Hackers appear to have developed a conscience, but they are unlikely to disappear forever.
Ransomware, a type of malware that threatens to publish a victim's data or permanently block access to it unless a ransom is paid, has long had disastrous consequences for businesses. Organizations have lost critical business data as a result of such attacks, and have suffered significant financial harm when revenue-producing operations are knocked offline.
Recently, however, ransomware has moved further into the public eye. The attack on Colonial Pipeline, for example, not only forced the US's largest fuel pipeline offline after hackers stole 100GB of data, but also drove up fuel prices to their highest level since 2014, prompting four states to declare states of emergency.
This came after a ransomware attack in May, which forced Ireland’s Health Service Executive (HSE), which oversees healthcare and social services in the country, to shut down all of its IT systems. As a result, the HSE warned patients that while essential services such as COVID-19 vaccinations would continue, they might face delays or cancellations of appointments.
Following these attacks, which had devastating and possibly unintended societal ramifications, it appears that hackers are developing a morality. The DarkSide hacking group, which was responsible for Colonial Pipeline's six-day closure, has since disbanded and released decryption tools for all the companies whose data it was holding to ransom but who had yet to pay. In a statement posted on its website, the criminal hacking group stated, “Our goal is to make money, not create (sic) problems for society.”
“By targeting critical national infrastructure, the DarkSide ransomware operators raised their head above the parapet and exposed their operations to a far greater level of scrutiny from both media and law enforcement,” Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, tells IT Pro. “If they had continued to solely target private sector companies, which has brought continued success across the ransomware landscape, this level of scrutiny would not have occurred.”
Amid this increased scrutiny, DarkSide isn't the only ransomware group to call it quits in recent months. Maze, one of the most notorious hacking groups in the world, announced its disbandment in a “retirement” note on its darknet site, while Avaddon recently announced it was suspending operations and releasing decryption keys for nearly 3,000 of its victims.
Furthermore, in the aftermath of these high-profile attacks with such far-reaching consequences, the cyber crime forum Exploit.in announced that ransomware-related discussion and activity would be banned.
Is ransomware as we know it dead, or will these gangs rise from the ashes?
The recent actions of DarkSide, as well as REvil, the Russian hacking gang which earlier targeted Brazilian global meat supplier JBS and has since distanced itself from the attack, show that “a sea-change is underway,” according to Christopher Budd, senior global threat communications manager at Avast.
“Both DarkSide and REvil took steps to distance themselves from the unprecedented impact of the attacks attributed to them. DarkSide's operations have been disrupted, its funds have been taken, and it is dealing with affiliates who claim they are owed money,” according to Budd.
“Other ransomware creators have taken notice and responded. The Avaddon group, for example, announced some limitations on the types of attacks they'll carry out or allow their affiliates to carry out, including a prohibition on targeting government-affiliated entities, hospitals, or educational institutions. REvil was one of the operators who stated that certain attacks would be banned prior to the JBS attack. This backs up their claim, implying that the JBS attack's outcomes were not what they expected.”
While this is a positive step, few believe it should be interpreted as a sign that the threat of ransomware is diminishing. While some gangs may have exited amid the publicity, many ransomware gangs are likely simply regrouping or scaling back their marketing (advertising on forums) and reverting to a private modus operandi.
“Larger campaigns (such as REvil or Avaddon) can continue their business by leveraging an already healthy affiliate network. Smaller organisations may have been forced to close as a result of the forum bans because they lack the resources to maintain such a supply chain.”
While smaller ransomware groups may feel the heat of increased law enforcement scrutiny, Paul Robichaux, senior director of product management at Quest, believes that larger groups will simply rebrand.
“These gangs are rebranding, not dissolving. A comparison can be made to small furniture stores that operate for a few years before having large ‘going out of business’ sales before reopening two weeks later under a new name, in the same location, with the same inventory. It's the same situation.
“A successful parasite does not kill its host too rapidly. Ransomware gangs which draw too much attention by attacking the wrong targets will face increased scrutiny and be forced out of business by law enforcement. The more astute will choose their targets more carefully, both in terms of industry and geography.
“The most astute will concentrate all of their efforts on areas where there is unlikely to be any significant intelligence community or law enforcement reaction.”
What should businesses be on the lookout for now that ransomware gangs are unlikely to shut down their operations for good? Attacks will only get more sophisticated, according to Kevin Curran, a senior IEEE member and professor of cyber security at Ulster University.
He tells IT Pro: “Cyber crime has become an industry, and attackers are most certainly becoming far more organised. Many have cybercrime units, such as partner networks, associates, resellers, and vendors, which are typical of any large legitimate business. They even have dedicated call centres, which are typically used to assist ransomware victims with their requests.
“Of course, they use sophisticated obfuscation techniques such as dark web forums, encryption, VPNs (virtual private networks), and other obfuscation techniques to remain hidden. They also sell franchises that allow other hackers to copy their botnets and compromise vectors, as well as provide training.”