Lessons From the Colonial Hack: Law Enforcement Action Isn’t Enough To Defeat Ransomware

The Colonial Pipeline ransomware attack caused at least three ransomware gangs to either pull back or cease services. This might seem like a good thing, but ransomware attacks have not stopped. These attacks’ profitability and the low probability of legal repercussions make ransomware cybercrime too profitable and low risk for gangs to go away completely.

Writing in the May 12 issue of the Wall Street Journal, Robert McMillan et al. asserted that a member of the Biden Justice Department likenedOpens a new window ransomware to “cyber weapons of mass destruction.” The increasing ransomware challenges and attacks seem to support this.

In addition to the recent Colonial Pipeline attack, another ransomware attack this week partially shut down operations at JBS Foods, the world’s largest meat processing company. Both of these attacks were attributed to Russian ransomware gangs.

The pipeline and meatpacking attacks had a significant impact on both these companies and the public. However, it is not just large organizations that are under attack. McMillan et al. write that organizations reported as many as 2,500 ransomware incidents to the FBI in 2020, up 66% from 2019. These numbers do not include organizations that paid a ransom but did not report the incident. 

Why Ransomware is Attractive To Criminals

Ransomware attacks are massively profitable. Rob Pegoraro writesOpens a new window that ransomware gangs have become highly professional within an ecosystem of partner and affiliate firms. This collaboration results in global ransomware attacks against businesses and government agencies of all sizes, with cyber criminals demanding $300,000 in ransom on average.

Cybercriminals seeking to carry out a ransomware attack do not need to develop their tools. Instead, they engage a ransomware service provider. Darkside, the gang accused of attacking Colonial Pipeline, is a RaaS (Ransomware as a Service) provider, enabling “affiliates” to pay for the ability to conduct ransomware attacks.

.aligmentchange p {display: inline-block !important; width: 100% !important;}

Figure 1

When ransomware attacks began, cybercriminals relied on victims paying the ransom. That has changed. Many organizations are now resistant to paying a ransom with response controls. Further, many simply refuse to pay a ransom. Consequently, gangs are now using additional means of making money.

Many new ransomware variants can both encrypt and steal sensitive information. If the victim organization refuses to pay the ransom, the gangs sell the information. Selling the information may not match the same revenue levels as the ransom, but it is better for the criminals than not making anything.

Finally, getting arrested for ransomware attacks is low risk for most ransomware gangs. As I wrote in a previous article, gangs in countries that are not friendly with the West are far less likely to be arrested and shut down. 

For example, gangs in two of the Big Four sources of cyberattacks against western countries (Russia, China, Iran, and North Korea) have even signed an agreement that inhibits cooperation. Russia, China, and several smaller nations are signatories to the Shanghai Cooperation Organization, emphasizing security and state control over collaboration with the West.

Learn More: Why Transnational Cooperation Is Key in the Battle Against Cross-Border Cybercrime

Ransomware Gangs Taking a Step Back

The success of international efforts to take down ransomware gangs depends on the targets and the overall impact. Small attacks, or those with minimal public impact, are lumped together in tepid efforts at enforcement. However, attacks that have a significant public impact result in quick law enforcement responses.

The Colonial Pipeline attack resulted in fuel shortages across the southeastern U.S. Because of its impact on national and public infrastructure, law enforcement agencies took immediate steps to shut down Darkside. The impending enforcement surge caused Darkside to shut down. However, before shutting down, Darkside blamed one of its affiliates for the attack. As a result, the RaaS provider had planned to prohibit using its services to attack certain types of targets.

Part of the reason Darkside shut down was a loss of business. In addition, the attack on Colonial Pipeline reportedly crossed a line that made many Darkside affiliates stop using its RaaS services.

Writing for the HIPAA Journal, Steve Alder reportedOpens a new window that another RaaS provider, Babuk, announced it was getting out of the ransomware business. Consequently, it provided keys for already infected targets to the appropriate affiliates. The affiliates are now responsible for resolving the active attacks.

