Ransomware and the Colonial Pipeline

On May 7, the Colonial Pipeline Company discovered that they were the victim of a ransomware attack, as noted in an archived press release. The company responded to the threat by proactively taking systems offline to contain it, thus temporarily halting pipeline operations. They also reached out to a third-party cybersecurity firm and several federal agencies to investigate this attack on America’s infrastructure. The 5,500-mile pipeline stretches from Texas to New Jersey, and the company produces roughly 45% of the petroleum products used by the East Coast, including gasoline, diesel fuel, jet fuel, and even fuels used by the military. The company is working to restore their systems safely and incrementally. James Williams of WTRG Economics told MarketWatch that if they are not fully restored by the end of the week, the fuel shortage will become a “critical” situation for the market. However, the situation has already started to become a serious problem because citizens are hoarding gasoline. On May 9, a Regional Emergency Declaration was issued to temporarily lift restrictions on fuel transportation to address the shortage, and on May 11, Governor Northam declared a state of emergency for Virginia. Ben Popken of NBC News reported that demand for fuel jumped over 30%, and gas stations along the East Coast are suffering from fuel shortages. The ransomware attack created a problem that could become a disaster.

The attack has been linked to a Russian cybercriminal gang called DarkSide. DarkSide offers Ransomware-as-a-Service (RaaS). RaaS is like Software-as-a-Service (SaaS) in that people pay for a license to use software, but in this case, that software is ransomware that is used against the customer’s victims. Ken Dilanian and Kelly O’Donnell of NBC News note that although Russian cybercriminal gangs tend to do freelance work for the Kremlin, the attack on the pipeline was purely criminal and not sponsored by a nation-state. As reported by DISSENT of DataBreaches.net, DarkSide released a press statement on May 10 which says that they are “apolitical” and that their “goal is to make money, and not creating problems for society.” In recognition of the fact that their actions did not align with their public goals, the gang stated that they will “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” According to Stefano De Blasi of DigitalShadows, DarkSide is part of a rising trend in ransomware called Ransomware-as-a-Corporation (RaaC). This trend attempts to make ransomware seem respectable even though it is entirely criminal. Gangs following this trend use “a corporate-like method of communication throughout their attacks.” They publish press releases to give victims “the impression of dealing with a professional body” to convince them to pay the ransoms, and the trust the gangs build with victims and other cybercriminals is what helps them grow. A screenshot shared by De Blasi shows that DarkSide claims to avoid targeting schools, hospitals, non-profit organizations, and government organizations. However, although gangs like DarkSide may present themselves as relatively socially responsible, the use of ransomware is inherently socially irresponsible.

It is easy to think of ransomware attacks as isolated events that do not harm the public, but this is far from the truth. A variety of organizations that play a vital role in society have been victimized by ransomware in the past, including hospitals, schools, and power plants. Last year, Dan Goodin of Ars Technica reported that in Duesseldorf, Germany, the treatment of a woman with a life-threatening condition was delayed by one hour due to a ransomware attack against a hospital. The woman died. The attackers apparently thought they were attacking a university instead of a hospital. They provided a decryption key when the police informed them of the truth about their target, but it was too late. Although ransomware gangs may try to be “socially responsible” when they choose their targets, this does not guarantee that their attacks will not directly lead to negative consequences for society.

By carrying out ransomware attacks that result in payment, ransomware gangs prove to other cybercriminals that ransomware is profitable. As long as ransomware is considered to be profitable in the underworld, ransomware gangs will continue to intentionally or unintentionally target organizations that are important to the public. Thus, by supporting a practice that harms society as a whole, every ransomware attack leads to negative social consequences regardless of intentions.

Tags
cyber extortion, cybersecurity, malware, RaaC, RaaS, ransomware, ransomware-as-a-corporation, ransomware-as-a-service, SaaS, virginia
