This article first appeared in The Edge Malaysia Weekly on June 28, 2021 - July 4, 2021
ON Friday May 7, Colonial Pipeline Co, which accounts for more than half of all petrol and diesel supplies across the US East Coast, including New York, Boston and Miami, was targeted by DarkSide, a Russian ransomware gang. The cybercriminals stole sensitive data, which forced Colonial to shut down its pipelines, causing a spike in prices at the pump and long queues of cars and trucks trying to fill up their tanks. DarkSide demanded US$4.4 million (RM18.3 million) worth of Bitcoin as ransom. As any key infrastructure firm would have done, the pipeline operator promptly deposited Bitcoin into DarkSide’s digital wallet and got its data back.
Four weeks later, the US Department of Justice announced that it had recovered most of the Bitcoin that had been paid by Colonial to DarkSide. The FBI has not disclosed exactly how it extracted the ransom from the extortionist gang’s digital wallet. But here is what we do know: All Bitcoin transactions, even ransom paid to hackers, are duly recorded on the blockchain that stores data in blocks that are then chained together. Put simply, the blockchain provides digital footprints that can be traced back to the people or parties on both sides of a cryptocurrency transaction.
Ransomware is a type of malicious software that gets on to your computer system and encrypts all your files. You can’t open your files and soon, a ransom note appears on your screen asking you to pay up if you want your files back or to decrypt your files.
Colonial is not alone. Among the targets of recent ransomware attacks are the world’s largest meatpacker JBS, the Irish national health service and the Martha’s Vineyard-to-Nantucket ferry service in Massachusetts. They have one thing in common with Colonial — they are all key cogs of critical infrastructure and were targeted because they are more likely to pay promptly. The biggest ransom ever paid was by US travel management company CWT Global in July 2020, when it handed over US$4.5 million in Bitcoin to the Ragnar Locker gang. Attackers like DarkSide, Avaddon, Netwalker and REvil are increasingly using sophisticated ransomware techniques to shake down unwary and unprepared businesses, public institutions and government agencies.
Most attacks start by installing Cobalt Strike beacons in the computers of their targets to proactively test their defences against advanced tactics and procedures. The beacons give attackers access to the network. Once they have gained a foothold inside the IT network of the firm, they can easily steal data and deploy their ransomware.
As at mid-June, there had been over 90 reported ransom attacks this year alone. That’s a 60% surge over the past 12 months. Most ransomware attacks go unreported because companies, particularly publicly listed ones, do not want investors to know that they are paying a ransom. While most news reports focus on million dollar ransoms being paid by big companies, small to mid-size businesses are at the largest risk, with ransom demands often hitting six figures. Oh, by the way, the average ransom payment doubled over the past year, according to Coveware, a Connecticut-based cybersecurity consultancy. About 56% of ransomware victims paid a ransom last year, according to global security company Kaspersky. Most of the big firms, or those in sensitive sectors like infrastructure, pay up immediately.
The business of ransomware is more than just a bunch of hackers in a Moscow basement coding software that allows them to hack a website in Texas, London or Tokyo, extracting information and then divvying up the money among themselves. It is a far more complex undertaking. It requires detailed planning, teamwork and precision execution. Ransomware gangs sometimes use dozens of groups, and software and digital security experts who plan a major attack and divide the work. When the attack is successful, they get paid in accordance with the value they provided the ultimate hackers in carrying out the attack.
There are people who scout targets for ransomware attacks. And people who know what sort of companies are vulnerable, like Colonial, which cannot afford to have its pipelines shut off for too long yet have not spent enough on cybersecurity to protect themselves from a coordinated attack. Other affiliates are recruited to publicise previous victims to pressure new victims into paying for the stolen data. It takes weeks, sometimes months, of meticulous planning to launch a successful attack.
The proceeds from ransomware are shared between attack administrators like DarkSide and their partners, or affiliates, who provide access to organisations and deploy the ransomware. Ransomware as a service (RaaS) administrators can take up to 25% of the ransom for attacks that generate less than US$500,000. The take decreases to 10% for ransom greater than US$5 million.
The attackers, administrators or core gang use affiliates to rent the use of ransomware strains like Cobalt Strike from their creators on the dark web. Before a big attack such as the Colonial Pipeline hack, the organisers place ads across the dark web asking for help in an upcoming operation. The creators of ransomware and other services get a cut of the ransom from each successful attack from DarkSide for the tools or services they provide.
