Most people in the public sector will have heard of ransomware and know about the May 2021 ransomware attack on the American Colonial Pipeline Company, but few would know much about the cyber criminal hacking group DarkSide that the FBI says was responsible for the Colonial Pipeline attack.
For the uninitiated, ransomware is a type of malware designed to block access to a computer system until a sum of money is paid. Ransomware attacks started in 2012, with the number of incidents growing exponentially since then. (Reported global attacks increased by 485 percent in 2020).
Ransomware allows a hacker to threaten to publish a victim's data, block access to it, or destroy it - unless a ransom is paid. Ransomware attacks are most effective when backup systems are compromised as well.
Common human attack vectors are phishing (fake emails with a malware attachment), SMSishing (using SMS [often appearing to come from a financial or service provider] to acquire personal information), vishing (using voicemail for the same purpose), social media (through downloaded images and files with active content), and instant messaging (to distribute malware to the victim's contact list). Some Microsoft products have also been an agent of infection.
Automated machine attack vectors include drive-by (from a web page containing malicious code), exploiting system vulnerabilities (often related to slow application of security patches), using malvertising (ads containing malware), and automatic propagation throughout network systems that don't have security barriers.
A common ransomware tactic is continually increasing the ransom price to persuade the victim to pay up quickly. This also puts pressure on remediation attempts.
Encryption ransomware is by far the most common recent variety of ransomware, requiring the victim to obtain a decryption key from the hacker.
Payment to regain access is made in cryptocurrency, making it difficult to trace and prosecute the perpetrators, particularly if they're in another jurisdiction.
A disadvantage of targeting individuals is that most can't afford to pay large ransoms. Today, to get million dollar plus ransoms, organised cyber criminal groups need to target large organisations.
A ransomware attack on a large organisation is usually the culmination of a detailed search for vulnerabilities in its IT system. Having employees working from home outside firewalls during COVID-19 has undoubtedly made organisations more vulnerable.
Once inside a network, cyber criminals may examine it for several weeks before copying data, encrypting access, and issuing a ransom demand. Some cyber criminals even review an organisation's financial situation to establish an affordable ransom amount.
The FBI and Australian Cyber Security Centre maintain that ransomware victims should not pay cyber criminals - but not doing so can be costly and result in protracted disruption as encrypted systems may need to be rebuilt from scratch.
On May 7, 2021 the Colonial Pipeline Company's pipeline that carries fuel oil 8000 kilometres from Texas to New Jersey suffered a DarkSide encryption ransomware attack against computers managing the infrastructure. The FBI described it as the worst cyberattack to date on US critical infrastructure.
The company closed down its computer system to try to isolate the infection but paid the ransom of 75 bitcoin (about $US 5 million) within a few hours of the attack. DarkSide then provided Colonial Pipeline with the decryption key to restore the network, but getting the pipeline up and running again took several days. On May 9, President Joe Biden declared a state of emergency to introduce emergency measures to deal with the problem.
The attack created a fuel crisis because the pipeline accounts for 45 per cent of the US east coast's fuel, carrying 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel.
It's probable that other targeted companies have paid up without reporting ransomware attacks to avoid business disruption and loss of reputation. While most of the publicity has been about attacks on the business sector, the public sector has not been immune.
Some public entities have refused to pay - but defiance can be costly. In one case reported by the FBI, an unidentified US city refused to pay the cyber criminal group RobbinHood the relatively modest amount of about $100,000; it then cost the city $11.5 million to rebuild its IT system.
According to Kaspersky, the five most active international cyber criminal groups are (in order) Maze (aka ChaCha ransomware), Conti (aka IOCP ransomware), REvil (aka Sodin, Sodinokibi ransomware), Netwalker (aka Mailto ransomware), and DoppelPaymer ransomware.
Who or what then is DarkSide?
DarkSide is both a group and a type of ransomware. The creators are most likely based in Russia, but unlike some other cyber criminal groups, DarkSide is not known to be state-sponsored or controlled by Russian intelligence services.
DarkSide seems to be one of the many hack-for-profit ransomware groups that have proliferated and thrived in Russia with at least the implicit sanction of the Russian authorities as long as they only attack foreign targets.
Between December 2020 and May 2021, DarkSide attacked US oil and gas infrastructure on four occasions. DarkSide ransomware was also used in an attack on Toshiba Tec Corporation in May 2021.
DarkSide and other ransomware groups usually engage in "double extortion" - requiring payment for both a digital key and a commitment to destroy stolen data.
DarkSide's malware is also available to other cyber criminal groups through a shared-profit arrangement. DarkSide claims it targets only big companies and forbids affiliates from using its ransomware on organisations in healthcare, funeral services, education, the public sector and non-profit organisations. The group even claims it donates some of its proceeds to charity.
The Australian Signals Directorate and ACSC have reported an increase in the number of ransomware incidents affecting Australian organisations, noting that the most targeted sectors (in order) are health, state and territory governments, education and research, transport, and retail. (There is little data about the number of attacks on individual Australians).
While non-payment of encryption ransoms may be viable for organisations in the public sector, non-payment may not be an affordable option for private sector companies who, like Colonial Pipeline, could face financial ruin if they don't pay up - and pay quickly.
Far better then to minimise one's vulnerability to a ransomware attack in the first place.
In this regard, the ACSC advises: update your device and turn on automatic updates; turn on multi-factor authentication; set up and perform regular backups; implement access controls; and turn on ransomware protection.
The ASD's complementary advice is: back up computers, phones and other devices regularly; ensure operating systems and software are regularly patched; disable macros in Microsoft Office where possible; and have a plan ready to reduce the damage to one's business operations.
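The ACSC and ASD advice above can be checked on a Windows 10/11 workstation. The following PowerShell script is an added example, not part of the article or of any ACSC/ASD tooling: it audits the Office macro policy, Defender's controlled folder access (the feature behind "turn on ransomware protection") and the automatic-update policy, and with -Remediate applies the macro and controlled-folder settings. It assumes Office 2016 or later (the "16.0" policy path) and an elevated PowerShell session; MFA and external backups cannot be verified locally and are left to the reader.

```powershell
# Added example: audit a Windows host against the ACSC/ASD ransomware advice.
# Assumes Office 2016+ (policy path "16.0") and an elevated session.
param([switch]$Remediate)

$findings = @()

# 1. "Disable macros in Microsoft Office": VBAWarnings 4 = disable all macros without
#    notification; blockcontentexecutionfrominternet 1 = block macros in internet-sourced files.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $ok  = ($cur.VBAWarnings -eq 4) -or ($cur.blockcontentexecutionfrominternet -eq 1)
    if (-not $ok) {
        $findings += "$app: macros are not restricted by policy ($key)"
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 4
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
        }
    }
}

# 2. "Turn on ransomware protection": Defender controlled folder access
#    (0 = off, 1 = enforced, 2 = audit mode only).
$cfa = (Get-MpPreference).EnableControlledFolderAccess
if ($cfa -ne 1) {
    $findings += "Controlled folder access is not enforced (current value: $cfa)"
    if ($Remediate) { Set-MpPreference -EnableControlledFolderAccess Enabled }
}

# 3. "Turn on automatic updates": flag a policy that switches them off.
#    An absent key means the default (automatic updates on), so only NoAutoUpdate=1 is reported.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                       -ErrorAction SilentlyContinue
if ($au.NoAutoUpdate -eq 1) {
    $findings += "Automatic updates are disabled by policy (NoAutoUpdate=1)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "All checked controls are in place" }
```

Run it without -Remediate first to see what would change; the macro settings written here are per-user policy keys, so domain Group Policy will override them if one is in force.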
Regrettably, any computer that's connected to the internet is going to be vulnerable. My additional advice to individuals is keep all your data on an external hard drive, and regularly back it up onto another external hard drive. Also close down your computer system when you're not using it and disconnect everything!
- Clive Williams is a visiting professor at the Australian National University's Centre for Military and Security Law and Strategic and Defence Studies Centre. He was formerly Director of Security Intelligence in Defence.