Colonial Pipeline hack shows ransomware is growing as professional industry, experts say
Hacker collectives like DarkSide operate like 'legitimate businesses,' according to cybersecurity expert
Hollywood films may present hacker collectives as groups of programmers furiously typing away at keyboards in dark rooms, but cybersecurity experts say real-life groups are far more professional — more closely resembling startups than 80s hacker flicks.
"I don't know if I would go as far as comparing it to Silicon Valley, but definitely these operations can be compared to legitimate businesses," said Kimberly Goody, a senior manager at Mandiant Threat Intelligence.
Earlier this week, the FBI announced that a group known as DarkSide was behind the software responsible for crippling the business network of the Colonial Pipeline Company, leading the company to shut down its pipeline operations out of an abundance of caution. The company's pipeline, spanning more than 8,850 km, carries gasoline and other fuels, supplying approximately 45 per cent of the fuel consumed in the U.S. east coast.
On Wednesday, the company announced that it had begun to restart its main pipeline. Bloomberg reported on Thursday that the company paid approximately $5 million US to restore its business network despite earlier reports that it would not pay.
The Wall Street Journal, citing security researchers, reports a website operated by DarkSide has been down since Thursday and that the group has signalled it will shut down. Some experts caution that the move could be a ploy to restart under another name, however.
Groups like DarkSide that work under the ransomware-as-a-service umbrella often aren't the ones responsible for executing a hack. That work is left to affiliates, who carry out cyberattacks, while groups like DarkSide are responsible for coding the software used in the hacks themselves.
The hacker collectives responsible for coding the ransomware also share a cut of the profits. It's a buyer's market, and Goody says that affiliates can shop around on underground forums for groups that offer the best deals.
In the case of DarkSide, the service operator takes 25 per cent of the ransom from companies with an annual revenue of less than $500,000, according to Goody who referenced information posted on underground forums.
"But if that victim organization's annual revenues are more than $5 million, they only take 10 per cent," she added. "So [they are] offering essentially more favourable terms for higher revenue victims that could potentially make some actors decide to use this particular ransomware over another one that might take 20 per cent, for example."
Groups like DarkSide don't just compete with one another by offering a different share of the criminal profits. They also compete on the level of service, which extends to customer support — both for ransomware affiliates and even victims.
"From the victim perspective, they want to make sure that victims are able to … actually decrypt their files," Goody said. "Because if the victim organization comes out in public and says, 'This decryptor didn't work, they didn't help us,' then that doesn't incentivize the next victim to actually have a reason to pay."
'We are essentially playing catch up,' expert says
Access to these groups requires more than just knowledge of how to navigate the so-called dark web. It also requires adhering to strict rules — especially regarding who can be held for ransom.
Kim Zetter, an investigative journalist who has covered cyber and national security for over two decades and author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, told Day 6 host Brent Bambury that DarkSide specifically advertises that they "don't want affiliates who are English-language speakers."
At the same time, Zetter added that DarkSide's code won't work on systems that are using eastern European languages, like Russian or Ukrainian, saying that evidence suggests the group operates in Eastern Europe, and likely Russia.
U.S. President Joe Biden this week said there's no evidence that the Russian government was involved in the Colonial Pipeline hack, but did say that Russia needs to take responsibility for an attack that appears to have originated on Russian soil.
The reason DarkSide's code bars Eastern European languages has to do with an unwritten "tacit agreement" between criminal hackers in Russia and the Russian government, according to Zetter.
"They can perform their services elsewhere and they're fine with that, but they just can't turn it on their own citizens or government," she said.
Since these groups often operate in countries that don't have extradition agreements with the U.S. — like Russia — Goody said collectives like DarkSide are able to continue conducting attacks in a more sophisticated way, while also gaining more resources.
"While we are essentially playing catch up, they are significantly further ahead of us," she said.
Goody noted that dealing with the collectives themselves will require conversations with foreign governments like Russia, and "holding them accountable for what criminals operating on their soil are doing."
For her part, Zetter said companies like Colonial Pipeline can respond to cyberattack threats by having advanced plans, and strategies for how to deal with these incidents when they take place.
"[Experts] that I spoke with said [Colonial Pipeline] should have had a strategy in place where they could have continued operations in a safe and secure manner, even though their business network had been taken down by the ransomware," she said.
Written and produced by Sameer Chhabra with files from The Associated Press.