Late last week, as the United States was still struggling to recover from a ransomware attack on Colonial Pipeline that led the company to shut down its pipeline network along the East Coast, hospitals in Ireland were sending surgery patients home because of a ransomware attack that crippled computers.
The attack in Ireland began on Friday with Ireland’s Health Service announcing that it had shut down its network as a precaution. Soon, hospitals and clinics across the country reported losing access to their networks, forcing them to cancel routine surgeries.
The attack on Colonial Pipeline was by a group calling itself DarkSide, according to the FBI, and the Irish attack was perpetrated by a group called Conti. Both criminal groups are said to operate from Russia, although neither group is actively backed by the Kremlin, officials have said.
President Joe Biden, for instance, has said that although the group operated out of Russia, Moscow was not behind the attack.
Security researchers studying ransomware attacks and criminal gangs say the operations are mimicking multilevel marketing programs, the most well-known of which is the Tupperware party that began in the 1950s as an informal network of housewives who sold plastic storage boxes to friends and family.
Lawmakers have said that U.S. state and local governments, hospitals and schools hit by ransomware in 2020 paid about $350 million in ransoms.
“You have to think of ransomware as a service, as like multilevel marketing for bad guys — like, instead of Tupperware parties you have ransomware parties,” said Allan Liska, a ransomware expert at Recorded Future, a security research firm.
“Ransomware as a service has become really, really popular because it’s a chance for a whole lot of people to make a lot of money,” Liska said Friday in an online briefing by Recorded Future.
Typically, a small-time online criminal who gets by on stealing credit card information, usernames and passwords online but wants to make more money connects with a group such as DarkSide or Conti and provides his or her credentials to say, “Look, you know, here’s all the bad guy stuff I have done,” as a form of gaining credibility, Liska said.
If accepted as an “affiliate” of the group, the criminal then pays a fee of between $500 and $1,000 and gains access to an entire online infrastructure, which is just like any other legitimate software as a service that resides on the cloud.
The group gives the new affiliate a version of a ransomware tool that’s unique, Liska said. The criminal then deploys the tool using whatever technique he or she is familiar using, whether it’s through a phishing campaign targeting companies in an industry or using techniques to exploit known vulnerabilities in computer networks, he said.
Once the ransomware is successfully executed or has found its victim by encrypting their computer network, the tool then connects to the criminal group’s home infrastructure and the group’s leaders handle negotiations for ransom with the victim, Liska said.
The group then splits the ransom by giving the individual criminal affiliate 15 to 20 percent and keeping the rest, he said.
DarkSide operates like any other legitimate business would, Liska said. When a security firm called BitDefender published a decryption key for DarkSide’s ransomware tool in January, DarkSide fixed the flaw and published a 2.0 version of its software in March, Liska said.
The multilevel marketing model of the ransomware as a service business means that the top 20 ransomware groups in the world between them could be hosting 200 to 250 affiliates who are looking to break into computers and make money from it.
Colonial Pipeline is said to have paid a $5 million ransom to recover its network, after initial reports said the company had no intention of paying off the criminals.
Liska and other researchers have said that even if companies have a good, current backup of their network and can rebuild their systems without having to pay a ransom to decrypt files locked up by ransomware, criminals often further threaten them with exposure of stolen information.
Unlike ransomware incidents four years ago, when attackers typically disabled a network and then enabled it after getting paid, criminals today not only encrypt a network but also steal highly sensitive information from a company to force the victim to pay.
The global health care industry, for example, “faces a significant threat from criminal groups deploying ransomware, the consequences of which can include the disruption of critical care facilities,” according to a February report from security research company CrowdStrike. “Along with the possibility of significant disruption to critical functions, victims face a secondary threat from ransomware operations that exfiltrate data prior to the execution of the ransomware.”
Criminals steal data from victims and threaten to leak it to get around steps taken by companies to restore their computers from backups without paying ransoms, Adam Meyers, senior vice president of intelligence at CrowdStrike, said in an interview in February.
The proliferation of ransomware as a service is fueling an “extortion ecosystem,” Liska said.
Criminals often search a victim’s computer network to see if the company has a cyber insurance policy and grab a copy if they find one, telling the victim during negotiations, “Hey, according to the policy you have, they’ll pay up to $1 million in ransom, and that’s what we want now,’” Liska said.
Criminals also threaten to expose other sensitive, nonpublic information, such as a merger and acquisition plan, or expose financial details to the stock market, or steal and publish confidential information from a company’s CEO or other top officials, Liska said.
The U.S. government and others around the world are cracking down on criminal affiliates and their overlords.
On Friday, a rival ransomware group known as Unknown was claiming in underground forums that DarkSide’s servers and bitcoin wallets used to collect ransomware were seized, Liska said.
The group claimed that the U.S. government had shut it down, but “take it with a grain of salt. This just could be that DarkSide is trying to get himself cover as he is ducking and running,” Liska said.
DarkSide is said to be run by a criminal who uses the handle darksupp on underground forums.
Usually, ransomware operators are not deterred by much, but “when the president of the United States mentions you on a nationally televised speech,” as Biden did when he called out DarkSide for the attack on Colonial Pipeline, “you tend to realize you have screwed up bad.”