Is this the end of the road for ransomware?

Hackers seem to have developed a conscience, but it’s unlikely they are gone for good

This article originally appeared in the June edition of IT Pro 20/20.

Ransomware, a type of malware that threatens to publish a victim's personal data or perpetually block access to it unless a ransom is paid, has long had grave consequences for businesses. As a result of this kind of attack, organisations have suffered the loss of critical business data and, in some cases, major financial losses if revenue-generating operations are shut down. 

Recently, however, ransomware has gone further into the public sphere. The recent attack on Colonial Pipeline, for example, not only forced the US’s largest fuel pipeline to suspend operations after hackers made off with 100GB of data, but also caused fuel prices to climb towards their highest level since 2014 and saw states of emergency declared in four states.

This followed the ransomware attack in May that forced Ireland’s Health Service Executive (HSE), which is responsible for healthcare and social services across Ireland, to shut down all of its IT systems. As a result, while essential services such as COVID-19 vaccinations continued, the HSE warned patients that they could face delays and cancellations to appointments.

Social conscience 

Following these attacks, which had devastating, perhaps unintended societal consequences, it seems hackers are starting to develop a conscience. The DarkSide hacking group, responsible for the six-day shutdown of Colonial Pipeline, has since disbanded and released decryption tools for all the companies that have had their data held to ransom but which haven’t yet paid. "Our goal is to make money, and not creating (sic) problems for society," the criminal hacking group said in a statement posted on its website.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, tells IT Pro: “By targeting critical national infrastructure, the DarkSide ransomware operators raised their head above the parapet and exposed their operations to a far greater level of scrutiny from both media and law enforcement. This level of scrutiny likely wouldn't have happened if they had continued to solely target private sector companies, which has brought continued success across the ransomware landscape.”

DarkSide isn’t the only ransomware group to call it quits in recent months as a result of this increased scrutiny. Maze, one of the world’s most notorious hacking groups, also said it was disbanding in a "retirement" note posted to its darknet site, while Avaddon recently announced it was suspending operations and released decryption keys for almost 3,000 of its victims. 

Further, following these high-profile attacks with devastating consequences, cyber crime forum Exploit.in announced that ransomware-related chatter and activity would be banned.

Is this the end of ransomware as we know it, or will these gangs return from the dead?

Branding exercise

According to Christopher Budd, senior global threat communications manager at Avast, the recent actions of DarkSide, along with REvil – the Russian hacking gang that targeted Brazilian international meat supplier JBS before distancing itself from the attack – show that “a sea-change is underway”. 

“Both DarkSide and REvil took steps to try and distance themselves from the impact of the attacks attributed to them, which was unprecedented. DarkSide has seen its operations disrupted, its money taken, and is dealing with affiliates who say they are owed money,” Budd says.

“Other ransomware operators have noticed and taken action. For example, the Avaddon group announced certain restrictions on what types of attacks they’ll carry out or allow their affiliates to carry out, banning the targeting of government-affiliated entities, hospitals, or educational institutions. Interestingly, REvil was one of the operators who said they would ban certain attacks prior to the JBS attack. This gives credence to their statement, implying that the results of the JBS attack weren’t what they expected.”

However, while a step in the right direction, few believe this should be taken as a signal that the threat of ransomware is dissipating. Erin Kenneally, director of cyber risk analytics for Guidewire Software, tells IT Pro: “While some may have [been] exited amid the hype, several ransomware gangs are merely re-grouping or ratcheting down their marcomm activity (advertising on forums) and reverting to a private modus operandi.  

“The larger campaigns (such as REvil or Avaddon) can leverage an already healthy affiliate network to continue their business. Smaller groups may, in fact, have been forced to shut down as a result of the forum bans because they don’t have the luxury of such a supply chain.”

This is a view shared by Paul Robichaux, senior director of product management at Quest, who believes that while smaller ransomware groups may feel the heat of more scrutiny from law enforcement, larger groups will simply rebrand. 

“These gangs aren’t dissolving, they’re rebranding. A comparison can be made to those little furniture stores that do business for a few years then have big ‘Going out of Business’ sales only to reopen two weeks later with a new name, same location, same inventory. This is the same thing.

“A successful parasite doesn’t kill its host too quickly – ransomware gangs that attract too much attention by attacking the wrong targets are going to bring the heat on themselves and get put out of business through law enforcement activity. The smarter ones will pick their targets more carefully, both by industry and by geography. 

“The smartest will focus only on territories where there is unlikely to be any meaningful law enforcement or intelligence community response and focus all their activity there.”

What’s next?

With ransomware gangs unlikely to be shutting down their operations for good, what should businesses be on the lookout for next? According to Kevin Curran, senior IEEE member and professor of cyber security at Ulster University, attacks are only going to become more sophisticated. 

“Cyber crime has become an industry and attackers are most certainly becoming far more organised,” he tells IT Pro. “Many have cyber crime units typical of any large legitimate business, such as partner networks, associates, resellers, and vendors. In fact, they even have dedicated call centres, which are typically used to help with requests from ransomware victims. 

“Of course, they use sophisticated methods to remain hidden, such as encryption, dark web forums, virtual private networks (VPNs) and other obfuscation techniques. They also offer franchises which allow other hackers to replicate their botnets and vectors of compromise and even provide training.”

Similarly, Jérôme Segura, director of threat intelligence at Malwarebytes, believes that the revenue these hacking groups have earned so far means that this money will be used to advance their operations. 

“Ransomware is big business and creates its own ecosystem of various threat actors and affiliates,” Segura comments. “One of the issues with those million dollar payouts is that criminals can easily reinvest the money into developing better tools and teams. That means businesses that are already trailing behind with security patches could be completely caught off guard with things like zero-day exploits.”

With this in mind – and with ransomware unlikely to be disappearing for good anytime soon – businesses need to make sure that they soup up their security protections. Andrew Rubin, co-founder and CEO at Illumio, tells IT Pro: “Our hope is that these recent wake-up calls will ensure that we do a better job protecting ourselves going forward – because if not, it’s more likely that eventually an attacker is going to hit something much more critical, whether by design or accidentally.

“Criminals don’t stop being criminals due to unintended consequences. There is little to no data in the history of crime to support that outcome, and we should not bet on it as our security strategy this time around.”
