After a ransomware attack late last week, Colonial Pipeline and the United States government are working to restore service to a pipeline that supplies nearly half of the East Coast’s fuel. The culprit, according to the FBI, is the notorious and brazen ransomware gang known as DarkSide. And the repercussions of the attack could reach far beyond what its perpetrators intended.
Colonial Pipeline says it hopes to restore full service by the end of the week; in the meantime, the Department of Transportation issued an emergency order on Sunday to allow expanded distribution of fuel by truck. But the real impact of the attack may be felt in the world of ransomware. While plenty of hackers have long engaged in reckless targeting, including a horrific rash of attacks on hospitals last fall, close observers say the pipeline incident could finally represent a turning point.
DarkSide appeared last August and announced itself with a veneer of professionalism and efficiency. At the time, it vowed not to target health care providers, schools, or businesses that could not afford to pay. A few months later, the group made a series of charitable donations, part of a longstanding effort to manage its reputation. But as a ransomware-as-a-service operation, DarkSide largely works on an affiliate model, lending its ransomware and infrastructure to criminal clients and taking a share of what those clients earn from their attacks. On Monday, as pressure mounted from US law enforcement and the White House itself, DarkSide appeared to blame the Colonial Pipeline hack on its affiliates and vowed to vet the criminals it contracts with more thoroughly.
“We are apolitical, we do not participate in geopolitics,” DarkSide posted on Monday. “Our goal is to make money, not to create problems for society. From today, we introduce moderation and check every business that our partners want to encrypt to avoid social consequences in the future.”
The statement is reminiscent of any industry promising to regulate itself as an alternative to government regulation. But even if you could take DarkSide at its word, the implication is that it is somehow acceptable to target certain organizations with ransomware as long as they have been carefully screened.
“The idea that ransomware operators should decide who deserves to be compromised is extremely problematic to say the least,” said Katie Nickels, chief intelligence officer of security firm Red Canary. “It’s absurd.”
DarkSide’s questionable commitment to self-regulation likely stems from fears that the hack of a critical infrastructure company, and ultimately a mass service outage, has crossed a red line – whether DarkSide itself or one of its clients actually carried out the attack.
“I am not surprised that this has happened. It was actually only a matter of time before a major critical infrastructure ransomware incident occurred,” said Brett Callow, threat analyst at anti-virus company Emsisoft. “DarkSide seems to have realized that this level of attention is not a good thing and could lead governments to act. They can continue to participate in smaller attacks in the hope that they can keep making money for longer.”
Callow and other researchers point out, however, that it is difficult to produce a meaningful deterrent when it comes to ransomware and cyberattacks in general. Even after repeated wake-up calls and ransomware-related disasters, governments have not shown enough urgency in trying to fix the problem.
“One of the biggest challenges in cyber deterrence is attribution, and you can see it in that situation,” says Nickels of Red Canary. “There are the ransomware developers, their affiliates and customers, as well as the host countries that ignore their behavior. Who is at fault? Who do you need to dissuade?”