The recent ransomware attack on Colonial Pipeline that crippled fuel supplies to 50 million Americans highlights the vulnerability of the country's energy infrastructure to hackers. It also shines light on an emerging business trend in the depths of the dark web where criminal gangs brazenly sell their expertise in computerized mayhem to the highest bidder.
"It is a marketplace that involves services, products and goods. It's like eBay," Mark Arena, CEO of the cybercrime intelligence firm Intel471, told CBS News.
Cybersecurity experts say "ransomware-as-a-service" — it even has the acronym RaaS — is now a business model in which criminal groups like DarkSide, the organization believed to be behind the Colonial Pipeline attack, sell or rent their hacking software or services to those who want to carry out cyberattacks to extort victims.
Arena said RaaS has become "very professionalized and very organized," adding that groups like DarkSide tend to have sophisticated operations including a marketing team that advertises their products and services, a customer service support offering, and negotiators that communicate with the victims on behalf of their clients to discuss ransom payment. The setup makes criminal activity easier for customers while creating a revenue stream for malware owners.
Writing a piece of software to run on another computer and encrypt files is a simple technical deed that most hackers can perform, according to Arena. "But if somebody does that, plus also provides all these services around it and manages the customer, I think that's compelling from a cybercriminal's perspective," he said.
DarkSide, the group the FBI said is behind the hack that shut down more than 5,500 miles of fuel-transporting pipeline along the Gulf Coast, has executed this business model successfully in a short period of time.
DarkSide first came into light in August 2020 and was initially conducting its own ransomware attacks. By November, the group and 14 other such criminal gangs were responsible for more than 1,200 ransomware attacks, according to Intel471, which tracked 25 different RaaS groups throughout 2020.
Three months later, DarkSide began marketing a new program on Russian-language web forums. The program provided ransomware for others to use in their own operations. Ransomware attacks involving DarkSide have taken place each month since November, researchers at cybersecurity firm FireEye said this week. The number of publicly named victims on the DarkSide blog has gone up overall since August 2020, with the number of victims spiking to 20 and above in the months of February and April.
"The overall growth in the number of victims demonstrates the increasing use of the DarkSide ransomware by multiple affiliates," noted FireEye researchers in their report.
The group's advertising posts in the Russian-language forum XSS indicated that those who operate the malware take a 25% cut of ransom payments under $500,000 and 10% of any ransom payments over $5 million. Researchers also traced five different Russian-speaking "threat actors" as either new or former customers of DarkSide. Some of those actors claiming to use DarkSide may have also partnered with other RaaS programs, such as Babuk and an outfit called Sodinokibi, aka REvil.
Colonial Pipeline ultimately paid a multimillion-dollarto the hackers, a source familiar with the investigation told CBS News. The money was paid shortly after the computer systems started locking up earlier this month.
"Basically a franchise"
Theresa Payton, CEO of cybersecurity firm Foraliance and a former U.S. chief information officer in the Bush administration, said DarkSide doesn't have to conduct the attacks itself anymore.
"They've now created ransomware as a service. They are a commercial enterprise. They're basically franchising DarkSide," Payton told CBS News. "It's almost like a digital mafia pyramid scheme."
Payton described ransomware as the "carbon-monoxide poisoning of our cybersecurity" in that its recent growth has been "silent" and "deadly." She added that it will take "days and weeks" of investigation before authorities can determine if the original operatives at DarkSide carried out the attack on Colonial Pipeline — or whether a third-party contracted their services.
In an announcement posted on the Russian blog XSS and obtained by Intel471, DarkSide said on Thursday that it would immediately cease operations of its RaaS program. The group also informed its affiliates that its blog, ransom-collection website and "breach data content delivery network" were all seized by an unspecified law enforcement agency. Funds were also allegedly exfiltrated from their cryptocurrency wallets.
According to Intel471 and the cybersecurity firm Flashpoint, numerous cybercrime syndicates last week claimed they have taken their online infrastructure offline and are abandoning ransomware altogether because of the negative attention directed toward them.
"Too much attention for these groups is not [necessarily] a good thing," Tom Hoffman, senior vice president of intelligence at Flashpoint, told CBS News. He said it wouldn't be a surprise if they shut down operations only to congregate with another group.
"From their perspective, it is easy to reemerge at a later date and reconstitute their operations," Hoffman said.
"Too much money to be made"
One reason turnkey ransomware programs have grown is the soaring popularity of cryptocurrencies, which criminal groups often use to launder money, experts say. Payton said that prior to cryptos, payments were more difficult to launder and often involved gift cards or services through legitimate venues like Western Union and PayPal.
Nearly $350 million worth of cryptocurrency was spent in transactions involving ransomware last year, according to a review from cybersecurity firm Chainanalysis. While ransomware accounted for less than 10% of all crypto funds received by criminals last year, the amount of funds transferred has dramatically increased, jumping more than 300% compared to 2019.
Cybersecurity experts believe that number is much lower than the actual figure because many companies end up paying the ransom without reporting the breach to officials. Arena said if companies are ever required to report any ransom payments they make, "people will discover pretty quickly that it's significantly bigger than what's going public."
Regardless of the claims by some RaaS groups that they are ceasing operations, Hoffman said at this point, the business of ransomware is here to stay.
"If these groups go into retirement, there's just going to be the next generation of criminals that step into their place," Hoffman said. "It's not going to go away; there's too much money to be made. It is too valuable from a criminal perspective to allow this to not continue," he added.