RaaS, the Terrifying Trend Behind the Colonial Pipeline Attack

The biggest cyber attack news story of 2021 may have already happened. Earlier this month, the Colonial Pipeline Company, operator of America's most extensive fuel pipeline system, fell victim to a ransomware attack of historic proportions.


The most immediately noteworthy aspect of the Colonial Pipeline ransomware attack is its massive real-world impact. By compromising critical systems used to manage pipeline operations, the attack forced Colonial Pipeline to halt operations, effectively cutting off almost half of the fuel supply consumed on the East Coast of the US. Summing up the profound impact of this attack, Rob Lee, CEO of industrial cybersecurity company Dragos, told Wired that this was "the largest impact on the energy system in the United States we've seen from a cyberattack, full stop."

Perhaps unsurprisingly, Colonial Pipeline paid the ransom demanded of it, $5 million, within hours of the attack. Nevertheless, the company was still forced to use its backup systems to restart operations, as the decryption tool provided by the attackers proved too slow. Aside from showcasing how ransomware attacks on critical infrastructure can cause outsized disruption, the Colonial Pipeline attack also highlights another worrying development in today's threat landscape: financially motivated actors are becoming more capable.

In direct contrast to the recent state-backed SolarWinds attack, the Colonial Pipeline ransomware attack was purely money-driven. That profit-motivated threat actors are both capable and willing to shut off fuel supplies for tens of millions of people illustrates a dangerous escalation in the cyber warfare arms race — the growth of ransomware as a service (RaaS).


Ransomware-as-a-Service Schemes Are Booming

The growth of ransomware attacks is on track to be one of the most notable cybersecurity trends of the decade. With ransomware attack numbers rising by 485% in 2020 and increasing by a further 102% in the first half of 2021, ransomware is already the biggest threat to organisations globally.  

While triple-digit growth rates for ransomware are undoubtedly shocking, behind them are the same market forces driving innovation elsewhere in the software world. Similar to how software as a service (SaaS) has democratised access to enterprise-grade business tools, powerful ransomware is now available on subscription. 

Previously the preserve of well-funded or state-backed threat actors, the recent emergence of RaaS means that even inexperienced criminals can now launch attacks capable of crippling both private organisations and state bodies. Far from an isolated threat, more than half (64%) of all ransomware attacks analysed by Group-IB in 2020 were linked to the subscription-based RaaS model, with 15 new public ransomware affiliate programs emerging in the last year alone. Colonial Pipeline is just another victim of this ascendant trend: the ransomware used against it was supplied by the DarkSide group.


As Advanced Malware Becomes More Accessible, Ransom Demands Are Climbing 

Under the RaaS model, ransomware developers rent their strains out to affiliates in return for a share of the profits, which makes affiliates more likely to demand higher ransoms to cover the commission due. Alongside the fact that RaaS enables more threat actors than ever to engage in cybercrime, this profit driver helped grow extortion demands by more than 100% last year, with the average ransom now amounting to $170,000. However, this average hides the increasing frequency of enormous demands. When cybercriminals sense a victim's willingness or need to pay, they are prepared to demand millions.

But RaaS has a downside for malware developers. RaaS operators may not always be able to control who their affiliates target. DarkSide, the ransomware gang responsible for the attack on Colonial Pipeline, tried to distance itself from the incident, saying, "We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not creating problems for society." 

DarkSide has since quit the RaaS business, citing disruption to its operations, including lost access to its public-facing portal and the apparent transfer of its funds to an unknown account. Other ransomware groups, such as Avaddon and REvil, have announced new rules for their affiliates, like a ban on targeting government-affiliated entities, schools, and hospitals. However, whether RaaS operators will be able to enforce these rules is questionable.

About the author


Brad Freeman, Head of Threat Analysis, Senseon

Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure. Senseon..


Ransomware Attacks No Longer End When Ransoms Are Paid and Systems Remediated

Attackers have long realised that merely paralysing a victim's operations may not be enough to secure a ransom payment, particularly when backups are available. As a result, modern ransomware strains, like DoppelPaymer, don't just encrypt victims' data but exfiltrate it before encryption begins. This capability unlocks a tactic known as "double extortion," where the threat of having sensitive information exposed online is used to pressure wavering victims. Sometimes, victims even have to pay twice: once to decrypt their data and once to ensure that the data isn't published online. To put even more pressure on their victims, attackers may also overload their websites with DDoS attacks.

These kinds of ransomware attacks surged in 2020, with at least 34 ransomware groups exposing stolen data belonging to over 2,000 organisations to date. As if double extortion wasn't alarming enough, there have recently been reports of attackers using triple extortion tactics. In triple extortion, the attackers not only steal data from an organisation and threaten to leak it if it doesn't pay, but also go after the data subjects themselves. In October 2020, cybercriminals who hacked a Finnish psychotherapy clinic demanded ransom payments from both the clinic and its patients.


Organisations Need to Prioritise Proactive Defence

As shown by the exponential rise in ransomware incidents and the increasing frequency of headline-making attacks like the one that struck the Colonial Pipeline, today's cybersecurity status quo is not protecting organisations against modern ransomware.

Although most enterprises now deploy around 45 cybersecurity tools on their networks, the average security team's ability to contain threats has decreased by 13%.

As a result, increased spending on cybersecurity solutions appears to be giving organisations less rather than more security. Indeed, about 40% of organisations are so overwhelmed by security alerts that they have no choice but to ignore at least 25% of them. Yet 70% of organisations plan on increasing their cybersecurity spending post-pandemic.

What this paradox shows is that as they ramp up cybersecurity budgets, rather than buying more tools, organisations need to take a proactive approach to cybersecurity, which involves:

  • Providing ransomware-focused cybersecurity training to all employees. Phishing emails — the number one ransomware attack vector — are now so sophisticated that 97% of users are unable to recognise them. Phishing email training is a critical step in patching up the biggest weakness in any organisation’s cybersecurity — employees. 

  • Using multi-factor or even passwordless authentication. Weak passwords can act as entry points to ransomware. Multi-factor authentication on admin accounts can reduce the risk of ransomware by 40%. Passwordless authentication is even better because it removes the need for passwords altogether.  

  • Implementing zero-trust security. Once attackers breach network perimeters, nothing is stopping them from moving laterally through the networks to find valuable data. To prevent this from happening, organisations should consider implementing zero trust architecture, which limits lateral movement and reduces potential damage. 

  • Investing in cybersecurity solutions that work. Most cybersecurity tools rely on rules or signatures to detect ransomware, but signatures are only useful in detecting already known threats. What is needed instead is a solution that focuses on behaviour-based security. A self-driving cyber defence platform, Senseon Reflex works 24/7, monitoring deviations from normal behaviour patterns to detect and stop in-progress threats in seconds — faster than any human analyst. 
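The script below is an added illustration, not code from this post or from SenseOn. It contrasts the signature model described above (a hash blocklist that only recognises binaries already seen) with two behaviour-based checks, run over a constructed endpoint event stream that follows the double-extortion sequence described earlier: bulk outbound transfer to one external host, then a burst of file renames to a ransom-style extension. The hashes, host name, process IDs, paths, the 203.0.113.10 address (a documentation range) and the thresholds are all assumptions chosen for the example.

```python
"""Signature vs behaviour-based ransomware detection over constructed endpoint
telemetry. Added example for illustration; not SenseOn code."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed blocklist of "known bad" process-image hashes. The value is made
# up for the example and corresponds to no real sample.
KNOWN_BAD_HASHES = {"0" * 64: "known.ransomware.sample"}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since an arbitrary epoch
    host: str
    pid: int
    sha256: str    # hash of the process image that produced the event
    kind: str      # "file_rename" or "net_out"
    target: str    # new path for file_rename, remote IP for net_out
    size: int = 0  # bytes sent, for net_out only


def build_sample_events():
    """Constructed telemetry from one workstation. An unknown binary (pid 4242)
    pushes 480 MB to a single external host over eight minutes, then renames
    120 documents to .locked in forty seconds. A backup agent (pid 900) renames
    ten files to .bak over ten minutes as benign background noise."""
    unknown = "f" * 64   # absent from KNOWN_BAD_HASHES, so signatures miss it
    backup = "b" * 64
    events = []
    for i in range(48):  # 48 x 10 MB = 480 MB to 203.0.113.10 (documentation range)
        events.append(Event(1000 + i * 10, "ws-17", 4242, unknown, "net_out",
                            "203.0.113.10", 10 * 1024 * 1024))
    for i in range(10):
        events.append(Event(1000 + i * 60, "ws-17", 900, backup, "file_rename",
                            f"/home/u/docs/{i}.docx.bak"))
    for i in range(120):
        events.append(Event(1600 + i // 3, "ws-17", 4242, unknown, "file_rename",
                            f"/home/u/docs/{i}.docx.locked"))
    return sorted(events, key=lambda e: e.ts)


def signature_alerts(events):
    """Signature model: fires only when the process hash is already known bad."""
    hits = {(e.host, e.pid, KNOWN_BAD_HASHES[e.sha256])
            for e in events if e.sha256 in KNOWN_BAD_HASHES}
    return sorted(hits)


def burst_alerts(events, kind, window, threshold, weight=lambda e: 1, key=lambda e: ()):
    """Sliding-window rate detector. Events are grouped by (host, pid, key(e));
    a group fires once the weighted sum of its `kind` events within `window`
    seconds reaches `threshold`. `events` must be in time order."""
    windows = defaultdict(deque)
    fired = set()
    for e in events:
        if e.kind != kind:
            continue
        group = (e.host, e.pid) + key(e)
        q = windows[group]
        q.append((e.ts, weight(e)))
        while q and q[0][0] < e.ts - window:   # drop events older than the window
            q.popleft()
        if sum(w for _, w in q) >= threshold:
            fired.add(group)
    return sorted(fired)


def encryption_burst_alerts(events, window=60, threshold=50,
                            ransom_exts=(".locked", ".encrypted", ".crypt")):
    """Behaviour: many renames to a ransom-style extension by one process."""
    return burst_alerts(events, "file_rename", window, threshold,
                        weight=lambda e: 1 if e.target.endswith(ransom_exts) else 0)


def exfil_burst_alerts(events, window=600, threshold_bytes=256 * 1024 * 1024):
    """Behaviour: one process sends an unusual volume to one remote host."""
    return burst_alerts(events, "net_out", window, threshold_bytes,
                        weight=lambda e: e.size, key=lambda e: (e.target,))


def analyse(events):
    return {
        "signature": signature_alerts(events),
        "encryption_burst": encryption_burst_alerts(events),
        "exfiltration_burst": exfil_burst_alerts(events),
    }


if __name__ == "__main__":
    for name, alerts in analyse(build_sample_events()).items():
        print(f"{name:>18}: {alerts or 'no alert'}")
```

On the constructed stream the signature check returns nothing, because the binary's hash has never been catalogued, while the exfiltration detector fires about four minutes into the transfer (before any file is touched) and the encryption detector fires at the 50th rename, roughly seventeen seconds into the burst. The backup agent never trips either check because its renames use a benign extension and are spread over ten minutes. In production the thresholds would be derived from each host's own baseline rather than fixed constants, which is the point of behavioural rather than signature-driven detection.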


Final Thoughts

With a growing cybercriminal appetite for profit, the emergence of RaaS, and "triple extortion" tactics now commonplace, we are more than likely to see even more ransomware attacks in 2021. Regrettably, as past incidents have shown us, no industry, no matter how vital it is to society, is exempt from these attacks. As cliché as it sounds, at least 60 successful ransomware attacks will have been carried out in the time it takes you to read this blog post. Rather than running down this cyber attack doomsday clock, organisations need to act immediately and proactively against ransomware, the biggest cyber threat their operations are ever likely to face.


Brad Freeman

Brad has over a decade's experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. He has led the threat hunting and research teams at global organisations such as BT, managed security operations at EE, and performed incident response offshore on oil and gas platforms.

Brad now leads the threat analysis team at Senseon, applying machine learning and AI to detect and investigate cyber adversaries. Brad specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.

Brad holds the CISSP and CISM certifications.
