Motorists drove for hours from pump to pump in vain. Or they joined the long lines at the gas stations that hadn’t run out of supplies, and loaded the backs of their pickups with jerry cans of gas.

It all started in the early morning of May 7. An extortion note from the hacker collective DarkSide, probably operating from Russia, appeared on a screen in the control room of the American company Colonial Pipeline. Colonial Pipeline’s files were encrypted. The hostage-taking of the files would only end against payment of 75 bitcoins (at that time about 4.4 million dollars).

Colonial Pipeline operates a 3,000-mile pipeline that carries gasoline and other fuels between refineries on the Gulf of Mexico and the Port of New York—up to three million barrels per day. Nearly half of all fuel on the US East Coast goes through these pipes to ports, airports and thousands of gas stations. Just over an hour after the hack was discovered, the company shut down the entire fuel line as a precaution.

CEO Joseph Blount paid the same day, but it took almost a week for the pipeline to be fully operational again. Hoarding motorists caused fuel shortages in many places, and gasoline prices hit their highest level in nearly seven years. A state of emergency was declared in several states.

Attacks with ransomware also caused major social disruption in the offline world in 2021. Western authorities have stepped up the hunt for the gangs behind it, leading to successes here and there in the form of arrests or the “recapture” of extorted ransoms. It remains much more difficult to hold accountable the governments that shelter or even direct these criminals – Russia first and foremost. If it is up to the US and its allies, tackling digital hostage-taking will therefore be on the agenda of world politics more often in 2022.

‘They are looking for me’

A week after the attack, it was DarkSide itself that had to shut down its activities “due to pressure from the United States,” according to a Russian-language statement published by the hacker collective. The group had lost control of the blog DarkSide published on the dark web and, more importantly, of the system through which victims had to pay their ransom. In June, the US Justice Department announced that the FBI had seized almost 64 of the 75 bitcoins paid by Colonial Pipeline – worth about $2.3 million after an intervening price drop.

That was not the only success of the investigative services. For example, services from different countries managed to penetrate the servers of the infamous REvil during a joint operation in the autumn. This gang, which probably also operates from Russia, is held responsible for attacks on meat processor JBS and IT company Kaseya, among others. “The server has been hacked, and they are looking for me. I’m off,” a top figure from the gang wrote on a Russian hacker forum.

“This year alone there have been eighteen operations by investigative services. That’s more than in the past five years combined,” Allan Liska, an analyst at US security firm Recorded Future, said by phone. “It is very clear that a coordinated, global campaign has been launched to tackle ransomware gangs. In the second half of this year, attacks on healthcare facilities and schools worldwide have decreased significantly.”

A Swedish supermarket chain temporarily closed hundreds of branches

The increased interest of investigative services in ransomware is not surprising. The Colonial Pipeline hack wasn’t the first disruptive hack of 2021, and it certainly wasn’t the last. In March, hackers had demanded $40 million from a major Florida school district for the decryption of its files. When the district refused to pay, the hackers put the personal details of 50,000 students and employees on the internet. Another ransomware gang did the same in May with data on hundreds of Washington DC police officers.

Shortly after the attack on Colonial Pipeline, the world’s largest meat processor, JBS, had to shut down slaughterhouses in the US and Australia due to ransomware. And when hackers exploited a vulnerability in July in VSA, software from the company Kaseya that enables IT service providers to manage their customers’ systems remotely, at least 1,500 companies worldwide were affected. A Swedish supermarket chain temporarily closed hundreds of stores.

Plague

The ransomware plague involves huge amounts of money. According to figures from the US Treasury Department, $560 million in ransom was reportedly paid in the first half of 2021 alone. Worldwide, it is many billions.

Colonial Pipeline ($4.4 million) and JBS ($11 million) both quickly transferred the requested ransom. After all, the economic damage of a long-term hostage-taking is much greater. Liska is therefore not in favor of a ban on ransom payments, an often advocated measure intended to remove the breeding ground for ransomware: “If you don’t have good backups, and your company is in danger of going down, or if you run a hospital and are afraid that your patients will die, I can’t blame you if you pay.” Moreover, a ban could be counterproductive, he fears. Many companies would then look for ways to pay anyway through intermediaries. “We don’t want to give blackmailers anything else to blackmail their victims with.”

