Ransomware-as-a-service: How DarkSide and other gangs get into systems to hijack data
Expert says all companies are at risk, but especially smaller ones who may not have very secure systems. Not all attackers are after large amounts of ransom.
TechRepublic’s Karen Roby spoke with Marc Rogers, vice president of cybersecurity at Okta, about ransomware. The following is an edited transcript of their conversation.
Karen Roby: I’ll point out just because before we were recording, I said, “Well, today’s Friday. We’re heading into the weekend.” As you made clear to me, when you’re in cybersecurity, you don’t have much of a weekend. I mean this is a 24/7 concern and operation for companies. I mean there’s just so much going on with this Marc.
SEE: Security incident response policy (TechRepublic Premium)
Marc Rogers: Yep and actually bad guys tend to like the time when there’s less people in the office. So, that’s why they’re thriving during the pandemic because there’s a lot of opportunity now that things are less watched and people are more scattered. And weekends when people like to go and relax are a great opportunity for them to try and attack you.
Karen Roby: Yeah, that’s when they find those vulnerabilities certainly, when we’re not really on our game I’m sure. Obviously Marc, one of the biggest incidents here of ransomware that we’ve seen in a long time with the Colonial Pipeline, and this is making the everyday person get a closer glimpse at what really happens when this type of thing occurs. Talk a little bit about that type of incident. We don’t know the specifics exactly with the Colonial Pipeline and what went wrong, but in general, what triggers these attacks? How do they happen?
Marc Rogers: The challenge is that there’s a huge ecosystem of ransomware out there. What people probably don’t realize is it’s not just one gang doing this. There are loads of gangs, and it’s now evolved to a point where in fact groups like, for example DarkSide who were responsible for this most recent attack against Colonial, aren’t even the attackers. They’re offering a service and they sit somewhere on the darker side of the internet and they offer what’s called ransomware-as-a-service. They recruit affiliates or essentially sub-contractors who come in, who use their platform and then attack companies. And in the case of DarkSide, if you actually logged into the infrastructure and take a look at it, which is something we in the research community actively do, they had a very polished operation. They provide technical support for their affiliates who are breaking into companies. They provide monetization controls so that an affiliate can go in and see how much has been paid and what’s outstanding and manage the money and all that.
They’re basically like companies and that’s the challenge with ransomware now is it’s moved from this sort of opportunistic thing where there were a few criminals scattered around the world doing this, to being these as-a-service operations that basically mean any enterprising criminal can get access to ransomware for, I’ve seen it for less than $100, and then use that to infect stuff. And obviously at the lower end, you’re talking about things that aren’t very sophisticated. The problem is it doesn’t need to be sophisticated. The group behind Colonial, the DarkSide group, they don’t do anything very sexy in terms of their attacking. They usually break in through brute-force attacks on passwords or through leaked passwords that get found from breaches or from well-known software vulnerabilities that have been long disclosed and probably should have been patched. So they’re basically preying on the weak.
Karen Roby: Yeah, and when they do this Marc, it’s something where it’s like shooting fish in a barrel. I mean they’re just going out and just to see where they can infiltrate.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Marc Rogers: That’s exactly right and we have a lot of evidence that the affiliates behind DarkSide literally scan the internet, looking for companies that have open systems with well-known old vulnerabilities. Because they know the moment they find a company with a well-known old vulnerability, it tells them a lot of things. It tells them, A, there’s a way in, but it also tells them, B, likely the company has bad practices inside. And it tells them, C, that that company is going to be completely unprepared for their attack. And so then the last piece of the equation is they judge whether or not it’s a high-value target. And if it’s a high value target, they go in, they infect the network. They try to get in as far as they can throughout the network and take over as many systems as possible. They seek backups and they encrypt the backups. And then they lock, well actually, they also steal data because they like to apply pressure by bribing you, blackmailing you with the data they’ve stolen. And then they encrypt the network and put out the demand.
Karen Roby: Whew, it’s a lot. It’s a lot, Marc. We talk about our supply chain for instance, I mean there are so many layers here, places that could be just disastrous all the way around.
