Conflict Alerts # 381, 19 May 2021
In the news
On 14 May, the cybercrime group DarkSide (infamous for the recent Colonial Pipeline hack) announced that it would be closing down operations due to increasing pressure from the US and several law enforcement agencies. Cybersecurity firms FireEye and Intel 471 noted that the group had informed its associates that it had lost access to its operations infrastructure and to the funds collected through recent attacks (Colonial Pipeline and Brenntag).
On the same day, Toshiba announced in a public statement that its European subsidiaries had also become victims of a ransomware attack by DarkSide. Toshiba's spokesperson later informed media outlets that the company was attacked on 4 May and had not paid any ransom.
On 13 May, Bloomberg reported that within hours of being attacked by ransomware on 7 May, Colonial Pipeline had paid nearly USD 5 million in Bitcoin to DarkSide, contradicting earlier statements made by the company.
Issues at large
First, the rise of ransomware attacks. Ransomware is a type of malware that encrypts data on a victim's system so that it can only be decrypted with a private key held by the attacker. To obtain that key, victims are forced to pay a ransom. In 2016 alone, the number of new ransomware variants created increased by 752 per cent compared to the previous year; 2016 also marked the advent of ransomware-as-a-service, as Advanced Persistent Threats began selling ransomware through affiliate programmes. This new business model incentivized and increased ransomware attacks, making them even more lucrative and successful. The ongoing pandemic has seen a 150 per cent increase in ransomware attacks, since many businesses had to operate remotely. Cryptocurrency tracker Chainalysis reported that the ransoms paid to cybercriminals in 2020 alone amounted to USD 370 million.
Second, the growing influence of Advanced Persistent Threats (APTs). APTs are highly sophisticated groups of cybercriminals who engage in cyberterrorism, cyberespionage, cybercrime and hacktivism. These groups are usually state-sponsored, given the scale of their operations and the precision of their targeting. Each APT has its own agenda. DarkSide, for instance, was outspoken about its apolitical nature, its goal of making more money, and its habit of giving a portion of its proceeds to charity. The rise in APT activity can also be tied directly to the pandemic: the cybersecurity measures of numerous companies could not guarantee safe and secure remote working conditions for employees. A recent trend among APTs is their ability to form cartels or disperse into newer groups. DarkSide, for example, is considered an offshoot of another prominent threat actor, REvil. This is one reason why cybersecurity experts find it hard to believe that groups like DarkSide would simply shut down their operations. In reality, when APTs feel pressure from law enforcement agencies, they usually stay dormant for a while or disband and regroup under another name.
Third, the role of cryptocurrency in abetting ransomware attacks. Cryptocurrencies have been the go-to form of ransom demand and payment since 2015. Cryptocurrencies such as Bitcoin were created to form a decentralized financial system in which no single entity controls transactions. The opaque transaction processes built into cryptocurrencies like Monero have made them a favourite of ransomware operators. Popular currencies such as Bitcoin, on the other hand, make it easier for hackers to legitimize and circulate the illegal ransom. This is one of the main reasons why governments are critical of cryptocurrencies: once the ransom is paid, it becomes very hard for law enforcement agencies to trace and retrieve it.
The reign of ransomware and APTs such as DarkSide will continue as long as victims such as Colonial Pipeline are willing to pay a ransom. Law enforcement agencies have strongly advised individuals and businesses not to pay ransoms to cybercriminals. But the fear of personal or confidential data being leaked or deleted pushes most victims to pay. Businesses should follow good cybersecurity practices, such as proper maintenance of system logs and multiple data backups, to minimize the impact of ransomware attacks.