Colonial Pipeline's ripple effect: are wounded ransomware gangs getting angrier?


Despite being under a magnifying glass since the Colonial Pipeline attack, ransomware gangs remain a major headache for organizations worldwide.

A year ago, Colonial Pipeline fell victim to a ransomware attack, resulting in gas shortages, causing a chain of unintended consequences, and putting ransomware gangs under the spotlight.

DarkSide's attack on a pipeline system supplying the Southeastern United States with gasoline and jet fuel caused a wave of panic-buying across the East Coast and sent gasoline prices soaring.

ADVERTISEMENT

Despite the financial cost and temporary public panic, Colonial Pipeline restored its operations in less than a week. However, the attack might have changed the ransomware landscape irreversibly.

Waves in the criminal community

DarkSide, which ditched its name shortly after the attack, manifested themselves as Robin Hoods, claiming to give some of the ransom money to charity. After the Colonial pipeline attack, the ransomware group released a public note claiming they were after money, not the chaos. A claim that many experts didn't buy, given their affiliation with the Russian criminal underground, judging by their victim pool and linguistic analysis.

In the aftermath of the attack, ransomware discussions were banned from the dark forums, fearing it might attract unwanted law enforcement attention.

"That made it more challenging to keep an eye on some of the activities because they went into more private areas where we wouldn't have access," Chester Wisniewski, a principal research scientist at the cybersecurity company Sophos, once told Cybernews.

According to cybersecurity company Digital Shadows, many ransomware operators have since publicly reviewed their affiliate programs to exert tighter control over them and avoid further dangerous consequences.

"For example, REvil/Sodinokibi had also updated their thread on Exploit with new rules for their affiliate program, including a ban on targeting governments or the social sector and a requirement to obtain approval for targets prior to attacks. Affiliates who violate these rules would be "kicked" off the program, and their victims' decryption keys given out for free. Up to this day, most of these restrictions appear to be still in place," company's researcher Stefano De Blasi said.

ADVERTISEMENT

Den Jones, a former executive at Cisco and Adobe and current CSO at Banyan Security, noted that the war in Ukraine also impacted the ransomware landscape.

"There were a lot of ransomware groups, Conti springs to mind, that were a blend of people from Russia and Ukraine. With the war underway, there's been a split, and they've changed how they've operated," Jones told Cybernews.

After Conti announced its allegiance with Vladimir Putin, a pro-Ukrainian researcher with the means to access Conti's data exposed the ransomware gang by leaking thousands of documents.

out of sign gas
Limited fuel supply. Image from Shutterstock

Is the “sleeping giant” awake?

"Nobody wants the sleeping giant – the US government – to get really serious about attacking cybercriminals," Stel Valavanis of Chicago-based onShore Security told me after the attack.

Is the giant awake? Last June, President Joe Biden told Vladimir Putin that certain critical infrastructure should be "off-limits" to cyberattacks. But does that even matter now, since the Russian invasion of Ukraine triggered a cyberwar with no borders?

Jones is on regular calls with the FBI, which is trying to establish relationships with the private sector.

"There's evidence that they are knocking on the door, looking around. It's almost as if they [Russians] are gearing up to launch an attack. If you can think of sanctions that have been applied from the West towards Russia, at some point, they are going to have a retaliation," he told Cybernews.

In March, the Kremlin rejected US warnings that Russia may be preparing to conduct cyberattacks against the West.

ADVERTISEMENT

For now, Russian cyber warriors seem to be busy supporting their military operations. According to the latest Microsoft report detailing the relentless and destructive Russian cyberattacks, the Kremlin's use of cyber weapons is strongly correlated and sometimes directly timed with its kinetic military operations.

"It's not beyond them to launch a mass malware campaign on companies in the US. All the different APT [advanced persistent threat] teams and different organizations, including the Russian government, are not coordinating attacks. At some point, if they operate together and coordinate, that could be a different situation for us," Jones said.

Hand with black glove typing on red matrix laptop screen with Ransomware inscription
The Colonial Pipeline cyberattack might serve us a lot of important lessons, with not paying a ransom being one of them. Image from Shutterstock

Organizations got smarter but so did cybercriminals

With initial access brokers and ransomware gangs forming alliances, the problem is only about to get worse, Dmitry Volkov, the CEO of cybersecurity company Group-IB, warned last December.

The Colonial Pipeline cyberattack might serve us a lot of important lessons, with not paying a ransom being one of them. It ended up paying a $4,5 million ransom hoping to restore its operations faster.

"With a twisted sense of humor, the decryptor tool provided by DarkSide proved so slow that the company's business continuity planning tools were more effective in bringing back operational capacity; there's probably a lesson in there about the ethics and feasibility of paying cybercriminals," Digital Shadows noted.

However, many ransomware victims keep paying extortion money, believing it's their only way out. Succumbing to criminals' demands only fuels the ransomware problem.

"Some believe that ransomware-as-a-service has tapered off and mature attack groups are bringing expertise in-house. This means higher quality and more targeted ransomware will be potentially harder to detect and remediate. Perhaps there may be fewer attacks, but they could be more damaging and difficult to recover from," Benny Czarny, CEO of critical infrastructure protection company OPSWAT, said.

According to Jones, there are still a lot of 'spray and pray' attacks where adversaries hope that if they try enough people, eventually someone will fall for the scam.

ADVERTISEMENT

"It's easy for someone on the dark web to get ahold of email addresses and launch a campaign. Also, ransomware-as-a-service makes it so easy for many people to get involved," Jones said. He believes we will see more coordinated attacks in the coming months.

Insurers play a crucial role

“Despite all the chaos following the attack on Colonial Pipeline, ransomware still remains the most pressing cyber threat for organizations across various industry verticals and geographies. The relative ease with which this malware can be deployed on targeted organizations, along with the potential high payouts associated with a successful attack, make this cyber threat a persistent and pernicious risk,” Stefano De Blasi.

A recent report by Sophos supports his claims. The average ransom paid by victims increased nearly fivefold in 2021 to over $800,000. The number of companies hit by ransomware attacks is also rapidly growing. 66% of organizations experienced an attack in 2021, up from 37% in 2020.

Another report by Ordr argues that insurers might have spurred the growth of ransomware attacks recently. Well aware that the insurance company would often foot the bill in the event of a cyberattack, cybercriminals leverage it in their attacks. However, the insurance industry is adapting to the new reality by implementing novel rules designed to avoid overextending itself and losing money on its cybercrime policies.