Marc Rogers: I completely agree. And I think for me, Colonial was interesting because it shows a little bit of the mismatch we have about what is critical infrastructure. The Colonial industrial systems were unaffected. They were protected from the company’s network and so the ransomware didn’t get in there and cause any problems. But what wasn’t taken into account is that without the actual company being able to function, it doesn’t matter if you have these control systems safe, there’s nobody there to operate them and so it can’t work. And so by taking out all of the operational part of Colonial, they crippled the company’s ability to operate and that forced the company to shut down. And that means we have to reassess what we consider critical infrastructure. We now have to include things like anything that is critical to running something that’s critical is also critical infrastructure. And I think we’re going to have to go back to the table and start to look at a lot of different systems that tie into other systems with new light now.
Karen Roby: So what do we do, Marc? We talk about oftentimes if you’re saying a password’s leaked or this or that, there are humans on the other end of a lot of this, and there’s only so much you can do to hope that they have a strong password or that they change it or two-factor authentication. I mean there’s still humans involved in this, people make mistakes. What do we do? How do we best protect ourselves?
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
I think the next thing is that even small companies should recognize they can be victimized by these ransomware gangs because the affiliates who operate off the back of this ransomware-as-a-service don’t care who they’re attacking. Some of them want to get the big bucks, like the DarkSide affiliates who go after five, 10 million plus ransoms, but others don’t care. They just want a couple of tens of thousand dollars or a few thousand dollars. Anyone can be targeted so recognize that you could be a victim.EE:
And the next thing is, realize that actually basic security hygiene can make a huge difference. You mentioned changing passwords and stuff, that’s part of it. Every company needs some kind of information security program. So, making sure that your employees’ passwords don’t fall out in breaches, they aren’t being reused. Just some simple things like that go a long way. Turning on multi-factor authentication or two-factor authentication actually would make the job of a group like DarkSide incredibly difficult, because then they can’t brute force passwords so it is going to have a meaningful effect. And patching vulnerabilities.
The challenge we have though is I think big companies have the resources to do this easily, but the small companies, they’re going to find this hard. If you’re a 10-person or a 20-person company that doesn’t even have a security team, how do you deal with this? And what I would say is reach out and find resources that can support you because ultimately the cost of dealing with one of these instances is going to far outweigh the cost of having, say, a managed security services provider on retainer.
Think of it like you would a legal problem. You have lawyers on retainer for your business, get security people on retainer, too.
Karen Roby: We’ll switch, mainly focusing on bigger companies. Do you feel like at that level, when it comes to cybersecurity, are more of them bringing on board CSOs or putting a CSO or at least a cybersecurity expert of some sort on their boards? I mean in the C-suite, are we seeing more of that?
Marc Rogers: We are, but it’s fragmented. And so if you look across the whole ecosystem, you’ll see there are industries that are light-years ahead. Like the internet industry and all of the companies that operate in that space tend to be much further ahead because they’re very software-engineering centric and they’ve learned from brutal experience of the past. But there are industries like construction for example, where they really don’t see themselves as being threatened by this kind of stuff. But what we have to accept is now with the internet of things, even your building management system is likely connected to the internet in some shape or form and that means it can be victimized.
SEE: Apple supplier Quanta hit with $50 million ransomware attack from REvil (TechRepublic)
The automotive industry went through exactly this same experience. Back in 2015, I hacked the Tesla Model S to demonstrate that it’s possible to break into a car electronically and take control of it. The automotive industry has done a huge amount of work to improve what it’s doing and it’s moving forward. But I fear there are many other industries out there that don’t recognize that. So, we all need to come together and recognize that anyone can be a victim and that we need to have a holistic approach to security. And the same applies inside our companies. You can’t fragment security and expect a disjointed program to provide good coverage.
Karen Roby: Marc, there’s so much to this obviously, a lot of bad guys out there making good money off of doing this. And like you mentioned, it can be a small company. I mean a $10,000 ransom or a $100,000 ransom. In most cases, a lot of cases, it’s easier for them to pay it than it is for them to even attempt to fix the situation. They need access to their systems, they need their data. I mean it’s really scary.
Marc Rogers: Yeah, it is very scary. One of my side jobs is I’m one of the founders of the CTI League, which is an organization that’s been defending healthcare during the pandemic. And we saw a number of facilities, medical facilities hit by ransomware, and you’re literally talking life or death there. When a hospital gets shut down and is forced to operate off of pencil and paper, people’s lives hang in the balance. And so I can understand that companies need to make tough decisions.
And that’s one of the reasons why I’m glad to see that the current administration is putting effort on this and seeing it as a top priority, because it really is the scourge of our modern industry. We need to come up with a way to tackle this and end it and make it so that it’s so painful for the criminals, they go off and try something different.