When Hackers Go Pro


America’s largest oil pipeline was forced to shut down and sensitive data from the police force of Washington, D.C., was compromised, all in the space of a few days, at the hands of a faceless and eerily businesslike enemy: ransomware hackers.

Ransomware hackers have become steadily more brazen and sophisticated in their tactics and targets. In January, and again in March, a breach of Microsoft’s data systems caused disruptions to countless businesses.

In 2020, such attacks cost U.S. institutions around $20 billion in lost revenue, price hikes, security efforts and, in many cases, ransom costs. Such estimates are not easy to calculate for a number of reasons: ransom payments are usually kept quiet, and the cost of downtime, the effect of security spending on consumer prices, and other factors are difficult to quantify.

Babuk, the cyber-gang responsible for the D.C. police hack, seized data including the identities of informants and threatened to make the information public should their demand for $4 million not be met on time. Negotiators for the department offered $100,000 and when their offer was rejected, Babuk began to follow through on their threat.

The effects of the Colonial Pipeline attack have been far broader, as the system is the major conduit of domestic oil to the northeast of the United States. The company shut down its pipeline for days as it tried to protect itself from further data compromises, causing major price hikes and gasoline shortages in many states.

Late last week, reports began to circulate that Colonial had indeed paid a $5 million ransom to get its operations back up and running.

Noting the level of disruption caused by the Colonial shutdown, DarkSide, the cybercrime group linked to the hack, in keeping with the professional image it seeks to project, assured the public that its goals were strictly financial.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” said a statement on the group’s blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

While cybercrime has been a concern for decades, the quickly increasing stakes have led many to take a better look at the expanding world of ransomware and what can be done to fight it.

A Digital Hostage

Ransomware is a term for a type of malware (malicious software) that cybercriminals use to break into computer systems to take over and lock up their networks, holding them hostage until a ransom is paid. Increasingly, ransomware gangs doubly extort their victims by seizing confidential data and threatening to make it public if demands are not met.

Perpetrators inform their targets of the attack by leaving a digital note on the breached files with a link to a site on the dark web (websites hidden from standard search engines) and an access code allowing them to begin dialogue and negotiations with the digital outlaws.

Well-built ransomware operations then have a portal through which they can immediately decrypt a small amount of the stolen data for the victim as proof that it is indeed the group responsible for the hack and that it has the tools to undo the damage.

“We prefer to negotiate with professionals,” said Sherri Davidoff, CEO of LMG Security, a cybersecurity firm that also negotiates with hackers on behalf of clients. “An amateur might have low-cost decryption tools with bugs, but a large criminal organization has a reputation to uphold.”

In one instance, after an LMG client paid an unpolished hacker a mutually agreed-upon price, Mrs. Davidoff said, her own IT staff had to pitch in to help the perpetrator unlock the encrypted files.

Not all victims are so fortunate. According to the Kaspersky cybersecurity company, 71% of companies struck by hackers were not able to have all of their data restored, irrespective of whether ransoms had been paid.

Colonial Pipeline storage tanks in Woodbridge, N.J. (AP Photo/Seth Wenig)

The DarkSide

Working under the cover of digital darkness, it is hard to put a face to ransomware criminals or the groups they operate under.

“They are amorphous entities and members interact anonymously. In a lot of cases, they don’t know who the people they are working with are,” said Brett Callow, a threat analyst for the cybersecurity company Emsisoft.

DarkSide, of Colonial Pipeline infamy, like many other cyber gangs, works on an affiliate basis, with its core group developing malware and providing multipronged support, licensing its products to other individuals or groups to carry out attacks. When successful, both parties split the profits.

“Most of the [ransomware] creators are in Russia and other parts of Eastern Europe, but the people who carry out the attacks could be anywhere. They could be much closer to home than you think,” said Mr. Callow.

The size and quality of operations are sometimes an indicator of whether the perpetrators are an individual, a small group, or an organization of dozens or hundreds of cyber-thugs working in tandem. Some hacking groups are believed to be directly linked to state sponsors.

One of the most peculiar elements of DarkSide is the extent to which it operates like a legitimate business.