It is not just ransomware that a gang rents in the process of carrying out an attack. Successful execution requires coordination and teamwork. DarkSide might need illicit cloud services to store stolen data from Colonial. It can’t just ring Amazon.com’s outgoing CEO and say, “Hey, Jeff Bezos, can you spare space on AWS?” It may need payment software and digital wallets. It can’t just call up Jack Dorsey, the CEO of payments giant Square, and ask for his help. It may need a whole suite of money laundering services as well as a bunch of hackers who actually carry out the attack. These services cost money and require teams that execute to perfection in a timely manner.
Think of the ransomware administrators like DarkSide or Ragnar Locker the way you might think of a contractor who supervises the construction of a building. He has to hire plumbers, electricians, wall painters and indeed oversee an entire supply chain making sure steel, cement, paints as well as all the necessary fixtures and fittings get to the site on time and the whole system operates like clockwork. The contractor often collects the biggest chunk of the money but he can’t do it all himself. He relies on others who have to be paid their fair share so he can keep constructing other buildings and keep making money. The DarkSides of the world are just ransomware administrators or a contractor at the apex of a complex ecosystem of bad actors helping in a great heist. And the teams have huge support infrastructure around the world — Europe, Asia, America and Africa — to whom they outsource key parts of the work. But as often in organised crime, most people in the ecosystem do not know the whole details of who is being attacked when. They just know the role they are supposed to play. It may have begun with an individual rogue hacker or a gang of mates in some basement in Moscow or Shanghai or Tehran but the ransomware industry is now a well-oiled machine.
How was the DarkSide gang caught by the FBI? What does it all mean for future ransomware attacks? Will the hackers now abandon Bitcoin and other cryptocurrencies that leave footprints on the blockchain or will they merely be more careful? In the aftermath of the FBI’s raid on the DarkSide wallet to recover the ransom, new attacks have continued unabated. After all, the use of marked currency notes to pay ransom in kidnappings around the world has not ended such crimes. Where there is money, thieves just keep finding new ways to steal it.
After every reported ransomware attack, law enforcement agencies try to learn about how the hackers operate — how they attack the website, what they steal, how they blackmail companies and force them into paying ransom, how they collect ransom in cryptocurrencies and how the proceeds are distributed across the vast ransomware supply chain. Cryptocurrencies have allowed governments to dig deeper into where the ransom money goes and enabled enforcement agencies to understand who does the real grunt work behind the attacks and how much that work is worth to the ransomware administrators.
While cryptocurrencies like Bitcoin have long been used in money laundering as well as other crimes like ransomware, or by rogue states to fund espionage, terrorism or get paid for their nefarious activities, only in the past year or so has the scale of crypto transactions become so huge that law enforcement agencies around the world have actively begun to use and harvest the blockchain to scour such transactions, track down culprits and indeed disrupt those businesses.
In the aftermath of the Colonial attack, the White House described ransomware as a major national security threat and indeed even compared it to the 9/11 terrorist attacks of 20 years ago. If you speak to cybersecurity experts and consultants, and I have spoken to several of them in recent weeks, they will tell you that while there are very real threats to business and security from state actors — Russia, China, Iran and North Korea, for example — the key threat is cybercriminals, some of whom may be known to their home governments even if all their work is not expressly condoned by the leaders.
The big ransomware groups based in Russia are tolerated as long as they do not threaten the interests of President Vladimir Putin’s administration. If they disrupt infrastructure in North America or Europe, they are just serving the interests of the Russian state. The solution might be to force Russia to own the growing ransomware problem. For their part, governments around the world should discourage the payment of ransoms, and make it compulsory for such payments to be disclosed. So far, insurance companies have been happy to pay out ransom demands as long as premiums from new policies continue to grow. They must discourage clients from promptly paying up ransom and moving on because that only encourages the DarkSides of the world to get ready for the next attack.
A bigger issue is the sprawling data recovery industry, which has become a tool for ransomware attackers. When Western companies are hit by attackers, data recovery firms are often the first port of call. Instead of using their own software and expertise to decrypt files encrypted by attackers, they have become just another conduit for routing ransom payments to bad actors in Moscow, Tehran or Shanghai, and collecting a commission from them. Regulators need to come down hard on their practices if we are to eliminate ransomware attackers.
Assif Shameen is a technology and business writer based in North America
Save by subscribing to us for your print and/or digital copy.