The hack occurred when the group DarkSide, thought to be based in Eastern Europe, carried out a ransomware attack on the Colonial Pipeline company. The attack led to service disruptions that primarily affected the southeastern United States: there were long lines at gas stations, and many stations ran out of fuel altogether. From what we currently know, Colonial Pipeline ended up paying the DarkSide group roughly $5 million, and the company is working on restoring operations. Ransomware attacks aren’t new, but they are becoming more prevalent and more severe; attackers are demanding much higher sums than they did a few years ago. Many companies are now putting in place a zero-trust architecture, in which no user, device or network segment is trusted by default and every access request is verified. Because that limits how far an intruder who has compromised one account or endpoint can move, zero trust is widely considered one of the best ways to combat the most common cyberthreats right now. Along with the general concept of ransomware, there’s another term being discussed in connection with the Colonial Pipeline situation: ransomware as a service, or RaaS. Below is more information about what that means and how it affects cybersecurity.
DarkSide and Ransomware As a Service
We don’t currently know the specific vulnerability or entry point the DarkSide group used to get into Colonial Pipeline, but we are learning more about this group of cybercriminals. They first became well-known in the cybercriminal underground in 2020, debuting their ransomware on a Russian-language hacker forum in November of that year. The DarkSide representative was advertising for partners so the group could run an affiliate model. Intel471, a firm that researches and analyzes cybercriminal groups, later spotted the ransomware being used against targets in the U.S. and Europe, typically law firms and manufacturers. DarkSide advertised features such as enhanced encryption settings, a service that would place phone calls to pressure victims into paying, and the ability to launch distributed denial-of-service attacks against victims who refused. Affiliates typically gained initial access by exploiting software vulnerabilities or by using stolen credentials, then moved laterally through the network, exfiltrated data, and finally deployed the ransomware. To get that initial foothold, they would often purchase credentials on the dark web, conduct brute-force attacks against login services, or run spam campaigns. The feature set DarkSide was offering to attract affiliates shows how sophisticated ransomware operations have become.
What is Ransomware as a Service?
Ransomware as a service is a business model run by ransomware developers. It mirrors what legitimate software companies do with their SaaS products: the developers lease variants of their ransomware to customers, who carry out the attacks. Even someone with little technical know-how can launch a ransomware attack this way, which is one of the scariest facts about RaaS. A RaaS customer doesn’t need the skill or time to create their own malware, and they can launch attacks quickly, easily and cheaply. Customers go to the dark web and find what they’re looking for, advertised much like any product on the legitimate internet. Buying a RaaS kit comes with user reviews, forums, support, bundled offers, and everything else you would expect when buying a legitimate SaaS product. A kit can range from $40 a month up to several thousand a month, and since the average ransom demanded is in the hundreds of thousands of dollars, the return on investment can be massive. An attacker doesn’t need every campaign to succeed; even an occasional payout covers the cost of the kit many times over.
How Does RaaS Work?
There are a few different revenue models for RaaS. There’s a monthly subscription with a flat fee. There are affiliate programs, which add to the monthly fee a percentage of each ransom paid to the RaaS operator; it’s believed that’s how DarkSide was operating. There’s a one-time licensing fee without any profit-sharing, and there’s a pure profit-sharing model with no upfront cost. To use RaaS, a customer logs into the operator’s portal, makes an account, pays in Bitcoin, and chooses the type of malware they want. Subscribers then get automatic feature updates, support, and more. Some operators run portals where subscribers can see the status of their infections, information about their targets, and even the total number of files encrypted.

RaaS is a huge and competitive marketplace. There’s product marketing content like in any other business, and RaaS revenue in 2020 is estimated to have been around $11.5 billion higher than the year before. The primary way victims are targeted in ransomware attacks is phishing: the attacker tricks a user into opening a malicious link or attachment, often in order to steal credentials or deliver malware. Human error and emotion are a big part of why phishing works so well despite being far from new.

When a victim clicks the link sent by a RaaS affiliate, they are directed to download a file or sent to a malicious website, and from there the ransomware can move through the system. Ransomware is often able to disable antivirus software. If even one endpoint is vulnerable, it can be exploited to gain access to the entire network, which means ransomware can take a whole organization hostage. The ransomware tends to hide behind legitimate-looking processes, so it’s tough to tell that there is a breach until the damage is done. Then, once the files are encrypted or otherwise inaccessible, the attackers begin to extort their victims.
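The attack chain described above (a phishing payload that disables antivirus, then encrypts files in bulk and drops a ransom note) leaves traces that a detection engineer can look for. What follows is an added example, not part of the original article and not DarkSide’s or any vendor’s code: a small Python detector run over constructed endpoint events. The event format (timestamp, host, process, action, target), the tamper-command patterns, the ransom-note name pattern and the rename threshold are all assumptions chosen for illustration; real EDR or Sysmon telemetry will differ in shape and will need tuned thresholds.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample events (not real telemetry). Assumed line format:
# "<ISO timestamp> <host> <process> <action> <target ...>"
# A user opens a phishing attachment, the payload disables the AV service,
# bulk-renames documents as it encrypts them, then drops a ransom note.
# The last two lines are benign activity from a real word processor.
SAMPLE_EVENTS = [
    "2021-05-07T08:00:01 ws-17 outlook.exe spawn invoice.pdf.exe",
    "2021-05-07T08:00:05 ws-17 invoice.pdf.exe exec sc stop WinDefend",
    "2021-05-07T08:00:06 ws-17 invoice.pdf.exe exec powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
] + [
    f"2021-05-07T08:00:{10 + i:02d} ws-17 invoice.pdf.exe rename "
    f"C:\\Users\\bob\\Docs\\report{i}.docx C:\\Users\\bob\\Docs\\report{i}.docx.locked"
    for i in range(12)
] + [
    "2021-05-07T08:00:25 ws-17 invoice.pdf.exe write C:\\Users\\bob\\Docs\\README_TO_RESTORE.txt",
    "2021-05-07T08:05:00 ws-17 winword.exe rename C:\\Users\\bob\\Docs\\notes.docx C:\\Users\\bob\\Docs\\notes-final.docx",
    "2021-05-07T08:05:10 ws-17 winword.exe write C:\\Users\\bob\\Docs\\notes-final.docx",
]

# Assumed command-line patterns for tampering with the built-in AV.
AV_TAMPER_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b", re.I),
    re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring", re.I),
    # Shadow-copy deletion is a common companion step that blocks easy recovery.
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
]
# Assumed naming convention for dropped ransom notes.
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|restore|recover|decrypt|how[_ -]?to)[^\\/]*\.(txt|html?)$", re.I)
MASS_RENAME_THRESHOLD = 10  # assumed: this many extension-changing renames by one process ...
WINDOW_SECONDS = 60         # ... within this many seconds is treated as bulk encryption

Alert = namedtuple("Alert", "rule host process detail")


def parse_event(line):
    """Split one assumed-format event line into its fields."""
    ts, host, process, action, target = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": process, "action": action, "target": target}


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return alerts for AV tampering, bulk extension-changing renames and ransom notes."""
    alerts = []
    rename_times = defaultdict(deque)  # (host, process) -> recent rename timestamps
    already_flagged = set()            # report bulk encryption once per process
    for ev in map(parse_event, lines):
        key = (ev["host"], ev["process"])
        if ev["action"] == "exec":
            if any(p.search(ev["target"]) for p in AV_TAMPER_PATTERNS):
                alerts.append(Alert("av_tamper", *key, ev["target"]))
        elif ev["action"] == "rename":
            src, dst = ev["target"].split()
            if extension(src) == extension(dst):
                continue  # ordinary rename, e.g. notes.docx -> notes-final.docx
            window = rename_times[key]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()  # drop renames that fell out of the sliding window
            if len(window) >= MASS_RENAME_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(Alert("mass_encryption", *key,
                                    f"{len(window)} extension-changing renames in {WINDOW_SECONDS}s"))
        elif ev["action"] == "write" and RANSOM_NOTE_PATTERN.search(ev["target"]):
            alerts.append(Alert("ransom_note", *key, ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the sample produces two av_tamper alerts, one mass_encryption alert (raised at the tenth rename, well before all twelve documents are touched) and one ransom_note alert, all attributed to invoice.pdf.exe; the word processor’s rename and write trigger nothing. The point of the sliding window is that the AV-tamper alert alone is the earliest and cheapest signal, while the rename counter catches payloads that never touch the AV at all; in production the threshold has to be tuned against legitimate bulk operations such as backup agents and build tools.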
The victim will usually receive a note telling them they must pay a ransom to get a decryption key. If all of this sounds scary, it is. It’s important for organizations and individuals to understand how easy it is to launch a RaaS attack. Having the right cybersecurity measures in place is critical to protecting your business: for the attack chain described here, that means multi-factor authentication and phishing training to blunt the initial lure, prompt patching and segmentation to stop one compromised endpoint from becoming the whole network, endpoint monitoring that notices when security tools are switched off, and offline, regularly tested backups so that encryption is a recoverable outage rather than a ransom decision. Keeping up to date with the growing threats is essential.