genuine curiosity and sharp intelligence," says the San Francisco Chronicle.