The top question for my inbox in May was, “How can this happen?” How can a computer virus take down the biggest fuel pipeline in the country? The answer in the Colonial Pipeline case is consistent with most hacks, big and small: apathy. And in cybersecurity, like so much else in life, apathy is a killer.
The nature of cybercrime is less tangible than with traditional risks, and cyberspace is more abstract compared to “real life.” For these reasons, many still don’t grasp the realities of digital threats, and avoidance behavior isn’t uncommon with people and organizations.
Here's how apathy came to roost at Colonial Pipeline:
“We found glaring deficiencies and big problems ... I mean an eighth-grader could have hacked into that system.”
Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. May 13th, APNews
And this from the Wall Street Journal:
Colonial Pipeline Missed Security Review Before Hack
"Colonial ... didn’t undergo a requested federal security review of its computer networks when hackers hit on May 7."
More and more hackers today find it easier to hack people than technology. Apathy and the "human element" are cybersecurity's weakest links, and every good hacker on the planet knows it. That's why email is usually the primary target of attacks - the inbox is a direct vector to their next potential victim.
Look at any of the most notorious hacks, and you’ll find email is likely to be the root of the problem. Even when you look more broadly at the hacks you don't read about, it's the victim's inbox where the trouble begins.
✓ It takes a self-starting initiative to break the bonds of apathy with digital risk, and the best place to start is by privatizing and securing personal email. Also, and this is critical: always enable the email box's multi-factor authentication (MFA) feature.
Ransomware - the evolution of extortion
Before the Colonial hack, businesses and individuals had been paying ransoms for years without making the front-page news or getting help from federal and local governments. And while recent headline events include eye-popping amounts, we've seen victims extorted for payments as low as $10,000.
Let's look at DarkSide, the ransomware gang that extorted $4.4 million from Colonial Pipeline (with credit to cyber sleuth Krebs).
DarkSide is a ransomware-as-a-service platform including all the tools and services anyone can use to be a hacker.
Franchisees, or 'affiliates,' use the platform to conduct their attacks and pay DarkSide a cut of the extorted funds.
DarkSide's platform includes a "call service," which enables a franchisee to call and pressure victims into paying ransoms directly from the management panel.
Stolen information is published on DarkSide's victim-shaming blog.
DarkSide made over $90 million over nine months before hacking Colonial.
Another ransomware-as-a-service platform bragged it had extorted over $2 billion before closing shop in 2019.
"... much the same way McDonald's Corp. supplies local store owners with pre-made soft serve and frozen hamburger patties."
Bloomberg - May 12th, describing the business arrangement between criminal syndicates and their affiliates.
According to cybersecurity firm FireEye, DarkSide's affiliate fees worked on a sliding scale - 25% of ransoms under $500,000, down to 10% for ransoms over $5 million.
✓ To understand the risk of ransomware, understand it less as a virus and more as a business model.
Ransomware as a business model
Cybercrime has been big business for a while now, and we've been writing about "the evolution of extortion" since 2014. But recently, ransomware has taken on a life of its own.
"In just a couple of years, cybersecurity experts say, ransomware has developed into a tightly organized, highly compartmentalized business."
What the New York Times describes as 'tightly organized and highly compartmentalized businesses' are in reality gangs of criminals enabled by a syndicate to push their malware around the world.
The syndicate scales its profits by arming its affiliate gangs with the best tools and services they need to be successful, including call centers and help desks.
“Any doofus can be a cybercriminal now. The intellectual barrier to entry has gotten extremely low.”
Sergei A. Pavlovich, a former hacker who served 10 years in prison in his native Belarus for cyber crimes.
The outcome is predictable - AI coupled with the ransomware-as-a-service business model will drive growth in cybercrime and damages to unprecedented levels. Here's why.
First, AI doesn't approach problems as humans do. AI software run on stolen personal information will hand criminals strategies and exploits they would never have found themselves.
Second, when AI is used to increase the effectiveness of the attack itself, anyone unsuspecting and unprotected becomes a ridiculously easy victim.
Bruce Schneier, one of cybersecurity's top gurus, says:
"When AIs start hacking, everything will change. They won’t be constrained in the same ways, or have the same limits, as people. They’ll change hacking’s speed, scale, and scope, at rates and magnitudes we’re not ready for."
While the future holds many challenges, cyber risk is still manageable. Defensive technology is effective and getting better all the time, and AI is also on the side of good, enabling the cybersecurity industry to level the field.
✓ Nothing can eliminate cyber risk, but you can avoid most of it if you are thoughtful, prepared, and use best-in-class protection for your email, devices, and networks.
Ransomware - there's been a big rise in double extortion attacks as gangs try out new tricks
"These attacks have become extremely successful – and lucrative for cybercriminals ... as more and more cyber-criminal groups move towards this form of extortion."
May 6th - ZDNet
Feds break up alleged site with 200k passwords from Netflix and others
"(The suspect) stole and sold more than 200,000 customer account credentials — for streaming services including Netflix, HBO Max, and Spotify Premium."
May 13th - the Verge
DarkSide Ransomware Gang Extorted $90 Million from Several Victims in 9 Months
"DarkSide, the hacker group behind the Colonial Pipeline ransomware attack earlier this month, received $90 million in bitcoin payments following a nine-month ransomware spree, making it one of the most profitable cybercrime groups."
May 13th - The Hacker News
Apple's head of software admits Macs have an unacceptable amount of malware
“Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS,”
May 18th - Craig Federighi, Apple’s head of software, in court on Wednesday.
CNA Financial Paid $40 Million in Ransom After March Cyberattack
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
May 20th - Bloomberg
FBI Analyst Charged With Stealing Cyber Threat Info
"The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing,"
May 22nd - Alan E. Kohler, FBI
Total Digital Security, 7777 Glades Rd, Suite 100, Boca Raton, Florida 33434, United States, 877-643-6391