Pipeline Ransomware: All Alarms and No Surprises

May 11, 2021

By Dr. Wesley McGrew, Senior Cyber Fellow

Colonial Pipeline Co. was compromised by the DarkSide ransomware cybercrime group recently and had to temporarily halt pipeline operations to address and recover from the compromise. Pipelines are critical infrastructure, so the impact of this disruption goes way beyond the company itself. This leads to a lot of speculation about ties between the DarkSide group and the Russian government, the motivations behind targeting sensitive and critical organizations, and the publicly stated ethical boundaries of cybercrime groups. While the impact of this disruption makes the story newsworthy and interesting to analysts, it should not be surprising that this happened, and more attacks with greater disruption in the future shouldn’t be surprising either. It is the nature of cybercrime.

When conducted for profit, cybercrime operates on the same basic principles as a legitimate business. If you are operating for profit, you may seek out work that gives a large return. Time and resources spent doing the work cut into that return. Cybercriminals profit—like any of us do—by maximizing work and minimizing the cost in time and resources.

Ransomware operators maximize work through automation. It would be inefficient for them to select a target and then attempt to find a vulnerability that would give them a foothold suitable for a ransomware infection. At any given moment, a selected target may not have an exploitable vulnerability, and finding one among all the potential holes in the target’s attack surface is labor-intensive. It is more efficient to identify one potential vulnerability and scan many organizations for it, which can be automated. It may also be more efficient to send phishing emails to many organizations at once.

This means that targets are selected opportunistically. A group like DarkSide will choose to conduct ransomware campaigns against organizations from the set identified as vulnerable by automated scanning and mass phishing. Once a foothold has been established, there is little motivation to abstain from conducting a full campaign, so more effort is likely spent figuring out a ransom amount than on any kind of decision process about the ethics or pragmatism of disrupting a specific target.

DarkSide specifically has claimed that they will not attack healthcare, education, nonprofit, or government targets. Public statements such as these are a red herring. It is foolish to ascribe “honor among thieves” to cybercrime operators that are focused on maximizing profits. The automation and efficiencies implemented by ransomware groups prevent them from being as selective or ethical as they might outwardly claim.

DarkSide is not alone. There are a large and growing number of similarly capable ransomware operators. If an organization is vulnerable in a way that opens it to a ransomware attack, it is not a matter of “if” but “when” a group will identify that vulnerability and decide to conduct a malicious campaign. If DarkSide had not infected Colonial Pipeline, we would be talking about an identical attack on their operations days, weeks, or months from now by a similar criminal organization. A decision by one group to be ethical in targeting only delays the inevitable.

Some analysis of the recent news has focused on the question of the Russian government’s responsibility for the attack. This gets fuzzy because, in Russia and China, the line between “state-sponsored” hacking groups and cybercriminal organizations is not as clean as it is here in the United States. Foreign intelligence organizations have been known to use cybercrime enterprises to conduct non-attributable, deniable operations. Those groups, in addition to state-directed operations, also pay the bills with opportunistic cybercrime. Usually, these groups are very careful not to target Russian-speaking countries (a lot more careful than they are about avoiding critical infrastructure). There isn’t any clear benefit to the Russian government in disrupting this pipeline’s operations in this way at this time, and it seems likely to have been carried out on DarkSide’s own time and direction.

When it comes to ransomware and extortion (threatening to leak stolen data), questions about targeting, motivation, and victim selection are interesting but rarely productive. Nothing is surprising when it comes to profit-motivated cybercrime attacks:

  • If you are vulnerable, you will be targeted.
  • Cybercrime operators will not be selective based on ethical concerns. If one is, the next one will not be, and there is a very long line.
  • You’re not being targeted because of who you are or where you are. You’re being targeted because you have the capacity to pay a ransom, and you’re the next in line of “most vulnerable targets identified”.

There’s a saying: “You don’t have to be faster than the bear to get away, you just have to run faster than the guy next to you.” While this holds in cybersecurity to a certain extent, there are an awful lot of very fast “bears” coming after you. You are better off identifying the vulnerabilities that would lead to compromise sooner, with a trusted partner capable of using offensive testing effectively and communicating the results to you in an actionable way, than spending much more later on disruption, incident response, and recovery. Nothing is surprising about the targeting of organizations by ransomware operators, and it will continue as long as there are vulnerable targets. There are no “off-limits” targets. Don’t let them take your organization by surprise.