ArchiveOODA Original

Dark Side Reports Closing Shop: What’s the Future for Ransomware Gangs?

The ransomware attack against Colonial Pipeline revealed how disruptive this malware can be when it impacts civilian critical infrastructure.  The successful shutdown of 5,500 miles of pipeline created concern among gas-strapped populations and a government wondering if this attack was the work of cyber criminals or a foreign adversary looking for retribution. Though largely a tool of cyber criminals, ransomware has been tied to foreign governments seeking to extort money as was evidenced by the North Korean execution of 2017’s global WannaCry campaign, or the more disruptive NotPetya attacks conducted by Russian intelligence officers.  One thing is clear: the multi-purpose malware has proven effective for both financial extortion and meting punishment, depending on the intent of the operators.

While ransomware may have started as a way for enterprising cyber criminals to make quick money, the more capable groups have increasingly evolved their operations, becoming more professionalized in their services, and seeking to exploit those organizations with the resources to pay substantial ransom amounts.  The more advanced groups not only started to steal victim data before encrypting it, but also used it as further leverage to coerce victims into paying ransoms or else risk its exposure.  These groups also created affiliate programs, bringing in hungry members to carry out separate operations for a percentage of the profits, thereby limiting exposure while benefiting financially.  DarkSide especially has shown innovation in its money-making exploitation, looking to target companies on the NASDAQ and leak information for the purposes of impacting their stock prices, thereby enabling traders to turn a profit from the fall of the stock price.  Collectively, these savvy gangs have become monolithic in reputation, targeting large well-known organizations, and in several instances, successfully compromising them and receiving millions in ransom payments for their efforts.

However, there are some developments that may ultimately influence future ransomware campaigns by these proficient gangs.  One unforeseen consequence of the Colonial Pipeline attack was the geopolitical fallout that materialized once it surfaced that some if not all of the DarkSide operators were Russian nationals.  Cyber security experts have long believed that Russian cyber criminals have been allowed to operate as long as they don’t target Russian organizations.  The code in the DarkSide malware ensured that it could not execute on systems identified to be in former Soviet Union countries.  This invariably raised questions if the DarkSide group was not somehow either linked to Moscow, or took direction from the Russian government, an accusation that the Kremlin has vehemently denied.

The allegation may not be as far-fetched as some may think. DarkSide prided itself on its “Robin Hood” image, giving a portion of money made from ransoms to charities, and not targeting organizations like healthcare, education, and non-profits.  For such a professional group, they either did not research Colonial Pipeline enough or ignored their research that a successful attack against the organization would adversely impact vulnerable civilians.  The disruption may have only lasted six days, but effects are still being felt via price hikes and fuel shortages in some areas.  One can’t help but hearken back to the 2015 cyber attack that disrupted Ukraine’s power grid, an act that also lasted a minimal time.  The fact that a nation state had to officially deny involvement and affiliation with cyber crime activity via its spokesperson may very well be a sign that some groups have gotten too renowned and too brazen for their own good.  More importantly, proxies cease to be non-attributable assets when states are willing to assign some measure of responsibility for their actions to the perceived offending government.

A second key development is the reaction of underground markets to the Colonial Pipeline attack.  According to one news source, DarkSide “closed shop” shortly after collecting Colonial’s ransom payment as a result of an unidentified law enforcement effort that seized its servers and cryptocurrency accounts.  If true, this revelation may be an indication to these rogue criminal elements that targeting civilian critical infrastructure will not be tolerated, which may help curb future behavior.  Compounding matters, XSS, a leading cyber crime forum recently claimed to ban all ransomware activity in its spaces because of ideological concerns, and the fact that their campaigns frequently generate negative press. This ouster from a prominent crime forum bears note as it demonstrates how cyber criminals will police their own for their own self-preservation.

Whether this catches on with other forums will largely depend on if nation states will aggressively work together to take down ransomware gangs.  Most of the more proficient gangs have targeted high-profile organizations in several countries creating an opportunity for these host governments to collaborate in shutting down key infrastructure, and access to cryptocurrency.  There are some signs indicating that fear of being targeted by their peers and nation states is already being felt.  According to one news source, other ransomware groups were closing down or reducing their own operations as a result of the law enforcement action against DarkSide. This suggests that the gangs are not omnipotent but can be addressed if there is motivation and resolve to do so. The gangs see this and are scrambling to change how they do business.  Moreover, if any of these gangs have enjoyed permissive operating environments in the nations in which they have operated, that protection may not be as solid as they had thought.

However, while promising, to think these incidents alone will dissuade ransomware operators from their craft is a misperception.  Other operators of ransomware campaigns have been known to “retire” from their involvement in one ransomware strain, only to be affiliated with a new one.  Former members of the now defunct GandCrab are believed to have started REvil, and former members of Maze ransomware campaigns are believed to have started Egregor. This is a testament to the lucrative nature of ransomware, especially for those groups that have demonstrated the ability to create new malware and execute campaigns.  Recent reporting indicates that DarkSide cleared an estimated USD 90 million in Bitcoin for all of its efforts before it closed up shop.  Furthermore, a recent news report indicates that the gang appears to have developed a new strain of ransomware that targets disk partitions used to hide backup files.  There is no indication of activity associated with this as of this writing, but it does show that arrest and prosecution may be the only way to curb these activities.

The clear mistake made by DarkSide was targeting critical infrastructure, the consequence of which is reverberating in the criminal underground.  For the sake of their own preservation, it is likely that the other ransomware gangs will make good on their promises to avoid these critical targets in the future.  If this holds true, it will likely dampen attempts of nation states deciding to use ransomware against opponent’s critical infrastructures as they may lack the “plausible deniability” that a criminal element once provided.  They too may have to adjust how they use the malware, as well.  Ultimately, the game will change, the extent of which remains to be seen.  But the truly smart groups have persevered by knowing how to change their tactics for survival.  DarkSide has already demonstrated its ability to do so in the past.  Success breeds imitation” is an expression that holds very true in the criminal underground, and DarkSide ranks among the best in what they do.  What the group does in the coming the months may very well foretell the future of the other advanced ransomware gangs.  And they as well as nation states are watching.

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.