The general American public got an unwelcome glimpse into the wild west of ransomware this week, after a cyber attack crippled Colonial Pipeline, causing fuel shortages on the East Coast and the declaration of states of emergency in four states.
But experts warn that ransomware attacks – which are part ransom, part blackmail, part invocation of squatters’ rights – are on the rise, while the hackers behind them, mostly based in Russia, are becoming more sophisticated in their methods.
They have hit solar energy companies, federal and local government agencies, water treatment plants, and even police departments across the United States. While the nation’s eyes were focused on the pipeline attack this week, another group of hackers was busy targeting the Washington DC police, hitting law enforcement in the US capital.
But it was the pipeline attack that had the biggest impact, emerging from the dark web and sending tens of thousands of Americans into a panic to buy gas for their cars. The 5,500-mile-long pipeline, which carries 45% of the East Coast’s fuel supplies, said on Saturday it was forced to shut down after attackers used the internet to gain control of its fuel-pumping operations.
Colonial Pipeline said on Wednesday it had “kicked off” the restart of operations, apparently after paying a ransom of $5 million. But that did not prevent hours-long lines from forming at gas stations in the Southeastern United States, as fuel began to dry up and gas prices hit their highest level in years.
A group of cybercriminals called Darkside has claimed responsibility for the ransomware attack. Ransomware works by breaking into a corporate or government network and scrambling its data; the hacker then posts a note in the system demanding payment, and if the organization pays, the hacker returns control.
“The analogy would be that I break into your house, and once I gain access to your house, I change all the locks and lock you in your own house,” said Eric Cole, author of the book Cyber Crisis and founder of cybersecurity company Secure Anchor.
“And then I say, ‘Hey, unless you give me some money, I’m not going to give you the keys to your house.’”
The Colonial Pipeline debacle is just the latest in a series of ransomware attacks, which include targeting a water treatment plant in Florida and Texas-based IT company SolarWinds.
US police forces have also been at the center of concerns. The Babuk Group, another Russian cyber gang, is currently holding the Washington DC Police Department to ransom, threatening to disclose stolen data unless law enforcement hands over an unspecified sum of money.
The Presque Isle Police Department was attacked in April, Azusa Police were hit in March, while the city of Baltimore suffered a costly attack in 2019.
As the number of attacks increases, Darkside has emerged as one of the biggest groups, and Cole said it has successfully “commercialized cybercrime.”
“They’ve been running for over three years, they started around 2018, and they usually focus on the smallest ransoms,” he said. “The average Darkside attack would demand between $80,000 and $100,000 in ransom, and they typically carried out eight to ten of these attacks per month, earning them about $12 million per year.
“But we’ve noticed that in the last couple of months, they’ve started targeting and preying on large organizations. Colonial really shows their change of business model – where now, instead of going after 12 small entities, they are going after one big one.”
The Washington Post reported that 26 government agencies have been affected by ransomware since the start of the year. The number of private companies targeted is difficult to calculate, since no company wants to reveal to the world, and to other potential attackers, that it will pay in the event of a compromise; the number of reported attacks is likely just the “tip of the iceberg,” one expert said.
In most cases, organizations have little choice but to pay the ransom. After the attack on the city of Baltimore in May 2019, the city decided not to pay the 13-bitcoin ransom, which at the time stood at around $91,000. It was a noble stance, but not a financially successful one – Baltimore ended up spending over $18 million on recovery.
The FBI and other security experts claim Darkside is made up of a group of Russia-based criminals, but little is known beyond that.
Joe Biden said there was “no evidence” that the Russian government was behind the attack, despite the group behind the ransomware that targeted Colonial Pipeline being based in Russia. Darkside itself reinforced the idea that it is driven by profit rather than geopolitics when the group published a statement this week describing itself as “apolitical” and saying, “Our goal is to make money.”
With the attack on Colonial Pipeline, Darkside profited from the pandemic, Cole said.
Prior to the coronavirus outbreak, the pipeline was run on a closed system by workers on site. The need for social distancing to prevent the spread of the disease led Colonial Pipeline staff to work remotely over the internet – which ultimately allowed attackers to gain access to its computer systems. Colonial Pipeline did not respond to a request for comment.
Mark Stamford, CEO of cybersecurity firm OccamSec, said “the criminal business model around ransomware has changed” and groups like Darkside are getting more sophisticated.
“The way the ransomware worked, you would get a message that pops up on the screen, saying, ‘All of your data has been encrypted, send me, say, 20 Bitcoins, and I’ll send you the encryption key,’” Stamford said.
“Now we’ve gone from ransom attacks to some sort of extortion. What happens now is that I will introduce the ransomware into your environment and encrypt your data, but what I will also do is exfiltrate the data out of your network.
“So now it’s encrypted in your network, so you have to pay me a ransom, but I also have a copy of your data which I can then use to extort money from you.”
But groups like Darkside don’t just profit from their own attacks. Often, they also sell ransomware to would-be cyber attackers on the dark web, which means that the number of attacks is likely to increase.
“You’ve got this bad guy market,” Stamford said.
“Where I can go and buy ransomware – and what’s even more impressive is that there is tech support around this ransomware, so I can call someone and say, ‘I used your ransomware, it didn’t work, can you give me any advice on how to make it work?’”
As Colonial Pipeline strives to regain control of its systems and Darkside’s name resonates across the United States, Stamford said one theory among cybersecurity observers is that the attack could even be a promotional effort by the cybercriminal group.
“It’s a good part of the marketing for them,” Stamford said.
“If you’re selling ransomware, that’s a really good way to go out into the world and say, ‘Look, our stuff is cool and it works.’”