No one ever got anywhere in cybersecurity by relying on the kindness of cybercriminals. So it was bewildering and not in the least bit reassuring to see DarkSide, the criminal group responsible for providing the necessary tools and infrastructure to launch the ransomware attack on the Colonial Pipeline, claiming it hadn’t meant to target critical energy infrastructure. From now on, DarkSide said in a statement after the pipeline temporarily shut down, it will “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
That meaningless promise of stricter scrutiny for its illegal dealings seems to have been too little too late to save DarkSide. Last week, it announced it would be shutting down in light of losing its access to infrastructure and its cryptocurrency accounts. It’s unclear which countries or companies were responsible for seizing DarkSide’s servers and cryptocurrency assets, but it’s at least a little bit promising to see private and/or public entities taking such forceful actions against a ransomware group. (Though Dmitry Smilyanets at Recorded Future speculated that the group might simply be faking its shutdown as a way to avoid paying out to its affiliates their portion of the $5 million in cryptocurrency that it reportedly collected from Colonial Pipeline.)
In the meantime, Brian Krebs reports, the Colonial Pipeline attack drew so much attention and backlash that “some Russian cybercrime forums began distancing themselves from ransomware operations altogether.” For instance, Krebs reports that Russian forum XSS is banning all discussion of ransomware programs on its platform because, according to the forum administrator, “The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”
What’s really incredible is not that people are trying to distance themselves from the ransomware business but rather that it took this long for ransomware to be widely viewed as dangerous and toxic. To be clear: There’s no version of distributing ransomware that is remotely ethical, virtuous, or even morally ambiguous. In the aftermath of the Colonial Pipeline shutdown, several ransomware groups, including REvil and Avaddon, are announcing that they will stop attacking critical infrastructure and other targets, including health care facilities, schools, and government agencies. It’s all very reminiscent of the moment at the beginning of the COVID-19 pandemic when a few ransomware operators announced they would not target hospitals during the health crisis. Then, to no one’s surprise, ransomware attacks on the health care sector increased during the pandemic.
It’s unclear whether anyone ever really bought into the idea of cybercriminals with a conscience—besides the criminals themselves. The pledges seem aimed not at law enforcement or public sentiment, both of which are unlikely to soften on ransomware purveyors, but instead at the infrastructure operators these criminals rely on. If, as in the case of DarkSide, your business model is so widely hated that no one will even sell you server space or manage your cryptocurrency wallets for you, then it becomes much more difficult to operate a cybercrime organization. To that end, even if criminal organizations didn’t make good on their pledges not to attack certain types of targets, just putting those promises in writing might have been enough to give their service providers an excuse to keep doing business with them. And as the Colonial Pipeline incident demonstrates, violations of those self-imposed codes of conduct could then be used as a reason for other companies to sever those contracts and distance themselves from groups like DarkSide (or, alternatively, a reason for the criminals to fake their own demise and make off with all the profits).
But such pledges were never more than window dressing. The idea of cybercriminals with a strict moral code—especially ones who extort their victims for millions of dollars and threaten to release the information they’ve stolen unless those payments are made—is laughable. The “code of conduct” that DarkSide posted for customers looking to purchase its ransomware-as-a-service tools apparently specified that the company would not target hospitals, schools, nonprofit organizations, or government agencies, among other protected entities. DarkSide also insisted that it donated some of the profits of its extortion efforts to charity. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” its recent statement said of the donations.
It’s hard to imagine anyone ever took these claims as anything other than a weak attempt at window dressing for a criminal enterprise. But just in case any of the infrastructure providers that were renting server space or operating cryptocurrency accounts for these groups took any comfort in these empty promises, the Colonial Pipeline attack lays bare just how ridiculous the idea of a ransomware Robin Hood truly is.
There’s no such thing as a ransomware group that steals from the rich and gives to the poor, or targets only the computer systems that we don’t really need and avoids all of the victims providing crucial services or without enough cash to make large extortion payments. For one thing, malicious code like ransomware is not always easy to target. Criminals may be able to exert some control over which people and devices their programs are initially sent to (though often they just want to distribute it as widely as possible in hopes of infecting lots of victims) but they often can’t control how widely it spreads across interconnected networks. Moreover, critical infrastructure operators like Colonial Pipeline or hospitals are often the organizations most susceptible to paying ransoms because they need to get their systems back up and running as quickly as possible to minimize the consequences of an attack and may not have time to fully reboot the infected computers. So of course ransomware groups are going to target those companies if they want to make money. And now that Colonial Pipeline has revealed it’s willing to pay millions of dollars to regain control of its computer systems, odds are good that more groups will come after it—not fewer.
No one—not Colonial Pipeline, not the companies that provide infrastructure to criminal groups, and certainly not anyone else worrying about the threat of ransomware—should trust a word that cybercriminals say about who they will or will not target, what their charitable activities are, or any other half-hearted attempts to justify their fundamentally mercenary and inexcusable crimes. If the Colonial Pipeline attack can make clear that there are no good ransomware groups, no grey areas of ethical online extortion, and no acceptable lists of victims in this space, then that will be a small step in the right direction toward reinforcing just how toxic and dangerous every single last one of these groups truly is, code of criminal conduct or no.