Lately, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel.
In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to prevent attacks in the future. Then, the focus often begins to move toward cryptocurrency and how its perceived anonymity helps to increase ransomware attacks, inspiring more cybercriminals to get into the game.
However, taking a look at the macro picture of cybersecurity attacks, we see some trends that have been emerging. For example, losses from cyberattacks increased by 50% between 2018–2020, with the global losses adding up to over $1 trillion. It’s an unavoidable conclusion that speaks to the pervasiveness of security vulnerabilities available to exploit.
The rise in cybercrimes is also spurred on by the availability of ready-made, off-the-shelf malware easily found on the dark web for those with little skill, but who still want to profit off of the free-money opportunities unsecured organizations present. Importantly, criminals themselves have continued to evolve their strategies to evade defensive security tactics, techniques and procedures (TTPs) to ensure they can continue to be profitable. Should cryptocurrency no longer be a viable option for payment, attackers would almost definitely pivot to a different payment approach. The thought that they would simply stop attacking these organizations without crypto defies credulity.
The “root cause,” if you will, of these events is not the payment method used to reward the criminals, it is the security gaps that allowed them to breach the enterprise and, obviously, the fact that there are criminals out there committing these crimes.
With ransomware trending itself (and within the DarkSide attack), we see this ever-shifting modus operandi demonstrated. In the early days of ransomware, it was relatively cut and dry: A cyberattacker finds a way into the enterprise — most often via a social engineering attack, such as a phishing email or unsecured remote desktop protocol — and encrypts the victim’s files. The victim either pays the ransom via a wire transfer or crypto, and in most cases, gets the decryption key, which usually (but not always) decrypts the files. Another alternative is that the victim chooses not to pay and either restores their files from a backup or just accepts the loss of their data.
Cyber attack’s tactics
Around late 2019, more enterprises were prepared with backup strategies to meet these threats and declined to pay. Ransomware actors, such as the Maze ransomware group, emerged, evolved and shifted tactics. They began to exfiltrate data and extort their victims: “Pay, or we will also publically publish sensitive data we stole from you.” This greatly escalated the costs of a ransomware attack, effectively turning it from a company issue to a notification event, requiring data discovery, even more legal counsel and public scrutiny, while demonstrating the attacker’s determination to find ways around impediments to payment. (DarkSide, which is believed to have been the group behind the Colonial Pipeline attack, is an extortionate group.) Another trend, as cited in the report above, is the increased targeting of victims, finding those who are able to pay higher dollar amounts, as well as those with data they would not like to see shared publicly.
Cyberattackers will keep evolving their tactics as long as there is someone or some organization to attack; they have been doing so since the beginning of hacking. Before crypto and even cybercrime, we had dropping cash in a bag at night and wire transfers as options for anonymous payments to criminals. They will keep finding ways to be paid, and the benefits of crypto — financial freedom, censorship resistance, privacy and security for the individual — far outweigh the downside of its attractiveness to criminals who may find its convenience appealing. Vilifying crypto will not eliminate the crime.
It may be difficult, even (likely) impossible, to plug every security gap in the enterprise. But too often, security fundamentals are overlooked , such as regular patching and security awareness training, which go a long way to reduce the risk of ransomware. Let’s keep our eye on the target — the enterprise — and not the prize — crypto. Or, we may be blaming fiat for all other financial crimes next.