The US government's move is changing the ransomware landscape

Christopher Budd 15 Jun 2021

While the government has released cybersecurity requirements many times in the past, it's the first time we’ve seen them issued so quickly in response to a known attack

Are ransomware attacks on the rise? It would certainly seem so. From the Colonial Pipeline to JBS to Ireland’s Health Service, the effects of ransomware are being felt far and wide. At the same time though, the US government has responded to these attacks in new ways that are already having an impact on ransomware operators and could signal a new, positive phase in the battle against ransomware.

Colonial Pipeline was hit with a ransomware attack that shut down their pipeline system for nearly a week in early May of this year. The company said that while the pipeline system itself was not affected, their internal networks were, leading to the shutdown. Colonial Pipeline is a major fuel supplier to the United States East Coast, supplying 45% of fuel to the region. As a result, the shutdown had immediate effects, which were worsened by panic-buying induced shortages. 

Then, in early June, a ransomware attack against JBS the world’s largest meat processor shut down processing at nine beef plants and disrupted operations at pork and poultry plants across the US. JBS was able to return to operation within a week.

The timing of these significant attacks, one after the other, has garnered a lot of attention and concern. But what hasn’t gotten as much attention and is at least as important is the response from the US government and the impact that appears to be having on the ransomware operators and the ransomware industry. We may be entering a new phase in the ransomware crisis that sees, finally, progress in stopping this problem.

New US government responses to ransomware attacks

While the Colonial Pipeline attack was still underway, the US government moved quickly to declare a state of emergency for the affected sector: a first in terms of speed and scope of response. 

Then, within days of the attack, the FBI attributed the attack to the Darkside ransomware group, commonly believed to be Russian, though not part of the Russian government. While the FBI has made public attributions about cyberattacks before -- such as their attribution of the Sony Pictures attack in 2014 to North Korea -- this is the first time it was done this quickly.

Before the end of May, the US government released new cybersecurity requirements for pipeline operators. While the US government has released cybersecurity requirements many times in the past, this is the first time we’ve seen requirements issued so quickly in response to a known attack.

As the JBS attack unfolded, we saw another series of fast, unprecedented responses from the US government. The FBI moved quickly to publicly attribute the attacks to a specific ransomware group within days of the attack, this time naming REvil/Sodinokibi ransomware group. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, then released a memo urging business leaders to take the threat of ransomware seriously and providing specific guidance on steps they can and should take to help prevent these attacks.

Most significantly, we learned that the US Department of Justice released a memo to U.S. attorney's general offices across the country, telling them to prioritize ransomware attacks at the same level as terrorism cases. This is a truly unprecedented move that puts ransomware literally at the top of the list for US law enforcement.

To underscore how seriously the administration is taking these ransomware attacks, on Monday, June 7, 2021 the US National Security Adviser, Jake Sullivan said that the administration was planning to address ransomware “at every stop” of President Biden’s planned first international trip. He said they hoped this would lead to the US and allies developing an “action plan,” clearly indicating a goal of strong coordination to combat the problem.

That same day, the US Department of Justice announced that they had recovered $2.7 million of the $4.4 million ransom Colonial Pipeline had paid. Another action unprecedented in speed and scope. 

Taken altogether, these actions constitute a significant change in posture by the US government and federal law enforcement towards ransomware. And we can see that some of these actions are already having an impact on the ransomware “industry.”

Impact of actions on ransomware groups

To see the impact of at least some of these actions, we can look at the Darkside ransomware group behind the Colonial Pipeline attacks.

First, it’s notable that within just a couple of days of the Colonial Pipeline attack, the Darkside ransomware group issued an unprecedented statement that appeared intended to put distance between themselves and the impact of the attack. The Darkside group actually operates with an affiliate model, meaning that others launch the actual attacks using Darkside’s technology and infrastructure for a fee. The tone of the statement and the fact that they blame the attack on a “bad affiliate” appears calculated to try and diffuse any potential retribution. 

This is consistent with Darkside, whose ransomware specifically checks the language of the system before installing so as not to install on systems in Russian, countries in Russia’s “near abroad” and Syria (where Russian troops are stationed). Our researchers have verified this in recent versions of their ransomware and it’s widely believed this is a tactic to ensure they don’t cause domestic law enforcement and government to shut them down. This initial statement would seem to be another tactic in that playbook to keep “the heat” of law enforcement and government action against them low.

However, it appears that tactic failed. By the end of the week, as Colonial Pipeline was resuming operations, we learned that Darkside had lost control of their infrastructure and payment systems and was shutting down its affiliate program due to “pressure from the US.” They also indicated that their funds had been withdrawn to an unknown account. Presumably at least some of this represents the partial recovery of Colonial Pipeline’s ransom.

At about the same time, we learned that two major underground forums which host ransomware ads, XSS and Exploit, were banning those ads. That move dealt a blow to the business side of the ransomware business by making it harder to advertise to possible affiliates and buyers of ransomware services.

And about two weeks after Darkside announced they were shutting down, we learned that some of Darkside’s affiliates were going to “hacker court” to try and recover funds they were owed by Darkside. 

Finally, just days after the FBI named REvil as behind the JBS attacks, REvil released their own statement seeming to try and distance themselves from the impact of the attack, similar to Darkside’s statement.

Ransomware groups facing a new reality

When we look at what the Darkside and REvil groups have done, what has happened to them, and how others are responding, it’s clear there is a sea-change underway.

Both Darkside and REvil tooks steps to try and distance themselves from the impact of the attacks attributed to them, which was unprecedented.

Darkside has seen its operations disrupted, their money taken, and is dealing with affiliates who say they are owed money. Right now it appears they’re out of business.

Two major forums for ransomware advertising have banned those ads, which will have an impact on all ransomware operators, making it harder to carry on business as usual.

And other ransomware operators have noticed and taken action. For example, the Avaddon group announced certain restrictions on what types of attacks they’ll carry out or allow their affiliates to carry out, banning the targeting of government-affiliated entities, hospitals, or educational institutions. Interestingly, REvil was one of the operators who said they would ban certain attacks prior to the JBS attack. This gives credence to their statement, implying that the results of the JBS attack weren’t what they expected.

Meanwhile, the Darkside’s loss of their funds and the recovery and return of at least some of the ransom Colonial Pipeline paid calls into question the economic viability of ransomware as a business. Or, at least, it increases the risk part of the risk-versus-reward calculus.

When we look at all of this, it’s reasonable to conclude that the vigorous, robust response from the US government is already having clear, direct, and positive impacts.

That’s not to say that the ransomware problem is going away. These are significant developments, but the scale and scope of the problem is huge. That said, the US government’s action and the impact it appears to be having shows real promise of changing the current ransomware environment, especially if other governments and agencies around the world follow suit. And the administration is clearly looking to bring allies on board for more vigorous, coordinated responses to this problem.

Darkside may not be out of business for good: They could reform at some point. But history shows us that success in combating organized crime comes through many victories, large and small, on multiple fronts, over time. And the US government has shown it’s ready to open more fronts in the fight.

Meanwhile, there is still a ransomware problem here today. Businesses and individuals should heed the advice from Anne Neuberger and keep your systems updated, run security software, don’t click links, and make good backups. And, most of all, if you experience a ransomware attack, don’t pay the ransom: You’re only helping keep these groups carry out future attacks that will affect you directly or, as we saw in these three attacks, indirectly.

Learn more about how Avast Business Solutions can help protect your company from ransomware. 

--> -->