RaaS providers usually advertise on the Dark Web, but one of the biggest ransomware services, REvil, announced after the Colonial Pipeline attack that it would no longer advertise. According to Alder, it is going private. However, this has not slowed them down. REvil is allegedly responsible for this week’s ransomware attack on meat processing giant JBS Foods.

Avaddon, another ransomware gang, joined REvil in placing limitations on what types of industries their affiliates can attack. In what appears to be an attempt at taking the moral high ground, the gangs banned attacks on governments, healthcare, charities, and educational institutions in any country. Further, affiliates must obtain approval from the service provider before launching any attack.

There are likely no moral high-ground goals with these moves. Instead, Avaddon and REvil are simply trying to avoid concerted transnational efforts to shut them down due to some types of attacks.

Learn More: Ransomware Attack on Colonial Pipeline: Was It Preventable?

Ransomware is Not Going Away

Although the U.S. government is now intent on treating ransomware attacks as terrorist attacks, such attacks will not stop. Attacks after the Colonial attack and Darkside shut down continued. The profits are too high, and the risk of arrest is too low.

We cannot depend on increased law enforcement activities to stop the attacks. The ransomware gangs are within national borders, where U.S. efforts at arrest and extradition will likely fall far short. Based on previous malware gang shutdowns or downsizing, it is probable that Darkside will come back in some form and under a different name. Even if it does not, plenty of other RaaS providers are waiting to increase their market shares.

While these limitations on transnational efforts to take down gangs continue, U.S. organizations and government agencies must assume they will be targeted. After the Colonial attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a detailed documentOpens a new window listing controls needed to prevent, detect, and respond to ransomware attacks. The list (with some adjustments and additions by me) includes 

• Assume a ransomware attack is imminent. In addition to enabling prevention and detection controls, each organization should form and train an incident response team. Smaller organizations should engage with third-party incident response service providers.
• Treat preparation for a ransomware attack as you would disaster recovery planning. A successful ransomware attack meets the definition of a disaster by taking down some or all business-critical processes
• Require multi-factor authentication for remote access
• Enable strong spam filters to prevent phishing emails from reaching end users. Filter attachments to prevent delivery of high-risk files.
• Filter network traffic to prohibit ingress and egress traffic with known malicious IP addresses, including those in the Big Four. This approach is limited, given that gangs often use attack servers in countries other than their own.
• Train users on spear phishing and the risk of clicking on unknown links in email, social media, texts, etc. However, treat user behavior as control of last resort. It should only fill in the gaps left by logical/technical controls.
• Implement a centralized patch management program. Integrate it with threat intelligence and vulnerability management efforts.
• Segment networks with vigorous network traffic policy enforcement. 
• Restrict the use of the Remote Desktop Protocol (RDP). Do not use RDP unless absolutely necessary and only if surrounded by robust access and detection controls.
• Ban the use of Office macros that are not explicitly approved by security and management.
• Implement application whitelisting across all devices.
• Block all Tor connections. See CISA Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from TorOpens a new window .
• Deploy signatures to detect or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
• Implement a SIEM or behavior analysis solution for quick detection of a ransomware attack.

Learn More: Top 3 Security Tools To Protect Networks From Ransomware Attacks

Final Thoughts

Ransomware attacks must be prevented or detected before sensitive data is stolen.  Even if an organization follows law enforcement recommendations and does not pay the ransom, the attacker may still sell stolen data.  The total cost of the loss and release of customer, patient, or trade secret information may exceed the demanded ransom.

We cannot rely on law enforcement to stop the attacks. The responsible criminals are usually out of our reach and are protected by governments hostile to the West. The support or protection of ransomware gangs has led to a new moniker to describe them: privateers. The supporting governments benefit somehow, just like Great Britain benefited when Queen Elizabeth I allowed privateers (e.g., Sir Francis Drake and Sir Walter Raleigh) to operate against Spain.

Because of enforcement weaknesses, organizations and agencies must take steps to protect themselves while pushing for more transnational cooperation in taking down networks used by RaaS providers.