When DarkSide launched last year, it posted a “why choose us” section on its website, listing advantages for potential affiliates, like a pledge to stand behind promises to unlock networks and delete seized data if ransoms are paid and to follow through on threats to companies that do not meet demands.

It explains its victim policies, saying that it will only attack “companies that can pay the requested amount, we do not want to kill your business.” DarkSide adds that it carefully analyzes companies’ financial standing before a hack and that all questions that victims have can be answered by its support team. It also lists a stated policy not to attack medical facilities, educational organizations, funeral services, nonprofits, or government agencies. The group issues press releases and maintains a portal for media inquiries.

Last year, DarkSide made two $10,000 charitable donations. One of them was rejected by the recipient, Children’s International.

“There is a long list of cybercriminal groups with very polished models. They have tools and infrastructure and turned hacking into a successful business model,” said Mrs. Davidoff. “We once dealt with someone who manned the chat portal for a group. After we were done, he wanted feedback from us on his performance.”

It is unclear to what extent DarkSide has stuck to its principles. Several other ransomware groups have attacked hospitals, slowing down treatment for patients and triggering potentially dangerous situations. The D.C. police hackers’ decision to publicize informants poses a clear danger for those individuals and is a move that could make it more difficult for law enforcement to guarantee protection in the future.

A Successful Business Model

While the number of ransomware attacks has remained relatively steady in recent years, 2020 saw a massive spike in gangs targeting larger and higher profile companies and demanding larger ransoms.

“Any company that can pay and that has some security vulnerability is a potential target,” said Mr. Callow. “Demands have increased significantly. In 2018, $200,000 was the average; now multimillions are the norm. It’s a vicious cycle because the more money they make the more motivated the criminals are and since they invest ransom money into infrastructure, they are better equipped for the next attack.”

Alejandro Mayorkas, Secretary for Homeland Security, said that in 2020, $350 million had been paid in ransoms, a 300% increase from the year before.

“Cybercrime has undergone an industrial revolution,” said Mrs. Davidoff, who identified four factors contributing to the spike, the first of which is the development of high-quality hacking software built on nearly two decades of experience and ransom payments.

Secondly, she identified the emergence of an open Amazon-like market on the dark web for hacking tools including infiltration software and forums to publish stolen data, allowing criminals of varying means and skill levels access to effective cybercrime weapons.

The rise of crypto-currencies such as bitcoin, which allow victims to make anonymous and non-reversible payments without having to rely on a third party, Mrs. Davidoff said, was a third key factor.

Lastly, she attributed the increase to the rise of the affiliate model, allowing ransomware operations to branch out and criminals to develop niches.

“As in e-commerce in general, we are seeing a lot more specialization,” said Mrs. Davidoff. “Some work on initial access, [then] break in and sell access to criminal gangs; some specialize in infrastructure or plug-in software. Amateurs can purchase low-cost hacking tools for $150 and launch an attack.”

Gas pumps out of service in Annapolis, Maryland, on May 12. (Photo by Jim Watson/AFP via Getty Images)

Russian Hackers

The term “Russian hackers” has become commonplace. However, China has been blamed for several large-scale hacks including the recent one against Microsoft’s servers. North Korea is believed to engage in state-controlled ransomware operations as a means of generating access to foreign currencies denied to it by sanctions. A good deal of hacking development and activity has also been traced to several former Soviet Republics and other states in Eastern Europe.

Still, U.S. intelligence continues to believe that the lion’s share of ransomware development and direction comes from within Russia. Some activities have been linked to Russia’s Chief Intelligence Office, the GRU (Glavnoye Razvedyvatelnoye Upravlenie), suspected to be behind the SolarWinds hack, which compromised data from U.S. government agencies.

“The Russian state has long been interested in information warfare generally,” said Peter Rutland, a Russia expert who teaches at Wesleyan University. “Russia, back to the Cold War, worried about Western media dominance and the creation of the internet, [and] created a new headache for them which is part of the besieged fortress thinking which is very deep in Russian history. Cyberwarfare is part of that bigger picture.”

U.S. officials said that they believe DarkSide is a “criminal actor,” but that investigations into the role that state actors might have played in the Colonial hack are ongoing.

