Article by Darktrace.
In 1988, a Harvard graduate began an experiment to see how many computers were connected to the Internet. 24 hours later, 10% of all computers around the world had been taken down and the damages soared into the millions. Robert Tappan Morris had inadvertently created the first ever computer worm.
Fast forward to the present day, and we’re facing the most recent example of a cyber threat miscalculation. The DarkSide ransomware group most likely only intended to hit the IT system of Colonial Pipeline, but the consequences were disastrous, halting the supply of fuel across the East Coast, leading to gas shortages, hoarding, and spikes in gasoline prices around the world.
In an apparent show of social responsibility, the DarkSide group issued an apology for the attack on social media:
From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
The motivation behind this statement is clear: self-preservation. The aftermath of the attack affected not only Colonial Pipeline but the DarkSide group themselves. They fell into the direct firing line of the full force of the US Government, as well as becoming pariahs among other criminal groups for the attention they had drawn. In less than a week, DarkSide announced that they would close their operations for good.
Misjudging the impact of a cyber attack can lead to a range of unintended ramifications, from a cybercrime group feeling increased heat from law enforcement to a nation state escalating a conflict further than it intended.
It is for this reason that many ransomware groups have historically tended to keep their affairs under the radar. Over 70% of ransomware attacks target SMBs. Following the incident at Colonial Pipeline, and no doubt for fear of moving up the FBI’s Most Wanted list, a major Ransomware-as-a-Service (RaaS) group, REvil, announced the following policy:
- Work in the social sector (health care, educational institutions) is prohibited;
- It is forbidden to work on the gov sector (state) of any country.
Organized cybercrime groups often stress that they are apolitical and motivated solely by financial gain, but the effects of a cyber attack are becoming increasingly difficult to predict and control. The reason for this is twofold. The first is interconnectivity. We live in a digitized world that is so interlinked that an attack on one server can have global consequences, whether through reverberations down the supply chain, IT converging with OT, or a cyber threat against one country affecting the rest of the world.
The second reason is easier access to more sophisticated tools. The commercialization of cybercrime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and with ease.
As far as we know, DarkSide itself was not a state-sponsored APT, merely a private criminal franchise. Yet they advertised their ransomware as the fastest in the world and managed to pull off one of the most disruptive critical infrastructure cyber attacks of all time.
Ransomware is no longer a human-scalable problem. Organizational resilience depends not on throwing more people into the mix, or even upskilling existing teams – machine-speed attacks need a machine-speed response. As such, Self-Learning AI technology proves critical in tackling the volatility and speed of the threats of today, and of tomorrow.