Michael Schwirtz, an investigative reporter for the New York Times, got an inside look at a new breed of ransomware attack, called “Ransomware as a Service”, launched against businesses both large and small. Credit and thanks go to Mr. Schwirtz of the New York Times for most of the information below.
Darkside, a group or individual who speaks fluent Russian, developed the ransomware that was used against Colonial Pipeline. Unlike previous ransomware attacks, however, this software is offered as Ransomware-as-a-Service: the attacks are conducted by “affiliates” of Darkside, i.e. other individuals or groups, using software developed by Darkside, rather than by Darkside itself. If the ransom is paid, Darkside takes a cut of it for providing the software as a service to its affiliates.
Darkside also provides its affiliates with software that can bring the victim’s website down if the victim balks at paying the ransom. This is done by what is known as a Denial-of-Service attack, which overloads the victim’s web servers to the point where they become unresponsive, thus putting more pressure on the victim to pay the ransom.
Since ransom is normally collected in cryptocurrency, Darkside offers a help desk to walk a victim who is unfamiliar with cryptocurrency through the process of paying the ransom. This is another “service” of Darkside.
As has been reported, some of the ransom paid by Colonial Pipeline has been recovered. It is believed that the FBI hacked into the affiliate’s cryptocurrency wallet and transferred the cryptocurrency back to Colonial Pipeline. This is the first known instance of ransom money being recovered. The difference between the value paid and the value recovered results from the change in the cryptocurrency’s price between the two transactions. It is believed that Darkside’s cut of the ransom is still retained by Darkside.
It is important to note that Darkside is not the only hacking group providing Ransomware-as-a-Service to affiliates. Another group, REvil (Ransomware Evil), is also known to be a RaaS provider. It is not known whether Darkside is itself an affiliate of REvil.
While it is possible for a ransom to be paid and the key to decrypt the victim’s computers never to be provided, this is believed to be unlikely, as it would be a bad business decision on the attacker’s part. If withholding the key after payment became generally accepted practice, victims would be less likely to pay the ransom.
Wired magazine reports that insurance companies may be inclined to pay the ransom on behalf of the victim rather than pay claims for the recovery of the files and for the business revenue lost because of the attack.
It is also believed that attacks against small companies will become more prevalent than attacks against infrastructure companies such as Colonial Pipeline, so as not to draw the ire of the FBI and other law enforcement agencies.
It is reported that Darkside has now gone “dark”, meaning there is no activity from them on the Dark Web since the Colonial Pipeline attack. Law enforcement is not sure why or what their plans are, if any. One possibility is that they may be rebranding and will reappear under a different name.
It should be noted that if Darkside is indeed operating out of Russia, it is not breaking any Russian laws. Russian law only outlaws cyberattacks against companies or organizations within Russia, not outside of Russia. In essence, these attacks, if indeed they are being carried out within Russian borders, are legal under Russian law. Nonetheless, Russia and the United States have begun talks to cooperate in addressing cyberattacks launched from each other’s borders.
The bottom line is that ransomware attacks have matured into a business model known as Ransomware-as-a-Service. What that means for the future of RaaS remains to be seen. In the meantime, businesses both large and small can help defend themselves against a cyberattack by having an independent cybersecurity audit of their operations performed by a qualified professional skilled in cybersecurity.