After a ransomware attack late last week, Colonial Pipeline and the United States government have been scrambling to restore service to a pipeline that delivers nearly half of the East Coast's fuel. The culprit, according to the FBI, is the notorious and brazen ransomware gang known as DarkSide. And the repercussions of their attack may ripple far beyond what they intended.
Colonial Pipeline says it hopes to restore full service by the end of the week; in the meantime, the Department of Transportation released an emergency order on Sunday to allow expanded oil distribution by truck. But the real impact of the attack may be felt in the world of ransomware. While a number of hackers have long engaged in anarchic targeting, including a horrifying rash of attacks on hospitals last fall, close observers say the pipeline incident may finally represent a turning point.
DarkSide emerged last August and announced itself with a veneer of professionalism and efficiency. At the time, it pledged not to target health care providers, schools, or businesses that couldn't afford to pay. A few months later, the group made a series of charitable donations, part of a long-running attempt to manage its reputation. But as a ransomware-as-a-service operation, DarkSide largely works on an affiliate model, loaning out its ransomware and infrastructure to criminal customers and taking a cut of whatever clients earn in their attacks. On Monday, as pressure mounted from US law enforcement and the White House itself, DarkSide seemed to blame the Colonial Pipeline hack on its affiliates and pledged to more thoroughly vet the criminals it contracts with.
“We are apolitical, we do not participate in geopolitics," DarkSide posted on Monday. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The statement is reminiscent of any industry promising to self-police as an alternative to government regulation. But even if you could take DarkSide at its word, the implication is that it's somehow acceptable to target certain organizations with ransomware if they're carefully selected.
“The idea that ransomware operators should decide who is worthy of being compromised is extremely problematic, to say the least,” says Katie Nickels, director of intelligence at the security firm Red Canary. “It's absurd.”
DarkSide's dubious pledge to self-regulate likely stems from concerns that hacking a critical infrastructure company and ultimately causing a mass service outage crossed a red line—whether DarkSide or one of its clients actually perpetrated the attack.
“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they'll be able to continue making money for longer.”
Callow and other researchers emphasize, though, that it's difficult to produce meaningful deterrence when it comes to ransomware and cyberattacks in general. Even after repeated wake-up calls and ransomware-related disasters, governments have not shown enough urgency in trying to solve the problem.
“One of the biggest challenges in cyber deterrence is attribution, and you can see that in this situation," Red Canary's Nickels says. “There are the ransomware developers, their affiliates and clients, and host countries that are ignoring their behavior. Who’s at fault? Who do you have to deter?”
DarkSide was illustrative of that enforcement problem even before the Colonial Pipeline attack. It almost exclusively targets English-speaking organizations and is widely thought to be a criminal group based in Russia or Eastern Europe. The DarkSide malware is even built to conduct language checks on targets and to shut down if it detects Russian, Ukrainian, Belarusian, Armenian, Georgian, Kazakh, Turkmen, Romanian, and other languages associated with Russia's geopolitical interests. The Kremlin has historically let cybercriminals operate unfettered within its borders as long as they don't go after their countrymen.
DarkSide's rent-a-ransomware business model makes it difficult to determine who, specifically, is behind any given DarkSide attack, convenient insulation for all involved. And the very existence of ransomware-for-hire services shows just how popular—and profitable—these attacks have become. Members of DarkSide focused on point-of-sale credit card data theft and ATM cashout attacks for years, says Adam Meyers, vice president of intelligence at the security firm CrowdStrike, which tracks DarkSide's activity under the name Carbon Spider. “They’ve transitioned to the ransomware game because there’s so much money in it,” Meyers says.
The Biden administration has signaled in recent weeks that it plans to focus real attention on addressing the threat of ransomware. The White House has been hiring for key cybersecurity policy and response roles and participated in a public-private ransomware task force aimed at generating comprehensive recommendations to curb the problem. The Colonial Pipeline incident now gives the White House a renewed motivation to turn policy proposals into action.
“We’re taking a multipronged and whole-of-government response to this incident and to ransomware overall,” deputy national security adviser Anne Neuberger said in a White House briefing on Monday. “We’re aggressively investigating the incident and its culprits."
Neuberger said that the administration believes DarkSide is a criminal actor only but that the intelligence community is looking into the possibility of government ties. On Monday, President Biden called on the Russian government to stop harboring cybercriminals.
“I’m going to be meeting with President Putin,” Biden said. “So far there is no evidence … from our intelligence people that Russia is involved, although there is evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”
One question that dogs ransomware response is whether governments should make it illegal for victims to pay ransoms. In theory, no more ransom payments would mean no more incentives for criminals to continue. But members of the public-private ransomware task force say that the group was unable to reach a consensus about firm recommendations to that end; the trade-offs aren't easily navigable.
Steps that could work in the near term? Requiring that victims disclose ransomware incidents, and creating a cyber incident review board in the US, says Rob Knake, a senior fellow at the Council on Foreign Relations and a former director for cybersecurity policy at the National Security Council. Currently most victims keep ransomware attacks quiet when possible; a full accounting of these rolling crises could spur a response. “Notification is essential, because cyber incidents are not like plane crashes—the investigating agency may never find out that they have happened,” Knake says. “So for the cyber incident review board to be successful it will need to be notified of incidents and then have the authority to investigate. Voluntary will not work.”
In the meantime, cybersecurity professionals say that they hope the Colonial Pipeline incident really will finally spark action in the fight against ransomware. Given how many other dire attacks have failed to act as this catalyst, though, they are wary of being too hopeful.
“We’re at a point where only systemic improvement will have any meaningful impact,” Crowdstrike's Meyers says. “And organizations don’t necessarily have the bandwidth, funding, and personnel to do that. But this should be a wake-up call to any organization: You need to do better or you’re going to suffer the same fate.”