U.S. finally flexes ransomware muscle
There’s always a lot of high drama whenever a ransomware attack is launched successfully against an organization. Thus far most of those spectacles have ended in one of three ways: the ransom demand is ignored and the data is lost, the ransom is paid, or the organization is lucky enough to restore a clean, pre-attack copy of the data that was encrypted.
The ransomware attack against Colonial Pipeline that crippled the flow of gasoline is adding a new twist to what has become a somewhat stale production. It appears the U.S. government is finally marshaling its resources to combat the ransomware scourge. The organized cybercrime syndicate known as DarkSide, accused of being either an enabler of the attack against Colonial Pipeline (by supplying the ransomware that its affiliates deploy) or possibly its instigator, has announced it is shutting down because of unspecified pressure from the U.S. government.
A statement attributed to the operators of the DarkSide platform said that the public-facing portion of its online infrastructure, including its blog and payment server, had already been shut down and that funds had been withdrawn to an unknown account. It said the group’s main web page and other public-facing resources would go offline as a result. Presumably, the withdrawn funds include the $5 million in bitcoin that Colonial Pipeline reportedly paid to regain access to the systems that operate its pipelines. Whether DarkSide still controls those funds, or whether another entity removed them, is unclear. The Biden Administration said last week that it would not rule out a retaliatory strike against DarkSide but has refrained from commenting further. Executives at Colonial Pipeline are not commenting either.
Of course, some suspect this is all a ruse and that DarkSide will simply reconstitute itself in some other form. In the meantime, the cybercriminal “affiliates” of DarkSide have lost access to one source of the toolkits they employ to launch a variety of attacks. Unfortunately, there are still many alternative sources for those toolkits, and it is not clear whether the Biden Administration can bring additional pressure to bear to shut those down as well.
Regardless of the ultimate outcome, the cybersecurity community can take some solace in the apparent fact that government agencies found a way to disrupt the operations of a cybercriminal syndicate within a few days, even if that attribution has not been confirmed. They may not yet have been able to arrest anyone, but the operators of rival organized cybercriminal syndicates are probably wondering what might be coming next. Some may even take their cue from DarkSide and quietly retire in the hope that government agencies will eventually tire of looking for them.
In the meantime, it’s clear those government agencies are putting together some type of new cybersecurity playbook that revolves around the capabilities of U.S. Cyber Command rather than just the investigative prowess of the Federal Bureau of Investigation (FBI). That playbook seems to include tools for taking down the malicious sites that have enabled cybercriminals to launch far more attacks than they could mount if they had to develop every tool they use themselves. Ransomware and other forms of malware are not likely to disappear any time soon, but there is hope that the volume of malware flowing through systems may finally be curtailed.