Are we overestimating the ransomware threat?

On Monday afternoon, the U.S. Justice Department said it has seized much of the cryptocurrency ransom that U.S. pipeline operator Colonial Pipeline paid last month to a Russian hacking collective called DarkSide by tracking the payment as it moved through different accounts belonging to the hacking group and finally breaking into one of those accounts with the blessing of a federal judge.

It’s a feel-good twist to a saga that began with a cyberattack on Colonial and resulted in a fuel shortage made worse by the panic-purchasing of gasoline last month after the company shut down one of its major pipelines (and later suffered a second pipeline shutdown owing to what it described as an overworked internal server). But Christopher Ahlberg, a successful serial entrepreneur and the founder of Recorded Future, a security intelligence company that tracks threats to the government and corporations and runs its own media arm, suggests that Americans have overestimated DarkSide all along. He explained a lot about the way its operations work last week in an interview that you can hear here. Shorter excerpts from that conversation follow, edited lightly for length.

TC: Broadly, how does your tech work?

CA: What we do is try to index the internet. We try to get in the way of data from everything that’s written on the internet, down to the electrons moving, and we try and index that in a way that it can be used for people who are defending companies and defending organizations... We try to get into the heads of the bad guys, get to where the bad guys hang out, and understand that side of the equation. We try to understand what happens on the networks where the bad guys operate, where they execute their stuff, where they basically transmit data, where they run the illicit infrastructure — all of those things. And we also try to get in the way of the traces that the bad guys leave behind, which could be in all kinds of different interesting places.

TC: Who are your customers?

CA: We have about 1,000 of them in total, and they range from the Department of Defense to some of the largest companies in the world. Probably a third of our business is [with the] government, one third of our business is in the financial sector, then the rest [comprise] a whole set of verticals, including transportation, which has been big.

TC: You’re helping them predict attacks or understand what happened in cases where it’s too late?

CA: It can go both ways.

TC: What are some of the clues that inform your work?

CA: One is understanding the adversary, the bad guys, and they largely fall in two buckets: You’ve got cyber criminals, and you’ve got adversary intelligence agencies.

The criminals over the last month or two here that the world and us, too, have been focused on are these ransomware gangs. So these are Russian gangs, and when you hear ‘gang,’ people tend to think about large groups of people [but] it’s typically a guy or two or three. So I wouldn’t overestimate the size of these gangs.

[On the other hand] intelligence agencies can be both very well-equipped and [involve] large sets of people. So one piece is about tracking them. Another piece is about tracking the networks that they operate on... Finally, [our work involves] understanding the targets, where we get data on the potential targets of a cyber attack without having access to the actual systems on premises, then tying the three buckets together in an automated fashion.

TC: Do you see a lot of cross pollination between intelligence agencies and some of these Russian cutouts?

CA: The short answer is these groups are not, in our view, being tasked on a daily or monthly or maybe even yearly basis by Russian intelligence. But in a series of countries around the world — Russia, Iran, North Korea is a little bit different, to some degree in China — what we’ve seen is that government has encouraged a growing hacker population that’s been able, in an unchecked way, to be able to pursue their interest — in Russia, largely — in cyber crime. Then over time, you see intelligence agencies in Russia — FSB, SVR and GRU —  being able to poach people out of these groups or actually task them. You can find in official documents how these guys have mixed and matched over a long period of time.

TC: What did you think when DarkSide came out soon after the cyberattack and said it could no longer access its Bitcoin or payment server and that it was shutting down?

CA: If you did this hack, you probably had zero idea what Colonial Pipeline actually was when you did it. You’re like, ‘Oh, shit, I’m all over the American newspapers.’ And there are probably a couple of phone calls starting to happen in Russia, where basically, again, ‘What the hell did you just do? How are you going to try to cover that up?’

One of the simplest first things you’re going to do is to basically say either, ‘It wasn’t me’ or you’re going to try to say, ‘We lost the money; we lost access to our servers.’ So I think that was probably fake, that whole thing, [and that] what they were doing was just to try to cover their tracks, [given that] we found them later come back and try to do other things. I think we overestimated the ability of the U.S. government to come rapidly right back at these guys. That will just not happen that fast, though this is pure conjecture. I’m not saying that with access to any inside government information or anything of the sort.

TC: I was just reading that DarkSide operates like a franchise where individual hackers can come and receive software and use it like a turnkey process. Is that new and does that mean that it opens up hacking to a much broader pool of people?

CA: That’s right. One of the beauties of the Russian hacker underground is in its distributed nature. I’m saying ‘beauty’ with a little bit of sarcasm, but some people will write the actual ransomware. Some will use the services that these guys provide and then be the guys who might do the hacking to get into the systems. Some other guys might be the ones who operate the Bitcoin transactions through the Bitcoin tumbling that gets needed... One of the interesting points is that to get the cash out in the end game, these guys need to go through one of these exchanges that ended up being more civilized businesses, and there might be money mules involved, and there are people who run the money mules. A lot of these guys do credit card fraud; there’s a whole set of services there, too, including testing if a card is alive and being able to figure out how you get money out of it. There are probably 10, 15, maybe 20 different types of services involved in this. And they’re all very highly specialized, which is very much why these guys have been able to be so successful and also why it’s hard to go at it.

TC: Do they share the spoils and if so, how?

CA: They do. These guys run pretty effective systems here. Obviously, Bitcoin has been an incredible enabler in this because there is a way to do payments [but] these guys have whole systems for ranking and rating of themselves, much like an eBay seller. There’s a whole set of these underground forums that have historically been the places that these guys have been operating, and they’ll include services there for being able to say that somebody is a scammer [meaning in relation to the] thieves who are among the cyber criminals. It’s much like the internet. Why does the internet work so well? Because it’s super distributed.

TC: What’s your advice to those who aren’t your customers but want to defend themselves?

CA: A colleague produced a pie chart to show what industries are being hit by ransomware and what’s amazing is that it was just super distributed across 20 different industries. With Colonial Pipeline, a lot of people were like, ‘Oh, they’re coming from the oil.’ But these guys could care less. They just want to find the slowest moving target. So make sure you’re not the easiest target.

The good news is that there are plenty of companies out there doing the basics and making sure that your systems are patched [but also] hit that damn update button. Get as much of your stuff off the internet so that it’s not facing out. Keep as little surface area as you can to the outside world. Use good passwords, use multiple two-factor authentication on everything and anything that you can get your hands on.

There’s a checklist of 10 things that you’ve got to do in order to not be that easy target. Now, for some of these guys — the really sophisticated gangs — that’s not enough. You’ve got to do more work, but the basics will make a big difference here.