Posted by: Heather Shy on May 14, 2021 at 8:00 am
The Colonial Pipeline ransomware situation from last week seems to have a satisfactory ending. The IT system was fixed, the fuel supply chain restored, gas crisis averted.
And they all lived happily ever after, right?
Looking at certain news items, it could seem that the hacker group, DarkSide, had a change of heart. After all, once they received the $5 million ransom, they turned over the decryption key as promised.
DarkSide also semi-apologized, saying they were in it for money, not social disruption. According to Krebs On Security, an update to their blog stated: “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” (Side note: That link also shares an interesting look at negotiations between DarkSide and another recent victim.)
In addition, a major hacking forum has apparently banned all ransomware activity.
Wow, have hackers turned over a new leaf? Will they now use their powers for good and not evil? Not so fast.
Don’t Believe the Bad Guys
First of all, the fact that DarkSide produced the decryption key as promised means nothing. For one thing, they pride themselves on this “honor among thieves.” As quoted at the Krebs On Security link above, “DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.”
Secondly, Bloomberg reports that the decryption key was super slow. Even after paying the ransom, Colonial Pipeline had to continue their own restoration efforts. So what was the point of paying the ransom?
Thirdly, DarkSide’s apparent sudden remorse over “creating problems for society” didn’t stop them from accepting the $5 million bribe or rethinking their life’s purpose.
And the hacking forum? Infosecurity Magazine reports that the Russian forum, XSS, has contributed to the success of several ransomware as a service (RaaS) groups, including DarkSide. (RaaS means anyone able to pay can order a ransomware attack — no technical knowledge needed.) In addition, this supposed change of heart seems to stem solely from increased negative geopolitical attention and interest from international law enforcement.
So, no. Not one of these statements is good news for business or society at large.
In addition, the actions of Colonial Pipeline may have set us all back as well. How so?
Why Colonial Pipeline’s $5 Million Ransom Payment Makes Ransomware Worse
Let’s be honest. Receiving a $5 million payment seems like a pretty good incentive to keep doing something, right? Since DarkSide received $5 million after causing a major disruption, how much incentive do they have to stop ransomware activities? After all, it worked this time (and many other times).
In fact, paying ransomware demands goes against FBI recommendations. Why?
- There’s no guarantee the hackers will provide the decryption key even if the ransom is paid.
- Paying the ransom “emboldens current cyber criminals to target more organizations.”
- Paying the ransom gives other criminals an incentive to get involved in ransomware.
- The organization paying “might inadvertently be funding other illicit activity.”
In other words, the more ransomware demands that get paid, the worse the problem will get.
DarkSide received a huge payday that they can use to perpetuate their illegal, disruptive activity.
So, what can a small business owner do against the ransomware juggernaut?
Colonial Pipeline Ransomware Attack Lessons for Small Business Owners
Upgrade your computers away from Windows XP and Windows 7. (And any pre-2016 Windows Server. And Vista, and Windows 8, if anyone actually uses them still). While we don’t know the exact method used to attack Colonial Pipeline, we see enough small businesses still using outdated operating systems on desktops — and even servers — that this point merits emphasis. You MUST plan to migrate away from outdated systems, or, at the very least, prevent them from any connection to the internet.
Upgrade your network security. Obviously, once you know the security gaps in your network, take steps to mitigate these.
Look into cybersecurity insurance. Cybersecurity insurance can help pay for recovery services, and other costs such as payroll if your staff cannot work while your network is down. However, be aware that it’s not as simple as calling your agent and signing up. Most cybersecurity insurance providers want to be sure that your company meets certain standards before providing coverage — or a payout.
Finally, every cyberattack that hits the news teaches valuable lessons for prevention. Even small businesses can benefit from these lessons. Awareness is the first step; taking the threat seriously is the second. TAZ Networks can help with the rest. Contact us today to get started.