Here’s why ransomware gangs are now rebranding themselves as ‘white hat’
On the surface, ‘white hat’ hackers don't differ a great deal from their ‘black hat’ peers, in that they strive to expose vulnerabilities in digital systems through various means. The difference lies in what they do with the exploits they uncover.
A few years ago, a survey of the hacking community by privileged access management (PAM) solutions provider Thycotic revealed that around 70% of hackers identify as ‘white hat,’ or ethical hackers, whose motivation is to find holes and vulnerabilities in software so that organizations can patch them and improve their security.
A non-binary issue
While the ‘white hat’ and ‘black hat’ labels create the impression of a purely binary issue between good and evil, the reality is somewhat more nuanced than that. For instance, DarkSide is one of the more notorious hacking groups in the world and shot to global infamy after their ransomware attack on the Colonial Pipeline resulted in a near $5 million payout for the group.
That may paint them as typically unscrupulous criminals, but they subsequently announced that they hadn’t meant to target such vital infrastructure, and would in the future take steps to ensure that their targets are not so socially important. That appeal to their inherent good nature did little to dissuade infrastructure providers from banning the group, thus denying it access to the cryptocurrency accounts used to squirrel away its ill-gotten fortune.
In response to the seizure, Brian Krebs speculated that some cybercrime groups are distancing themselves from ransomware attacks entirely due to the reputational fallout from them during 2021. For example, Krebs says that the XSS forum has banned discussion of ransomware due to its inherent toxicity, its ability to stoke geopolitical tensions, and growing danger as a concept.
A charitable front
Of course, one might realistically ponder how on earth ransomware could ever be viewed as anything that was not toxic or dangerous. After all, there isn’t a form of ransomware that could be passed off as ethical, or indeed even morally ambiguous. The very point of ransomware is to extort money out of your target. But it does appear that there is a degree of honor among thieves.
In 2021, a number of ransomware groups have announced that they will no longer go after certain targets, including hospitals, critical infrastructure, and schools.
Suffice to say, those with a good memory will have a wry smile, as hacking groups also said at the start of the Covid crisis that they would not be targeting hospitals, before the healthcare sector actually became one of the most targeted in the last 18 months. It’s highly unlikely that many will be taken in by these claims, and it seems that they were largely aimed at convincing infrastructure providers not to seize their assets, as even criminals need server space and financial infrastructure.
If you’re so toxic that no providers will touch you, then it destroys your business entirely.
Such actions are not unknown in the criminal world. For instance, the yakuza crime organization in Japan tends to think of itself as a humanitarian organization, despite engaging in everything from human trafficking to extortion. The group notably stepped in to help after the Kobe earthquake in 1995, distributing thousands of food parcels from the parking lot of their headquarters. Even Al Capone created one of the first soup kitchens in response to the hardship caused by the Great Depression. It's rumored that one such facility provided 5,000 meals on Thanksgiving Day alone.
Indeed, DarkSide themselves have said that in addition to not targeting certain sectors, they too donate a portion of their ill-gotten gains to charity. In a statement, they went as far as to hope that they were able to make a positive difference to people’s lives.
Of course, these seemingly benevolent acts are quickly seen as the PR front that they are, and it should equally not be expected that hackers have suddenly developed a conscience or a moral code. After all, even if they choose only to extort money from certain targets, they’re still extorting money.
There are no hacking groups adopting a Robin Hood-style approach that only sees them target “deserving” targets, with any gains from these foes funneled to more deserving causes. Such a venture does not exist, and for all of the PR done by DarkSide, they are certainly not it.
So while there might be a majority of hackers who classify themselves as ‘white hat,’ it’s not the case that the likes of DarkSide qualify for such an ethical status.
They are cybercriminals, and no amount of PR will change that fact, and it would certainly not be advisable for organizations, whether in so-called “safe sectors” or not, to take their eye off the ball and leave vulnerabilities for such groups to exploit.