Ransomware-as-a-Service: Fueling the Latest Large-Scale Attack

Another week and another headline about ransomware groups shutting down a major corporation. On May 7, 2021, Colonial Pipeline Company, the largest US fuel pipeline, which provides 45% of the fuel for the East Coast, turned off the taps after an attack by ransomware group DarkSide.

This caused a gas shortage throughout the Northeastern United States. DarkSide hacked the company’s system, which prompted a blunt “I told you so” from Richard Glick, the chairman of the Federal Energy Regulatory Commission (FERC).

While most of the power grid has been subject to strict cybersecurity protocols for 10 years, oil, natural gas, and hazardous liquid pipeline operators were under voluntary compliance, leaving actual measures to the discretion of individual owners.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” said Glick.

Let’s go over two things to understand about this event, followed by next steps.

Ransomware-as-a-Service

Unlike the recent state-sponsored ransomware attacks, the DarkSide hacking group operates as a ransomware-as-a-service model, which means they license out their ransomware encryption technology to any group willing to pay for access to that technology.

They provide the technology, training, and best practices advice to attackers who want to extort money from companies. In return, DarkSide collects a fee and a portion of the ransom payments.

In a 21st century twist on the criminal with a conscience, DarkSide has even put out statements reinforcing their apolitical nature, expressing regret for causing a human impact, and stating their sole focus is making money, not geo-politics. It’s not personal, it’s just business. (Cue the Al Pacino voice.)

That stark admission of a sole focus on money is exactly why every company should consider themselves a target of ransomware.

Attackers will research your business for vulnerabilities and to evaluate the ROI of teaming with a hacker-for-hire, including reviewing your financial statements, business relationships, and yes, even searching whether you have a cyber insurance policy.

Difference Between IT and OT

Another takeaway is the difference between information technology (IT) and operational technology (OT).

IT is your corporate network, the place that connects the various aspects of your business functions and deals with all of the information passing throughout your company. OT is the technology that controls a physical process or operation of something tangible.

Understanding the crucial difference between these two sets of networks helps you evaluate and understand your risks—especially those in the manufacturing space. If you don’t focus on them, the hackers will.

Back to Colonial Pipeline. The company’s OT included logic controllers that regulated how much gas flowed through the physical pipeline. And this OT network is where the real damage can be done during a cyber attack—moving the losses from a financial problem to a physical, real-world problem.

To minimize the risk potential, creating firewalls between these two networks is crucial—it can prevent an attacker that gets access to your IT network from moving over to your OT network and really causing damage.

Next Steps for Your Cyber Security

As you think about this latest case, here are some next steps to consider:

• Remember size doesn’t matter: groups like DarkSide don't care about the size of your company, they just care that they can get in and get a ransom. Their goal is to make money.
• Make sure your IT and OT networks have firewalls built in to prevent attackers from infiltrating one and impacting both.

For more insights like this, check out the Cyber Notebook or get more Cyber Dan insights by subscribing to our YouTube channel.