Is the Ransomware Threat Overblown? - A Realistic Assessment

Cryptocurrency Ransom Recovery and the DarkSide Hack
The U.S. Justice Department announced on Monday afternoon that it had recovered a significant portion of the cryptocurrency ransom paid by Colonial Pipeline, a major U.S. pipeline operator. Investigators traced the funds as they moved through accounts associated with the Russian hacking group DarkSide, then, with judicial authorization, gained access to one of those accounts and seized what it held.
The recovery is a rare piece of good news in an episode that began with a cyberattack on Colonial Pipeline. The company's temporary shutdown of the pipeline led to fuel shortages that panic buying made worse, and a second, brief outage followed when an overloaded internal server went down.
Insights from Recorded Future’s Christopher Ahlberg
Christopher Ahlberg, founder of the security intelligence firm Recorded Future, posits that the capabilities of DarkSide may have been overestimated. He shared detailed insights into the group’s operational methods during a recent interview.
TC: Could you describe the core functionality of your technology?
CA: Our primary objective is to comprehensively index the internet. We strive to capture data from all online sources, analyzing the flow of information and the activities of malicious actors. This includes monitoring their online hangouts, understanding data transmission networks, and examining the infrastructure they utilize.
We also focus on identifying and analyzing the digital traces left behind by these actors, which can be found in diverse locations.
TC: Who constitutes your client base?
CA: We serve approximately 1,000 clients, ranging from the Department of Defense to some of the world’s largest corporations. Roughly one-third of our business comes from government entities, another third from the financial sector, and the remainder from various industries, including transportation.
TC: Does your technology primarily focus on predicting attacks or analyzing incidents after they occur?
CA: Our capabilities encompass both proactive prediction and post-incident analysis.
TC: What key indicators guide your analysis?
CA: A crucial element is understanding the adversary, which generally falls into two categories: cybercriminals and intelligence agencies.
Currently, ransomware gangs, predominantly originating from Russia, are a major focus. It’s important to note that these “gangs” often consist of only a few individuals, rather than large, organized groups.
Intelligence agencies, conversely, are typically well-resourced and involve larger teams. Our work involves tracking these entities, monitoring their networks, and understanding potential targets, all integrated in an automated system.
TC: Is there evidence of collaboration between intelligence agencies and these Russian hacking groups?
CA: While we don’t believe these groups are routinely tasked by Russian intelligence, several countries – including Russia, Iran, North Korea, and to some extent, China – have fostered a hacker community with limited oversight. This allows individuals to pursue cybercrime, particularly in Russia.
Over time, Russian intelligence agencies – FSB, SVR, and GRU – have been known to recruit individuals from these groups or directly assign them tasks. Official documentation reveals a history of interaction between these entities.
TC: What was your reaction to DarkSide’s claim of losing access to its Bitcoin and servers after the Colonial Pipeline attack?
CA: If you perpetrated that attack, you likely had limited knowledge of Colonial Pipeline’s significance. The sudden media attention would likely trigger internal inquiries within Russia, demanding an explanation and a plan for damage control.
A common initial response is to deny involvement or claim loss of funds and server access. I suspect DarkSide’s statement was a tactic to cover their tracks, as they later attempted further operations. We may have overestimated the speed with which the U.S. government could respond effectively.
TC: DarkSide reportedly operates as a franchise, providing software to individual hackers. Is this a new development, and does it broaden the pool of potential attackers?
CA: That is accurate. The Russian hacker underground is characterized by its distributed nature. Some individuals develop the ransomware itself, while others utilize these services to carry out attacks. Still others manage Bitcoin transactions and laundering processes.
The process of converting cryptocurrency to usable funds often involves legitimate exchanges and money mules, requiring specialized skills. There are approximately 10 to 20 distinct services involved in this ecosystem.
TC: How are the profits from these operations distributed?
CA: They employ effective systems for sharing proceeds. Bitcoin facilitates payments, and underground forums provide ranking and rating systems, similar to online marketplaces. These forums allow users to identify and report scammers within the cybercriminal community. The internet’s distributed nature is a key factor in their success.
Protecting Against Ransomware
TC: What advice would you offer to organizations seeking to enhance their cybersecurity defenses?
CA: A recent analysis revealed that ransomware attacks are distributed across 20 different industries. Colonial Pipeline’s experience highlighted that attackers target the easiest, not necessarily the most prominent, victims.
Ensure your systems are regularly patched and updated. Minimize your online exposure by removing unnecessary services from the internet. Implement strong passwords and enable multi-factor authentication wherever possible.
A checklist of essential security measures can significantly reduce your risk. While these steps may not be sufficient against highly sophisticated attacks, they provide a strong foundation for defense.