This article originally appeared in the June edition of IT Pro 20/20, available here. To sign up to receive each new issue in your inbox, click here.
Ransomware, a type of malware that threatens to publish a victim's personal data or perpetually block access to it unless a ransom is paid, has long had grave consequences for businesses. As a result of this kind of attack, organisations have suffered the loss of critical business data and, in some cases, major financial losses if revenue-generating operations are shut down.
Recently, however, ransomware has gone further into the public sphere. The recent attack on Colonial Pipeline, for example, not only forced the US’s largest fuel pipeline to suspend operations after hackers made off with 100GB of data, but also caused fuel prices to climb towards their highest level since 2014 and saw states of emergency declared in four states.
This followed the ransomware attack in May that forced Ireland’s Health Service Executive (HSE), which is responsible for healthcare and social services across Ireland, to shut down all of its IT systems. As a result, while essential services such as COVID-19 vaccinations continued, the HSE warned patients that they could face delays and cancellations to appointments.
Social conscience
Following these attacks, which had devastating, perhaps unintended societal consequences, it seems hackers are starting to develop a conscience. The DarkSide hacking group, responsible for the six-day shutdown of Colonial Pipeline, has since disbanded and released decryption tools for all the companies that have had their data held to ransom but which haven’t yet paid. "Our goal is to make money, and not creating (sic) problems for society," the criminal hacking group said in a statement posted on its website.
What is ransomware?
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, tells IT Pro: “By targeting critical national infrastructure, the Darkside ransomware operators raised their head above the parapet and exposed their operations to a far greater level of scrutiny from both media and law enforcement. This level of scrutiny likely wouldn't have happened if they had continued to solely target private sector companies, which has brought continued success across the ransomware landscape.”
DarkSide isn’t the only ransomware group to call it quits in recent months as a result of this increased scrutiny. Maze, one of the world’s most notorious hacking groups, also said it was disbanding in a "retirement" note posted to its darknet site, while Avaddon recently announced it was suspending operations and released decryption keys for almost 3,000 of its victims.
Further, following these high-profile attacks with devastating consequences, cyber crime site forum Exploit.in announced that ransomware-related chatter and activity would be banned.
Is this the end of ransomware as we know it, or will these gangs return from the dead?
Branding exercise
How to reduce the risk of phishing and ransomware
Top security concerns and tips for mitigation
According to Christopher Budd, senior global threat communications manager at Avast, the recent actions of DarkSide, along with REvil – the Russian hacking gang that targeted Brazilian international meat supplier JBS before distancing itself from the attack – show that “a sea-change is underway”.
“Both Darkside and REvil took steps to try and distance themselves from the impact of the attacks attributed to them, which was unprecedented. DarkSide has seen its operations disrupted, its money taken, and is dealing with affiliates who say they are owed money,” Budd says.
“Other ransomware operators have noticed and taken action. For example, the Avaddon group announced certain restrictions on what types of attacks they’ll carry out or allow their affiliates to carry out, banning the targeting of government-affiliated entities, hospitals, or educational institutions. Interestingly, REvil was one of the operators who said they would ban certain attacks prior to the JBS attack. This gives credence to their statement, implying that the results of the JBS attack weren’t what they expected.”
However, while a step in the right direction, few believe this should be taken as a signal that the threat of ransomware is dissipating. Erin Kenneally, director of cyber risk analytics for Guidewire Software, tells IT Pro: “While some may have [been] exited amid the hype, several ransomware gangs are merely re-grouping or ratcheting down their marcomm activity (advertising on forums) and reverting to a private modus operandi.
“The larger campaigns (such as REvil or Avaddon) can leverage an already healthy affiliate network to continue their business. Smaller groups may, in fact, have been forced to shut down as a result of the forum bans because they don’t have the luxury of such a supply chain.”
This is a view shared by Paul Robichaux, senior director of product management at Quest, who believes that while smaller ransomware groups may feel the heat of more scrutiny from law enforcement, larger groups will simply rebrand.
“These gangs aren’t dissolving, they’re rebranding. A comparison can be made to those little furniture stores that do business for a few years then have big ‘Going out of Business’ sales only to reopen two weeks later with a new name, same location, same inventory. This is the same thing.
“A successful parasite doesn’t kill its host too quickly – ransomware gangs that attract too much attention by attacking the wrong targets are going to bring the heat on themselves and get put out of business through law enforcement activity. The smarter ones will pick their targets more carefully, both by industry and by geography.
“The smartest will focus only on territories where there is unlikely to be any meaningful law enforcement or intelligence community response and focus all their activity there.”
What’s next?
With ransomware gangs unlikely to be shutting down their operations for good, what should businesses be on the lookout for next? According to Kevin Curran, senior IEEE member and professor of cyber security at Ulster University, attacks are only going to become more sophisticated.
“Cyber crime has become an industry and attackers are most certainly becoming far more organised,” he tells IT Pro. “Many have cyber crime units typical of any large legitimate business, such as partner networks, associates, resellers, and vendors. In fact, they even have dedicated call centres, which are typically used to help with requests from ransomware victims.
“Of course, they use sophisticated methods to remain hidden, such as encryption, dark web forums, virtual private networks (VPNs) and other obfuscation techniques. They also offer franchises which allow other hackers to replicate their botnets and vectors of compromise and even provide training.”
Similarly, Jérôme Segura, director of threat intelligence at Malwarebytes, believes that the revenue these hacking groups have earned so far means that this money will be used to advance their operations.
“Ransomware is big business and creates its own ecosystem of various threat actors and affiliates,” Seguar comments. “One of the issues with those million dollar payouts is that criminals can easily reinvest the money into developing better tools and teams. That means businesses that are already trailing behind with security patches could be completely caught off guard with things like zero-day exploits.”
With this in mind – and with ransomware unlikely to be disappearing for good anytime soon – businesses need to make sure that they soup-up their security protections. Andrew Rubin, co-founder and CEO at Illumio, tells IT Pro: “Our hope is that these recent wake-up calls will ensure that we do a better job protecting ourselves going forward – because if not, it’s more likely that eventually an attacker is going to hit something much more critical, whether by design or accidentally.
“Criminals don’t stop being criminals due to unintended consequences. There is little to no data in the history of crime to support that outcome, and we should not bet on it as our security strategy this time around.”