While the GRU does employ its own team of hackers, many cybercriminals that operate independently in Russia are believed to be doing so with the consent of the government, which is suspected of contracting with such groups to carry out operations at times.

“It’s reasonable to assume the worst and collusion is more likely [to be happening] than not,” said Professor Rutland. “Even if this is being done by criminal gangs, once the state tracks them down, it’s likely that they make a deal with them to use their skills to penetrate networks for the government rather than go to jail.”

Very few ransomware operations target Russian organizations, leading experts to conjecture that there is an unspoken agreement between cyber gangs and the Kremlin that they will not suffer legal consequences so long as their nefarious activities focus strictly on foreign targets. One of DarkSide’s features is that its malware will not encrypt if Russian or any of about a dozen other languages used in the former Soviet Union are detected.

What to Do

The rising financial costs and level of disruption caused by cybercrime have moved many to question what the role of the U.S. government should be in combatting the threat. The Colonial Pipeline shutdown highlighted the degree to which the nation’s energy infrastructure remains vulnerable to such attacks and the complex interplay that could exist given that most of it is in the hands of private companies.

Vehicles line up for gasoline at a Costco in Greensboro, N.C., May 11. (Woody Marshall/News & Record via AP)

At a White House press conference following the Colonial hack, Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger announced that the government was working directly with the company to help restore its systems. She added that intelligence organizations were investigating the culprits. More substantively, Mrs. Neuberger announced several steps the administration was taking to gather information from stakeholders and develop better practices for protecting energy infrastructure from future ransomware attacks.

“This has been a longstanding challenge figuring out how to coordinate a response [to cyberattacks] working together with the private sector and with other countries and it has improved,” said Quentin Hodgson, a senior international and defense researcher at the RAND Corporation focusing on cybersecurity.

Law enforcement has had some limited success in identifying and apprehending ransomware perpetrators. In February, French and Ukrainian police arrested operators of the Egregor network.

A month prior, U.S. intelligence partnered effectively with a large team of European counterparts to take down the Emotet network, which had served as the most heavily used “door opener” for hackers since 2014. The same week, the FBI arrested a Canadian national who is suspected of being behind a series of ransomware attacks against the healthcare industry.

Still, with the sheer volume of bad actors in the malware industry, scattered arrests are unlikely to serve as a solution. Several organizations have developed plans for the federal government to adopt to better combat cybercrime, including a tightening of the patchwork of regulations that now govern private industry.

Mr. Hodgson said that multiple strategies need to be employed to confront the threat effectively.

“We could look at how people benefit from these attacks, move to prevent payments, and trace payments on the exchanges since, at some point, cryptocurrency has to be turned into real money or used to buy goods,” he said, citing one possible strategy.

Mr. Hodgson said that government can help the problem by revisiting regulations, creating incentives for companies to improve their cybersecurity, and using its forensics to trace threats, but felt that the plethora and sophistication of cybersecurity firms could put more of the onus on private industry to use their services and follow best practices in securing their own networks.

“There might be less need for government to be the one to clean up the mess than there would have been 10 years ago,” he said.

While not dismissive of concerns that cybercriminals would pose an ever more destructive threat to American infrastructure, Mr. Hodgson felt such actors’ goals remained focused on profit, not chaos.

“I’m cautious about saying that the electric grid could get attacked and fall apart, but that doesn’t mean that you shouldn’t take steps to be prepared for that potential.”

One potential strategy in fighting ransomware attacks is a ban on paying ransoms. Still, such a move would be difficult to enforce and would come at a high price to victim companies. Presently, the FBI recommends against paying ransoms, but there is no law to back up the policy.

“[A ransom ban] would be extremely damaging for businesses that get hit,” said Mrs. Davidoff. “This is a difficult and sensitive time and I think a softer approach that would incentivize companies to go after the root cause and work on their security is what really needs to happen.”

Studies differ on the exact figure, but estimates are that between 30% and 50% of affected companies end up paying ransoms.

“I favor a prohibition on ransoms,” said Mr. Callow. “These attacks happen because they are profitable. If they stop being profitable, they will stop. There will be some short-term pain, but the alternative is a long-term constant bombardment of ever more dangerous attacks.”