In our ransomware report from late 2020, we explained how some ransomware groups were offering their services to others. Ransomware-as-a-Service (RaaS) has become popular and generated much discussion on the criminal underground. It represents an easy and accessible way for malicious actors to earn a few dollars.
In our report, we mentioned that ransomware groups were wary of the attention that hacking into sensitive organizations generated. These groups, for example, wanted nothing to do with malicious actors hacking into hospitals, government computers and schools. Public hacks brought bad publicity, attention from law enforcement, and were ultimately bad for business.
Colonial Pipeline Hacking
The attack against a major American pipeline, Colonial Pipeline, brought this issue to the forefront of news and cybersecurity discussions over the past weeks. The company was severely crippled by a ransomware attack that left it with no other choice but to shut down its pipeline, creating a massive inflation on gas pump prices. The pipeline remained closed for a few days, until a USD$4.4 million ransom was paid, and operations could be resumed.
Government agencies recommend that companies do not pay ransoms, no matter what the costs of not paying are. This is in line with the traditional ‘no negotiation with terrorists’ that we have heard so many times. It is believed that if companies stopped paying ransoms, then the ransom problem would go away. Malicious actors would move on to new activities that generated a better pay day.
Cancelling Ransomware Services
In the wake of the Colonial Pipeline attack, three large forums from the criminal underground decided to ban discussions and advertisements related to ransomware. This ban impacts ransomware-as-a-service advertisements, but also all other discussions of ransomware for sale in a more traditional sense. These forums effectively acted to make the RaaS disappear, and go even deeper underground, erasing a significant part of its recent history.
This is a significant but not unprecedented move. The criminal underground had in the past canceled advertisements and the sale of child pornography, weapons, poisons and hard drugs like fentanyl. It was believed these would not only draw too much attention from the media, legislators and law enforcement, but also to be too small of a market to generate revenue significant enough to compensate for the trouble they created.
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
Cancelling certain products made them much more difficult to find, even on the dark web. They also eliminated many of the regulations afforded by dark web marketplaces. As such, buyers and sellers now have to enter riskier transactions where they can more easily be taken advantage of. This ends up creating a lemon market, where lots of activity still happens, but in a more chaotic environment.
Looking Ahead at New Opportunities
These cancellations suggest that the media can influence the criminal underground. This is a major development, as social pressure could help us get rid of some of the most harmful aspects of the criminal underground.
Future news reports that would, for example, concentrate on small and medium business payday fraud could help draw malicious actors away from this practice, and prevent creating more victims of this extremely damaging fraud. Indeed, most small and medium businesses have no insurance or recourse when their lines of credit and bank accounts are emptied by malicious actors, and sometimes even have to go bankrupt because of the hack. We often feel powerless against malicious attacks, but this is a clear sign that organizing a response to attacks can help make them more difficult in the future.
Whether it comes as a service or from direct attacks, it is clear that ransomware is not a problem that is going away anytime soon. The Colonial Pipeline attack has shown that it was possible to make millions of dollars in a matter of days with this attack. This is simply too good of an opportunity to pass, and we expect malicious actors to continue their ransomware attacks. Access to this malware may now be more difficult however, and only be provided through chat rooms with little moderation. Access could also move to decentralized marketplaces and private markets.
In a sense, the media has managed to make it more difficult for unconnected malicious actors to get into the ransomware game. This may not change the focus of cybersecurity teams in the future, but it will at the very least reduce the number of opponents they have to face, and may make their job just a little easier.