In the United States, the Justice Department offers ten million dollars for information on the leaders of REvil and DarkSide

Going after the ransom money – alongside better security, detection and “hacking back” – is a key pillar of the ransomware offensive. Thus Washington placed a Russian company on its sanctions list that allegedly helped cybercriminals exchange and launder their extorted bitcoins. A good move, Liska thinks: “If we can disrupt the infrastructure of ransomware gangs, that’s good, but if we can make sure they can’t spend their money, all the better.”

The increased interest from investigative services is also causing unrest within ransomware gangs. In the United States, the Justice Department offered $10 million in November for information about the leaders of REvil and DarkSide. Liska: “It is already a paranoid group of people, and they now also have to worry that their neighbours, one of their subcontractors or someone they once had an argument with in high school will hand them over to the authorities for that reward.” Several REvil leaders and subcontractors have been charged or arrested in recent months.

Russian state hackers

Still, the identification and prosecution of ransomware ringleaders remains a problem. Most of those detained so far have been subcontractors who ‘rent’ the ransomware in exchange for a percentage of the proceeds – the business model of most major ransomware gangs. Those so-called ‘affiliates’ can be found all over the world – three suspects were recently arrested in Canada – but the leaders of the hacker organizations remain out of reach.

In most cases, they are believed to be in Russia, where they are left undisturbed as long as they do not inflict domestic casualties. While there is no solid evidence that the Kremlin is directly involved in ransomware attacks, there is much evidence that the Russian government at least tolerates them.

In various investigations, security companies found numerous personal links between cybercriminals and intelligence agencies, as well as striking similarities between the programming code of some ransomware and that of malicious software used by Russian state hackers. The researchers also found that the Russian surveillance apparatus has sufficient insight into and control over ransomware gangs to take them out if it wanted to.

Suspected leaders of ransomware attacks openly lead luxurious lives in Russian cities

But suspected leaders of ransomware attacks openly lead luxurious lives in Russian cities. And one of the most prestigious skyscrapers in Moscow, Federation Tower Vostok, houses, according to Bloomberg and The New York Times, at least four crypto companies that US authorities believe are involved in laundering ransom money extorted by ransomware gangs. Denis Dubnikov, co-founder of one of those companies, EggChange, was arrested at Schiphol in November and handed over to the Americans.

According to Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike and of the Silverado Policy Accelerator, a US think tank, the Russian ransomware industry serves the Kremlin “a strategic goal: to disrupt the US economy and sow fear among US entrepreneurs,” as he wrote in the magazine Foreign Affairs in December. “In addition, the cyber criminals are valuable as bargaining chips in international negotiations. Russia can offer action against ransomware in exchange for concessions, rather than action against strategically more important state-backed hacking activities.”

“Allowing hackers to improve their skills and technology provides the Kremlin with an advantage it can use when it sees fit,” researcher Michael John Williams of Syracuse University wrote in Foreign Policy. Indeed, there is evidence that cyber criminals are being recruited by Russian services, voluntarily or not.

Summit meeting

That also makes ransomware a geopolitical issue. While touring Europe in June, President Biden sought allies to take on Russia, visiting both NATO and the G7 summit in Cornwall.

When meeting President Putin in Geneva, Biden presented him with a list of 16 critical sectors, such as hospitals, drinking water supply, energy utilities and other critical infrastructure. Cyber attacks on those sectors could count on countermeasures. “How would you feel if ransomware shut down your oilfield pipelines?” he asked Putin, by his own account.

According to Biden, the two agreed to continue to discuss the approach to ransomware. But Putin reiterated at a press conference afterwards his denial that Russian authorities had anything to do with the attacks, claiming that most of the hacks come from the United States. A Russian healthcare facility is said to have been hit by American ransomware.

Three months after the meeting, Deputy FBI Director Paul Abbate said at a conference that the ransomware gangs in Russia were continuing as usual, and that US legal assistance requests had been fruitless. While hacking attacks on major companies such as Colonial Pipeline and JBS failed to materialize in the second half of the year, security firms are reporting an increase elsewhere. “Ransomware attacks in, for example, Germany and France are increasing,” says Liska. “That may indicate that hackers are turning their attention to victims outside the United States.”

In October, the White House hosted a virtual summit with the European Union and thirty individual countries, including the Netherlands, to improve international cooperation in the fight against ransomware. The resulting agreements focus on better prevention and intervention and on tackling the money flows related to ransomware, but also on diplomacy. Russia was not invited.

A version of this article also appeared in NRC Handelsblad on 31 December 2021