The Evolution Of Ransomware Creates More Severe Risks For All Organizations

Five months before the ransomware gang DarkSide shutdown the Colonial Pipeline, two cybersecurity researchers discovered that DarkSide was using the same digital keys to lock and unlock multiple victims. The researchers, who work with a volunteer group called the Ransomware Hunting Team that has cracked more than 300 major ransomware strains and variants, were quietly looking for victims to help.

However, one month later, on Jan. 11, 2021, the antivirus company Bitdefender made a public announcement that it had discovered a flaw in the ransomware that DarkSide was using to shutdown dozens of businesses in the U.S. and Europe. Bitdefender provided a free tool that companies could use to unlock their networks and avoid paying millions of dollars in ransom.

By publicizing its discovery, Bitdefender alerted DarkSide to the issue. The following day, DarkSide announced that it had fixed the problem and "new companies have nothing to hope for." The hacking group even thanked Bitdefender for helping them fix the issue.

Some experts believe that if Bitdefender had not made its announcement, the Colonial Pipeline could have been discretely restored with the decryption tool provided by the two researchers, which would have prevented panic gas buying and the $4.4 million ransom in Bitcoin that Colonial paid to DarkSide.

Ransomware hunters try to keep hacking groups in the dark as long as possible so that they can continue to decode the ransomware, even if it means being able to contact and help fewer victims.

According to one of the researchers, ransomware creators can reverse engineer decryptors that are made publicly available to figure out how cybersecurity experts can decrypt their files. The cybercriminals will then fix their ransomware so that it can no longer be decrypted.

On the other hand, the director of threat research at the Romania-based Bitdefender said it published its tool "because most victims who fall for ransomware do not have the right connection with ransomware support groups and won't know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search."

He argued that DarkSide might have discovered the flaw anyway and that the "vast majority of victims" would not know that they could get their data back for free if the decryptor was not made publicly available. Renee Dudley and Daniel Golden "The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms" propublica.org (May 24, 2021).

Commentary

Ransomware has increased exponentially since 2012 because the creation of Bitcoin made it difficult to track or block ransom payments.

The ransomware tactics have evolved from “spray and pray” campaigns demanding a few hundred dollars from users to targeted campaigns demanding millions of dollars from businesses, government agencies, and nonprofit groups.

In 2019, ransomware gangs began using a new technique called “double extortion.” The hackers will steal sensitive information when they break into a computer network before encrypting files with ransomware. Then, in addition to demanding a ransom to unlock the files, the cybercriminals will threaten to leak sensitive information if the ransom is not paid. Cybercriminals will often post samples of the confidential information they have as leverage.

For example, in April 2021, a ransomware gang called Babuk published intelligence briefings, names of criminal suspects and witnesses, and personnel files that included officer and candidate medical information and polygraph test results when the Washington, D.C. police department refused to pay a four-million-dollar ransom.

DarkSide uses “zero-day exploits” that capitalize on software vulnerabilities before they can be patched to infiltrate their target’s network. The cybercriminals look around for two or three days, stealing sensitive data and checking the organization’s cyber insurance policy so that their ransom demand fits the coverage amount. The minimal amount of time that DarkSide spends snooping around the network decreases the chance of catching them before they encrypt files.

In Nov. 2020, DarkSide adopted the “ransomware-as-a-service” model, relying on affiliates to launch cyberattacks. DarkSide and its affiliates reportedly grossed $90 million.

DarkSide recently stated that it was shutting down under U.S. pressure. However, ransomware gangs have been known to break up to avoid scrutiny only to reform under a new name or join another ransomware group. Renee Dudley and Daniel Golden “The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms” www.propublica.org (May 24, 2021).

Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Limited Access Is The Centerpiece Of All Data Security Strategies

Employers must revoke account access when employees leave. Read about how continued access creates exposure.

Why Is Trojan Malware So Effective?

The latest security report shows Trojan malware is a primary network security risk for users. Read about the dangers of this type of attack and how to avoid becoming a victim.

Back Up Often And Off-Line To Help Address Ransomware Risks

Ransomware attacks are increasingly common, and all organizations must prepare now for an attack. We examine.