DarkSide Ransomware Hit Colonial Pipeline—and Created an Unholy Mess

Callow and other researchers emphasize, though, that it’s difficult to produce meaningful deterrence when it comes to ransomware and cyberattacks in general. Even after repeated wake-up calls and ransomware-related disasters, governments have not shown enough urgency in trying to solve the problem.

“One of the biggest challenges in cyber deterrence is attribution, and you can see that in this situation,” Red Canary’s Nickels says. “There are the ransomware developers, their affiliates and clients, and host countries that are ignoring their behavior. Who’s at fault? Who do you have to deter?”

DarkSide was illustrative of that enforcement problem even before the Colonial Pipeline attack. It almost exclusively targets English-speaking organizations and is widely thought to be a criminal group based in Russia or Eastern Europe. The DarkSide malware is even built to conduct language checks on targets and to shut down if it detects Russian, Ukrainian, Belarusian, Armenian, Georgian, Kazakh, Turkmen, Romanian, and other languages associated with Russia’s geopolitical interests. The Kremlin has historically let cybercriminals operate unfettered within its borders as long as they don’t go after their countrymen.

DarkSide’s rent-a-ransomware business model makes it difficult to determine who, specifically, is behind any given DarkSide attack, convenient insulation for all involved. And the very existence of ransomware-for-hire services shows just how popular—and profitable—these attacks have become. Members of DarkSide focused on point-of-sale credit card data theft and ATM cashout attacks for years, says Adam Meyers, vice president of intelligence at the security firm CrowdStrike, which tracks DarkSide’s activity under the name Carbon Spider. “They’ve transitioned to the ransomware game because there’s so much money in it,” Meyers says.

The Biden administration has signaled in recent weeks that it plans to focus real attention on addressing the threat of ransomware. The White House has been hiring for key cybersecurity policy and response roles and participated in a public-private ransomware task force aimed at generating comprehensive recommendations to curb the problem. The Colonial Pipeline incident now gives the White House a renewed motivation to turn policy proposals into action.

“We’re taking a multipronged and whole-of-government response to this incident and to ransomware overall,” deputy national security adviser Anne Neuberger said in a White House briefing on Monday. “We’re aggressively investigating the incident and its culprits.”

Neuberger said that the administration believes DarkSide is a criminal actor only but that the intelligence community is looking into the possibility of government ties. On Monday, President Biden called on the Russian government to stop harboring cybercriminals.

“I’m going to be meeting with President Putin,” Biden said. “So far there is no evidence … from our intelligence people that Russia is involved, although there is evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”

One question that dogs ransomware response is whether governments should make it illegal for victims to pay ransoms. In theory, no more ransom payments would mean no more incentives for criminals to continue. But members of the public-private ransomware task force say that the group was unable to reach a consensus about firm recommendations to that end; the trade-offs aren’t easily navigable.

Steps that could work in the near term? Requiring that victims disclose ransomware incidents, and creating a cyber incident review board in the US, says Rob Knake, a senior fellow at the Council on Foreign Relations and a former director for cybersecurity policy at the National Security Council. Currently most victims keep ransomware attacks quiet when possible; a full accounting of these rolling crises could spur a response. “Notification is essential, because cyber incidents are not like plane crashes—the investigating agency may never find out that they have happened,” Knake says. “So for the cyber incident review board to be successful it will need to be notified of incidents and then have the authority to investigate. Voluntary will not work.”

In the meantime, cybersecurity professionals say that they hope the Colonial Pipeline incident really will finally spark action in the fight against ransomware. Given how many other dire attacks have failed to act as this catalyst, though, they are wary of being too hopeful.

“We’re at a point where only systemic improvement will have any meaningful impact,” Crowdstrike’s Meyers says. “And organizations don’t necessarily have the bandwidth, funding, and personnel to do that. But this should be a wake-up call to any organization: You need to do better or you’re going to suffer the same fate.”

More Great WIRED Stories