No place for medieval thinking in ransomware


You come home one evening and your key card won’t open your door. You type in the code; nothing. The caretaker cannot open the door either. Then your phone rings with a message from an unknown number: “Do you want to go into your house? Submit 0.37 BTC to [email protected]”

This is the concept of ransomware, but with one important difference. In the example above, you could remove your lock or door to regain access. If ransomware has locked your system, you have no choice but to deal with “Sergei”.

Bigger goal

How seriously do chief digital officers take this threat? If it’s real, wouldn’t a bad actor, for example, target a well-known metropolis for ransom?

“It has been more than a month since a malicious ransomware infection hampered the city of Baltimore and disrupted almost every aspect of the city’s operations, including police communications, judicial systems, and the local real estate market,” wrote Tracy Rock, “and it’s not over yet.”

A Covid-19 era event? Hardly. Rock’s report was released in June 2019. “City officials say the recovery could cost at least $18 million,” she wrote. “But they talked about some of the most important details, like who was behind the attack and what data was lost.”

Deep dark secret

This is an aspect of security that is not discussed often enough: those who know the details of cyber attacks would prefer not to disclose them. There are multiple reasons for this. While the cyberattack ecosystem has evolved beyond the “script kiddies” who were in it for the Lulz, the prospect of media attention remains a constant attraction. Posting “I hacked Baltimore” on your Facebook account may not be smart, but one might still brag on dubious forums on the Dark Net.

Other reasons for confidentiality: the type of data that has been “lost” (or perhaps stolen). The May 2019 attack motivated Baltimore Mayor Bernard Young to write on Twitter: “The main Baltimore City basic services (Police, Fire, EMS and 311) are still operational, but the network of the City was infected with a ransomware virus … out of a plethora of precautionary measures, the city shut down most of its servers.”

This statement meant, among other things, that city officials lost access to email and court files, and that Baltimore residents were unable to pay bills, parking tickets, or taxes.

In a ransomware attack, attackers use malware to encrypt computer files and demand a ransom from victims to restore them. Without the decryption key, the files are usually inaccessible. But even if the victims pay the ransom, there is no guarantee that they will get the decryption key as promised.
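The paragraph above describes the mechanism from the victim’s side: files are turned into unreadable ciphertext and only the attacker holds the key. Defenders can turn that same property into an early-warning signal, because encrypted output looks like random bytes (near 8 bits of entropy per byte) and often arrives with a renamed extension. The following script is an added example, not code from this article or from any company it mentions. It scans a directory, measures the Shannon entropy of each file, and raises an alert when a large share of files look encrypted. The entropy threshold (7.0 bits/byte), the alert ratio (50%) and the list of suspicious suffixes are assumptions chosen for illustration; the sample tree it builds is constructed with random bytes standing in for encrypted content, so nothing is actually encrypted.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds: random or encrypted data sits close to 8.0 bits/byte,
# ordinary documents and source code usually sit well below 6.0.
ENTROPY_THRESHOLD = 7.0
ALERT_RATIO = 0.5
# Constructed list of extensions seen on renamed files; real campaigns vary.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def assess_file(path: Path) -> dict:
    """Score one file on the two indicators: high entropy and a suspicious suffix."""
    entropy = shannon_entropy(path.read_bytes())
    return {
        "path": str(path),
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "suspect_suffix": path.suffix.lower() in SUSPECT_SUFFIXES,
    }


def scan_directory(root: str, alert_ratio: float = ALERT_RATIO) -> dict:
    """Walk `root` and report how many files look encrypted; alert above `alert_ratio`."""
    results = [assess_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file()]
    flagged = [r for r in results if r["high_entropy"] or r["suspect_suffix"]]
    ratio = len(flagged) / len(results) if results else 0.0
    return {
        "total": len(results),
        "flagged": len(flagged),
        "ratio": round(ratio, 3),
        "alert": bool(results) and ratio >= alert_ratio,
        "flagged_paths": [r["path"] for r in flagged],
    }


def build_sample_tree(root: str, encrypted_count: int = 3) -> None:
    """Constructed fixture: three readable documents plus `encrypted_count` files
    filled with random bytes and a ransom-style suffix (no real encryption)."""
    base = Path(root)
    (base / "docs").mkdir(exist_ok=True)
    text = b"Quarterly parking ticket revenue report for the city finance office.\n" * 60
    for name in ("report.txt", "notes.txt", "budget.csv"):
        (base / "docs" / name).write_bytes(text)
    for i in range(encrypted_count):
        (base / "docs" / f"invoice{i}.pdf.locked").write_bytes(os.urandom(4096))


def demo() -> tuple:
    """Run the scan against a healthy tree and against the constructed infected tree."""
    with tempfile.TemporaryDirectory() as healthy:
        build_sample_tree(healthy, encrypted_count=0)
        clean = scan_directory(healthy)
    with tempfile.TemporaryDirectory() as infected:
        build_sample_tree(infected)
        hit = scan_directory(infected)
    return clean, hit


if __name__ == "__main__":
    clean_result, hit_result = demo()
    print("healthy tree:", clean_result)
    print("infected tree:", hit_result)
```

Entropy alone gives false positives on legitimately compressed or encrypted files (archives, images, PDFs with embedded streams), which is why the check combines it with the suffix indicator and only alerts on the proportion of affected files rather than on any single one. A sudden jump in that ratio over a short window is the signal worth routing to an incident response queue.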

In the 2019 Baltimore ransomware attack, hackers demanded 13 bitcoins worth around USD 76,280. But the city refused to pay.

So how did that work out for you?

More attacks

Further attacks were foreseeable:

Ransomware infectors are criminals by nature. If there is honor among thieves anywhere, it may not exist in cyberspace. Nobody knows if the original group or other cyber criminals carried out the later attacks.

Throat blow

The crippling of a US metropolis pales in comparison to the latest ransomware gambit that involved the carotid artery.

In an attack described by Wired Magazine as “a new extreme for ransomware”, Colonial Pipeline (which described itself on its website as “the largest refined product pipeline in the United States”) temporarily halted all pipeline operations. On May 25th, Reuters reported that “fuel pipeline operator Colonial Pipeline shut down its entire network, the source of nearly half of the US east coast’s fuel supply, after a ransomware cyberattack on Friday.”

The Reuters report quoted Amy Myers Jaffe, research professor and executive director of the Climate Policy Lab: “This is as close as possible to the constrictor of infrastructure in the United States … it’s not a big pipeline. It’s the pipeline.”

“The incident is one of the most disruptive digital ransom actions ever reported and has drawn attention to the vulnerability of the US energy infrastructure to hackers,” Reuters said. “A prolonged shutdown of the line would cause prices at the pumps to rise before the peak summer season, which would be a potential blow to US consumers and the economy.”

DarkSide shows up

For years, cybersecurity experts have warned of possible ransomware chaos at this level. And file this under “Deep Dark Secret”: Reuters quoted a former US government official and two industry sources as saying that investigators are looking into something called “DarkSide.” What could that be?

“DarkSide is a relatively new strain of ransomware that appeared for the first time in August 2020,” wrote the security company CyberReason in a blog post. “The team is very active in hack forums and keeps their customers up to date with news related to the ransomware.”

The CyberReason blog post states, “The DarkSide team has already built a reputation for making their operations more professional and organized. The group has a phone number and even a help desk to facilitate negotiations with the victims.”

The investigation into the penetration of Colonial Pipeline is just beginning. As usual, it is not possible to determine the location of the attackers, but CyberReason said, “DarkSide is used against targets in English-speaking countries and seems to avoid targets in countries connected to former Soviet bloc states,” which narrows it down a bit.

Hello again, “Sergei.”

Stefan Hammond is co-editor of CDOTrends. Best practices, IoT, payment gateways, robotics and the ongoing fight against cyberpirates spark his interest. You can reach him at [email protected].

Photo credit: iStockphoto / alessandroguerriero
