In April, a crippling ransomware attack hit U.S. oil producer Colonial Pipeline, paralyzing operations and forcing a shutdown of its 5,500-mile-long pipeline, which accounts for nearly 50% of all the gasoline shipped to fuel stations on the U.S. East Coast.
The incident unleashed a wave of panic buying, closure of gas stations, hoarding, and a rise in gasoline prices. Colonial Pipeline eventually had to fork over 4.4 million USD in Bitcoin to DarkSide, a well-known ransomware group, in exchange for the decryption key. Gasoline shortages, however, persisted even three weeks after the payment.
It turns out this cyberattack that wreaked so much havoc was launched using Ransomware-as-a-Service (RaaS). Let’s take a look at how this security threat works.
How ransomware-as-a-service works
DarkSide initially surfaced in August 2020 and went on a global ransomware spree, targeting organizations in more than 15 countries. With ransomware (also called cryptolockers), hackers attack companies and individuals by encrypting their files so the owners can no longer open them, then demand a large ransom, often paid in Bitcoin, for the decryption key that restores access to the data. The attackers often also threaten to publish the stolen data online if the ransom is not paid.
The hackers, however, eventually altered their attack model, using affiliates to broaden their reach. They chose to keep working on their tech capabilities while outsourcing the attacks and negotiations to other organizations. The software in the Colonial Pipeline hack could be attributed to DarkSide, but it was actually a leased variant contracted out to an outside party who would identify the target and lead the negotiations.
This model, called Ransomware-as-a-Service (RaaS), a play on the term Software-as-a-Service (SaaS), involves profit-sharing between DarkSide and the contractor according to the terms of the deal.
DarkSide also shared negotiation tactics with the affiliate, including threatening to release details about the hack to short sellers, who could in theory send Colonial’s stock plummeting even before the news of the infiltration was made public.
DarkSide and its affiliates have bagged at least 90 million USD in ransomware payments. The size of each payment has varied but is generally in the vicinity of 1.25 million to 6 million USD.
But the Colonial Pipeline hack seemed to have been too ambitious for its own good: The resulting media attention and scrutiny from the U.S. government likely caused DarkSide to shut down. Security researchers believe that the group will resurface under a different name.
Selling ransomware kits on the dark web
But Ransomware-as-a-Service isn’t going anywhere. Criminals who lack the technical skills to develop their own ransomware kits can buy the service on the dark web for a one-time fee or a monthly subscription. Perks of paid plans include access to customer support, communities, technical documentation, and feature updates, much as a legitimate software company supports its users.
RaaS developers, too, aggressively market their services on the dark web, investing in case studies, white papers, videos, infographics, user testimonials, and polished web design to differentiate themselves from one another. They offer upsells such as portals that let subscribers see the status of infections, total payments, total files encrypted, and other information about potential targets.
Almost two-thirds of all ransomware attacks in 2020 came from actors deploying a RaaS model, with affiliate schemes swelling by 15 new programs. Competition among ransomware developers could lead to increasingly sophisticated malware payloads and less flexible ransom demands. Ransomware is big business: total payouts reached 20 billion USD in 2020, and the “democratization” of cyber espionage is likely to increase the size of the pie.
Protect yourself from ransomware
There are a few ways to stay safe from malware.
- Update your devices. Don’t delay updates, because they often contain important patches for bugs and vulnerabilities.
- Beware of phishing. Ransomware is sometimes downloaded via a link sent to you by someone purporting to be a friend, colleague, or family member. Only open links you’re absolutely sure are from trusted sources.
- Only download software from the official source. You’re much less likely to download software that has been infected with malware if you are getting it from a software maker’s official website.
- Use a firewall. A firewall blocks unsolicited incoming connections to your computer. You probably already have one on your computer, as well as on your router. A VPN can also act as a firewall.
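The phishing advice above is easier to follow with a concrete check: before clicking, compare where a link says it goes with where it actually goes. The script below is an added example written for this post, not code from ExpressVPN or from any ransomware group; it inspects constructed sample links (all hostnames use the reserved .example and .invalid domains) and reports the red flags a cautious reader would look for: a destination that is not HTTPS, a user@ part that hides the real host, a bare IP address, a punycode hostname, or link text that shows one domain while the href points to another. The domain-comparison helper is deliberately naive (last two labels) and is labelled as an assumption in the code.

```python
"""Inspect links from an email before clicking: flag destinations that do not
match what the link text claims. Added illustration; not from the original post."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample links, each as (text shown in the message, actual href).
# Hostnames use reserved example/invalid domains; nothing here is a real site.
SAMPLE_LINKS = [
    ("https://www.bank.example/login", "https://www.bank.example/login"),
    ("https://www.bank.example/login", "http://www.bank.example.evil.invalid/login"),
    ("Download the update", "https://user@xn--updat-8va.invalid/setup.exe"),
    ("Invoice", "https://203.0.113.7/invoice.zip"),
]

# Does the visible link text itself look like a URL or a domain name?
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, adding a scheme if the text lacks one."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.
    Assumption: no multi-part public suffixes (a real tool would use a suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(shown: str, href: str) -> list[str]:
    """Return the reasons this link deserves suspicion; an empty list means no red flags."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append("destination is not HTTPS")
    if parsed.username is not None:
        reasons.append("URL carries a user@ part, which can disguise the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address rather than a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("hostname uses punycode (possible look-alike characters)")
    if URL_LIKE.match(shown.strip()):
        shown_domain = base_domain(host_of(shown))
        real_domain = base_domain(host)
        if shown_domain != real_domain:
            reasons.append(f"link text shows {shown_domain} but it points to {real_domain}")
    return reasons


def triage(links=SAMPLE_LINKS) -> dict[str, list[str]]:
    """Map each href to its list of red flags, so a reader can review them in one place."""
    return {href: inspect_link(shown, href) for shown, href in links}


if __name__ == "__main__":
    for href, reasons in triage().items():
        verdict = "OK" if not reasons else "SUSPICIOUS"
        print(f"{verdict:10} {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run it as-is to see the four sample links triaged; to check a link from a real message, call inspect_link() with the text you see and the href you get from hovering over or copying the link. An empty result is not proof a link is safe, only that none of these cheap checks fired.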