May 19, 2021 • 5M


On DarkSide & what happens when publicity becomes bad for business


The story of the last few weeks in business has been the ransomware attack that took down the Colonial Pipeline.

On ransomware-as-a-service, DarkSide, and what happens when publicity becomes really bad for business:

First, a few definitions...

What is ransomware? Ransomware is a type of malware - software designed to cause harm to a computer, server, or network. Ransomware encrypts the files on your system and holds them “hostage” until the demanded ransom is paid.

Ransomware is not new, but ransomware attacks are most definitely on the rise. With the world increasingly moving online, the cyber-attackers have experienced a windfall.

Both the frequency of attacks and the size of the average ransom payments have increased dramatically.

The way a ransomware attack works is really quite simple (even if the underlying technology is complicated).

A would-be attacker scans for vulnerable companies. They often look for dated systems or weak infrastructure - like an animal looking for injured prey.

When a target is acquired, the cyber-attacker looks for an entry point. This could be using a phishing scam or other method to gain access to the network or company data and servers.

Once inside, the cyber-attacker launches a program that encrypts all of the company’s data.

Once encrypted, the data and systems become completely unusable without a decryption key. The company is immobilized.

While this sounds complex, given the range of cybersecurity sophistication at companies, hackers say breaching some companies is “so easy a kid could do it.”

After the encryption is complete, the ransom negotiation begins.

The cyber-attackers reach out to the company, offering to provide a decryption key that will return access to the hostage data. In exchange, the company has to pay a ransom (usually in the form of Bitcoin).

If the ransom isn’t paid, the data may continue to be held (leaving the company immobilized), or sensitive data (credit cards, health records, etc.) may be leaked.
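The step where the attacker’s program “encrypts all of the company’s data” is also the step a defender can see: many files rewritten in a short burst with content that looks random. The following is an added example, not code from the episode or from any product it mentions, of the entropy-and-burst heuristic that endpoint tools use for this. The `FileWriteEvent` schema, the process names, and the sample events are all constructed for the illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileWriteEvent:
    """One file write as a host agent might record it (hypothetical schema)."""
    ts: float        # seconds since some epoch
    process: str     # name of the writing process
    path: str        # file being written
    data: bytes      # the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0.
    Plain text sits around 4-5 bits; ciphertext or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Return {process: sorted paths} for every process that wrote high-entropy
    content to at least `min_files` distinct files within any `window` seconds.
    A single high-entropy write (an archive, a photo) is deliberately ignored,
    since that is normal activity and would otherwise be a false positive."""
    recent = defaultdict(deque)   # per-process sliding window of suspicious writes
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) < entropy_threshold:
            continue                      # low-entropy write: ordinary document
        q = recent[ev.process]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()                   # drop writes that fell out of the window
        paths = {e.path for e in q}
        if len(paths) >= min_files:
            flagged.setdefault(ev.process, set()).update(paths)
    return {proc: sorted(paths) for proc, paths in flagged.items()}


def _random_bytes(seed, n=4096):
    """Deterministic stand-in for ciphertext (constructed, not real output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_events():
    """Constructed sample telemetry: a word processor saving memos, an archiver
    writing one compressed file, and a process rewriting eight files at once."""
    text = b"Quarterly revenue notes for the pipeline operations team.\n" * 60
    events = [FileWriteEvent(1.0 + i, "winword.exe", f"/docs/memo{i}.docx", text)
              for i in range(6)]
    events.append(FileWriteEvent(20.0, "7z.exe", "/backups/archive.7z", _random_bytes(7)))
    events += [FileWriteEvent(30.0 + i * 0.5, "encryptor.exe",
                              f"/docs/memo{i}.docx.locked", _random_bytes(100 + i))
               for i in range(8)]
    return events


def run_detection():
    return detect_mass_encryption(sample_events())


if __name__ == "__main__":
    for proc, paths in run_detection().items():
        print(f"ALERT: {proc} rewrote {len(paths)} files with high-entropy content")
```

Only `encryptor.exe` is reported: the word processor’s writes are low-entropy text, and the archiver’s single high-entropy file never reaches the `min_files` count. The two thresholds are the tuning knobs; in practice they are set from a baseline of the host’s normal write behaviour, and the alert is paired with automatic isolation of the offending process rather than a log line alone.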

Generally speaking, the company negotiates and pays the ransom, with its cyber insurance footing the bill.

The ransomware market has operated in the shadows for a long time...until recently. The story of a high-profile attack on the Colonial Pipeline - and the fascinating “ransomware-as-a-service” entity that enabled it - has shined a light on the industry.

Let’s dive in…

Colonial Pipeline is the largest gas pipeline in the U.S. On May 7, it announced it had been hit by a ransomware attack and had shut down operations. This ransomware attack was different. It wasn’t an attack on a medium-sized business. It was much, much bigger than that.

With the pipeline out of commission, gas prices spiked, impacting millions and drawing the immediate, full attention of the press (and the FBI). Suddenly, ransomware attacks were in the spotlight. And the services group enabling the attacks - DarkSide - was at center stage.

DarkSide is a so-called “ransomware-as-a-service” company. It doesn’t engage in the actual cyberattacks. Instead, it provides a suite of tools and services that enable would-be cyber-attackers to conduct their business.

DarkSide provides the malware that encrypts the data, but also much more.

A communication service - making calls to the victim companies for negotiations. A hosting site for stolen data. Customer service. It can even sell inside info to stock traders for extra profit.

Think of DarkSide as a cloud services provider for the modern ransomware era. It appears to be the market leader in providing such services! And it has an impressive economic model: DarkSide takes a 10-25% cut of the proceeds from the ransom payment.

Normally, startups with strong market traction love publicity. It helps with new customer acquisition and growth! But the difference here is that when you are a ransomware-as-a-service market leader, publicity can be really, really bad for business.

With the authorities now focused on them, DarkSide issued a statement: “Our goal is to make money and not create problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide learned the hard way what banks learned long ago: you have to know your customer! The Colonial Pipeline shutdown lasted about a week. Operations were restored after a rumored ransom payment of ~$5m (75-100 BTC). DarkSide’s cut was hefty - but it came at a cost.

In the months to come, with the spotlight shined on the sophistication of the ransomware market - as well as the devastating nature of the attacks - companies will step up their cybersecurity infrastructure to defend themselves. This may be bad for ransomware profits...

So is this just a classic market cycle? The ransomware market had predictable, large profits. This led to a rush of activity to exploit them. Now the market gets squeezed, making it less attractive to do ransomware attacks. Free markets at work...?

That is the story of DarkSide, the Colonial Pipeline hack, and the fascinating ransomware-as-a-service business model. For more, check out this article from Bloomberg.

Enjoy this and want to share it with family and friends? You can find the original thread below. Subscribe now and follow me on Twitter so you never miss a thread.

Until next time, stay curious, friends!