RaaS gangs go “private” after stirring a hornet’s nest

After a decade or so of ransomware attacks against sometimes very prominent targets, the recent Colonial Pipeline ransomware attack by the Darkside gang has been the proverbial straw that broke the camel’s back, as the attack was followed by a temporary shut down of the pipeline, which then led to widespread fuel shortages in the Southeast United States and the government issuing a state of emergency for 18 states.

The Darkside gang, which operates a Ransomware-as-a-Service, realized they had stirred up a hornet’s nest and tried to ameliorate the situation by stating they are not politically motivated and that they will, in the future, check each company that their partners want to encrypt “to avoid social consequences.”

Soon after, the gang said that they lost access to the public part of their infrastructure and that they will be releasing decryption tools for all of the companies that have been hit but haven’t paid the ransom. Also, that the funds they stashed on the payment servers have been “withdrawn to an unknown address.”

According to Intel 471 researchers, other ransomware gangs reacted with changes to their RaaS programs. Some said they will be going “private” – a decision that must have been partly made because several Russian-language hacking forums (XSS, Exploit.in, Raid) banned ransomware-related ads and activity. Some, like the Avaddon RaaS group, said that they will be barring affiliates from targeting government, healthcare, educational and charity organizations.

In the meantime, various ransomware gangs hit and disrupted the Irish health service, four European subsidiaries of Toshiba, a German chemical distribution company (Brenntag SE), several branches of insurance giant AXA (after the company recently announced that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals), and likely many other less prominent targets.

I think that no-one is under the illusion that the threat is going away soon.

Combating the threat of ransomware

In late April, the Institute for Security and Technology’s Ransomware Task Force (RTF) released a comprehensive strategic framework to help worldwide organizations fight against ransomware.

Put forth by 60+ experts from top tech and cyber security companies, government agencies, law enforcement, civil society groups, cybersecurity insurers and other international organizations, the recommendations are meant to be implemented by various entities across the globe, including governments, to tackle the threat holistically.

Time will tell whether these will be implemented, but one thing is sure: this is not a problem that can be solved by a single government / nation, nor by taking just some steps and not others.

In the meantime, organizations are largely left to fend for themselves, though advice from governments and experts is available.