After a ransomware attack late last week, Colonial Pipeline and the United States government have been scrambling to restore service to a pipeline that delivers nearly half of the East Coast’s fuel. The culprit, according to the FBI, is the notorious and brazen ransomware gang known as DarkSide. And the repercussions of their attack may ripple far beyond what they intended.
Colonial Pipeline says it hopes to restore full service by the end of the week; in the meantime, the Department of Transportation released an emergency order on Sunday to allow expanded oil distribution by truck. But the real impact of the attack may be felt in the world of ransomware. While a number of hackers have long engaged in anarchic targeting, including a horrifying rash of attacks on hospitals last fall, close observers say the pipeline incident may finally represent a turning point.
DarkSide emerged last August, and announced itself with a veneer of professionalism and efficiency. At the time, it pledged not to target health care providers, schools, or businesses that couldn’t afford to pay. A few months later, the group made a series of charitable donations, part of a long-running attempt to manage its reputation. But as a ransomware-as-a-service operation, DarkSide largely works on an affiliate model, loaning out its ransomware and infrastructure to criminal customers and taking a cut of whatever those clients earn in their attacks. On Monday, as pressure mounted from US law enforcement and the White House itself, DarkSide seemed to blame the Colonial Pipeline hack on its affiliates, and pledged to more thoroughly vet the criminals it contracts with.
“We are apolitical, we do not participate in geopolitics,” DarkSide posted on Monday. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The statement is reminiscent of any industry promising to self-police as an alternative to government regulation. But even if you could take DarkSide at its word, the implication is that it’s somehow acceptable to target certain organizations with ransomware if they’re carefully selected.
“The idea that ransomware operators should decide who is worthy of being compromised is extremely problematic to say the least,” says Katie Nickels, director of intelligence at the security firm Red Canary. “It’s absurd.”
DarkSide’s dubious pledge to self-regulate likely stems from concerns that hacking a critical infrastructure company and ultimately causing a mass service outage crossed a red line—whether DarkSide or one of its clients actually perpetrated the attack.
“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they’ll be able to continue making money for longer.”
Callow and other researchers emphasize, though, that it’s difficult to produce meaningful deterrence when it comes to ransomware and cyberattacks in general. Even after repeated wake-up calls and ransomware-related disasters, governments have not shown enough urgency in trying to solve the problem.
“One of the biggest challenges in cyber deterrence is attribution and you can see that in this situation,” Red Canary’s Nickels says. “There are the ransomware developers, their affiliates and clients, and host countries that are ignoring their behavior. Who’s at fault? Who do you have to deter?”