The Colonial cyberattack that cost a US fuel pipeline $4.4m in May highlights why businesses need to treat the fast-emerging threat of ‘ransomware as a service’ more seriously
A wry observation doing the rounds among cybersecurity experts is that the hackers who’ve transformed ransomware attacks into a multibillion-dollar industry are more professional than their high-profile corporate victims.
It was certainly no laughing matter for the CEO of the Colonial Pipeline, one of the largest fuel-distribution networks in the US, when an attack in early May disabled the 5,500-mile system, triggering fuel shortages and panic-buying at filling stations. Within hours of the breach, Joseph Blount controversially paid a $4.4m (£3.1m) ransom to DarkSide, the Russian hacking group that mounted the attack, on the basis that it was “for the good of the country”. Despite this, the network was still out of action for a week.
The Colonial Pipeline case is one of many similar incidents, which have increased sharply in number since the pandemic started but have tended to go under the radar, as the victims are understandably reluctant to publicise their security failings. This high-profile example has exposed the rise of so-called ransomware as a service (RaaS), which DarkSide and various other professional hackers are now offering.
The number of cybercrimes committed worldwide in 2020 was 69% higher than the previous year’s total. Ransomware was involved in 27% of these and a total of $1.4bn was demanded, according to a report published in May by US data security company Zscaler. In the UK, cybersecurity specialist Mimecast believes that as many as 60% of companies suffered a ransomware attack during the year.
“Covid-19 has driven a huge ransomware surge,” reports Deepen Desai, Zscaler’s chief information security officer. “Our researchers witnessed a fivefold increase in such attacks starting in March 2020, when the World Health Organization declared the pandemic.”
Criminals seeking to exploit the network vulnerabilities created by the general shift to remote working during the Covid crisis either developed more sophisticated hacking methods or, seeking a shortcut, paid for RaaS.
RaaS business model rings alarm bells
“RaaS has enabled even the least technically advanced criminals to launch attacks,” says George Papamargaritis, director of managed security services operations at Obrela Security Industries. “Gangs are advertising their services on the dark web, collaborating to share code, infrastructure, techniques and profits.”
The RaaS model means that the spoils are split among three partners in crime: the programmer, the service provider and the attacker. “This is a highly structured and organised machine that operates much like many other legitimate organisations,” he adds.
The earliest reference to RaaS can be traced back to 2016. But, as Jen Ellis, vice-president of community and public affairs at Rapid7 and co-chair of the Ransomware Task Force, notes: “There are indications that it’s on the rise as more criminals take the chance to make a quick, easy and relatively risk-free profit by entering the ransomware market.”
This collaborative approach to ransomware attacks is terrible news for businesses, warns Ian Pratt, global head of security for personal systems at Hewlett-Packard. “Once, it was the preserve of opportunistic individuals who targeted consumers with demands of a few hundred pounds. Today, criminal gangs operating ransomware make millions from corporate victims in so-called big-game hunts,” he says. “This should have the alarm bells ringing in boardrooms.”
By educating themselves and their employees, business leaders can improve company-wide security protocols and so minimise the risk of ransomware attacks. Pratt explains that “users are the point of entry for most attacks”, accounting for 70% of successful network breaches. Malware is “almost always delivered via email attachments, web links and downloadable files”.
Prevention better than cure
Michiel Prins, co-founder of HackerOne, a vulnerability-disclosure platform connecting businesses with penetration testers, agrees. “Difficult as it may seem to prevent these attacks, prevention is always better than cure when it comes to ransomware,” he says. “This means maintaining a nimble and adversarial approach to cybersecurity that takes into account the perspective of an attacker, getting beyond traditional solutions that miss more elusive vulnerabilities.”
Prins argues that working with ethical hackers will “strengthen an organisation’s overall security posture”, as potential weak spots are reported and fixed “before serious damage is done”. Additionally, establishing a so-called bug-bounty programme, which rewards people for highlighting faults in the coding, “signals a high level of security maturity,” meaning that the criminals might look for easier prey.
If they do fall victim to an attack, should organisations accede to ransomware demands? CrowdStrike estimates that just over a quarter of victims end up paying the hackers to unlock their systems. Nearly 60% of UK businesses would enter negotiations, according to Sam Curry, chief security officer at Cybereason.
“We’d advise against paying ransoms. But in extreme situations, where lives are at risk or a national emergency is likely, it could be better to pay,” he says. “Before making that decision, it’s essential to notify your legal counsel, your insurer and the relevant law-enforcement agencies.”
Even when a business does cough up, there’s no guarantee that this will put an end to its problems. Peter Yapp, former deputy director at the UK’s National Cyber Security Centre and now a partner at law firm Schillings, cites the Travelex attack in December 2019 as an example. Many of the company’s web pages were still out of action two months later and a $2.3m ransom was eventually paid to the hackers. Later in 2020, Travelex sank into administration, “partly due to the losses and reputational damage caused by the attack”, he says.
Charles Brook, threat intelligence specialist at cybersecurity company Tessian, acknowledges that it’s a tough decision. “Ethically speaking, you have to consider that you are enabling cybercrime by paying a ransom,” he says. “But I can sympathise with organisations that may have no other option.”
There are other considerations, Brook adds. “If you pay, you could put a target on your back for further attacks. And, even after your files are decrypted, there may still be something malicious left behind.”
With the hackers in the ascendancy, Yapp believes that the government needs to step up its efforts to combat ransomware. “This has become such a serious problem that perhaps it’s time to lobby for the UK’s new National Cyber Force to fight back against these criminals in a different, military, way,” he suggests.
Perhaps the hackers won’t have the last laugh, after all.
This article was originally written for Raconteur’s Connected Business report, published as a supplement in The Times in June 2021