No Room for Medieval Thinking in Ransomware

Image credit: iStockphoto/alessandroguerriero

You come home one evening, and your keycard doesn’t open your door. Punch in the code, nothing. The building manager can't make the door open either. Suddenly your phone pings with a message from an unknown number: “Want to get into your home? Send 0.37 BTC to [email protected]

This is the concept of ransomware, but there's an important difference. In the example above, you could remove your lock or door to gain entry. If ransomware has locked your system, you have no choice but to deal with “Sergei.”

Bigger target

How seriously do chief digital officers take this threat? If it's real, wouldn't a bad actor target, for example, a known metropolis for ransom?

“It’s been more than a month since a nasty ransomware infection hobbled the City of Baltimore, disrupting almost every aspect of the city’s operations, including police communications, court systems, and the local property market,” wrote Tracy Rock, “and it’s not over yet.”

A covert COVID-19 operation? Hardly. Rock's report was published in June 2019. “City employees say the recovery could cost at least USD 18 million,” she wrote. “But they’ve been mum about some of the most significant details, like who might be behind the attack and what data has been lost.”

Deep dark secret

This is one aspect of security not discussed often enough: those who know the details of cyberattacks prefer not to divulge them. There are several reasons for this. While the cyberattack ecosystem has evolved from “script kiddies” who were in it for the lulz, the prospect of media attention remains a perennial attraction. Maybe “I hacked Baltimore” isn't a smart thing to post on one's Facebook account but would earn bragging rights in dodgier forums on the Dark Net.

Another reason for secrecy: the type of data that was “lost” (or perhaps stolen). The attack of May 2019 motivated Baltimore mayor Bernard Young to write on Twitter, “Baltimore City core essential services (police, fire, EMS and 311) are still operational, but it has been determined that the city’s network has been infected with a ransomware virus...out of an abundance of precaution, the city has shut down the majority of its servers.”

This statement meant — among other things — that city employees lost access to email, court records could not be accessed, and Baltimore residents couldn't pay bills, parking tickets, or taxes.

In a ransomware attack, attackers use malware to encrypt computer files and demand the victims pay a ransom to restore them. Without the decryption key, the files typically can’t be accessed again. But even if victims pay the ransom, there’s no guarantee that they’ll receive the decryption key as promised.

In the 2019 Baltimore ransomware attack, hackers demanded 13 Bitcoins, valued at roughly USD 76,280. But the city refused to pay.

So, how did that work out for them?

More attacks

Predictably, more attacks occurred.

Ransomware operators are criminals by nature. If there is honor among thieves anywhere, there may not be in cyberspace. No one knows whether the original group or other cybercriminals perpetrated the later attacks.

Jugular strike

Crippling a U.S. metropolitan area pales in comparison to the most recent ransomware gambit, which went for the jugular.

In an attack described by Wired Magazine as “a new extreme for ransomware,” Colonial Pipeline (which described itself as “the largest refined products pipeline in the United States” on its website) temporarily halted all pipeline operations. On May 9, Reuters reported that “Fuel pipeline operator Colonial Pipeline shut its entire network, the source of nearly half of the U.S. East Coast’s fuel supply, after a cyberattack on Friday that involved ransomware.”

The Reuters report quoted Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab: “This is as close as you can get to the jugular of infrastructure in the United States...it's not a major pipeline. It's the pipeline.”

“The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable U.S. energy infrastructure is to hackers,” said Reuters. “A prolonged shutdown of the line would cause prices to spike at gasoline pumps ahead of peak summer driving season, a potential blow to U.S. consumers and the economy.”

DarkSide emerges

For years, cybersecurity experts have warned of the possibility of ransomware chaos on this level. And file this under “deep dark secret”: Reuters quoted a former U.S. government official and two industry sources as saying that investigators are looking at something called “DarkSide.” Just what might that be?

“DarkSide is a relatively new ransomware strain that made its first appearance in August 2020,” wrote security firm Cybereason in a blog post. “The team is very active on hack forums and keeps its customers updated with news related to the ransomware.”

The Cybereason blog post said that “the DarkSide team has already built itself quite a reputation for making their operations more professional and organized. The group has a phone number and even a help desk to facilitate negotiations with victims.”

The investigation into the Colonial Pipeline intrusion is just beginning. As usual, it's not possible to pinpoint the attackers' location, but Cybereason said: “DarkSide is observed being used against targets in English-speaking countries and appears to avoid targets in countries associated with former Soviet Bloc nations,” which kind of narrows it down a bit.

Hello again, “Sergei.”

Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].