Alessandra Peters

14/07/2022

Ransomware as a Service (RaaS) and the Colonial Pipeline Attack

On the 6th of May 2021, the Colonial Pipeline Company, operator of the largest refined-fuel pipeline system in the United States, fell victim to a ransomware attack of historic proportions. Roughly 100 gigabytes of data was stolen after the attackers gained access through a legacy VPN account that was still active and, critically, was not protected by multi-factor authentication.

By compromising critical systems for managing pipeline operations, the attack forced the Colonial Pipeline to stop functioning — effectively cutting off almost half of the entire fuel supply consumed on the East Coast of the US. Summing up the profound impact of this attack, Rob Lee, CEO of industrial cybersecurity company Dragos, told Wired that this was “the largest impact on the energy system in the United States we’ve seen from a cyberattack, full stop.” 

Perhaps unsurprisingly, Colonial Pipeline paid the ransom demanded of it (roughly $5 million) within hours of the attack. Nevertheless, the company was still forced to restore from its backup systems to restart operations, because the decryption tool provided by the attackers proved too slow. Aside from showcasing how ransomware attacks on critical infrastructure can cause outsized disruption, the Colonial Pipeline attack also highlights another worrying development in today’s threat landscape: financially motivated actors are becoming more capable.

In direct contrast to the recent state-backed SolarWinds campaign, the Colonial Pipeline ransomware attack was purely money-driven. That profit-motivated threat actors are both capable of and willing to shut off fuel supplies for tens of millions of people illustrates a dangerous escalation, and a major driver of that escalation is the growth of ransomware as a service (RaaS).

Ransomware as a Service Schemes Are Booming

The growth of ransomware attacks is on track to be one of the most notable cybersecurity trends of the decade. With ransomware attack numbers rising by 485% in 2020 and increasing by a further 102% in the first half of 2021, ransomware is already the biggest threat to organisations globally.  

While triple-digit growth rates for ransomware are undoubtedly shocking, behind them are the same market forces driving innovation elsewhere in the software world. Similar to how software as a service (SaaS) has democratised access to enterprise-grade business tools, powerful ransomware is now available on subscription. 

Previously the preserve of well-resourced, technically capable threat actors, the emergence of RaaS means that even inexperienced criminals can now launch attacks capable of crippling both private organisations and state bodies. Far from an isolated threat, nearly two thirds (64%) of all ransomware attacks analysed by Group-IB in 2020 were linked to the subscription-based RaaS model, with 15 new public ransomware affiliate programs emerging in the last year alone. Colonial Pipeline, hit with ransomware supplied by the DarkSide operators to one of their affiliates, is just another victim of this ascendant trend.

As Advanced Malware Becomes More Accessible, Ransom Demands Are Climbing 

Under the RaaS model, ransomware developers license their strains to affiliates in return for a share of the profits, increasing the likelihood that affiliates demand higher ransoms to cover the commission due. Alongside the fact that RaaS enables more threat actors than ever to engage in cybercrime, this profit driver helped grow extortion demands by more than 100% last year, with the average ransom now amounting to $170,000. However, this average hides the increasing frequency of enormous demands. When cybercriminals sense a victim’s willingness or need to pay, they are prepared to demand millions.

But RaaS has a downside for malware developers. RaaS operators may not always be able to control who their affiliates target. DarkSide, the ransomware gang responsible for the attack on Colonial Pipeline, tried to distance itself from the incident, saying, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not creating problems for society.” 

DarkSide has since quit the RaaS business, citing disruption to its operations, including lost access to its public-facing portal and funds that were apparently transferred out of its accounts to an unknown party. Other ransomware groups, such as Avaddon and REvil, have announced new rules for their affiliates, such as a ban on targeting government-affiliated entities, schools, and hospitals. However, whether RaaS operators are able, or genuinely willing, to enforce these rules is questionable.

Ransom Attacks No Longer End When Ransoms Are Paid and Systems Remediated

Attackers have long realised that merely paralysing a victim’s operations may not be enough to secure a ransom payment, particularly when working backups are available. As a result, modern ransomware strains, like DoppelPaymer, don’t just encrypt victims’ data but exfiltrate it before the encryption is triggered. This capability unlocks a tactic known as “double extortion,” where the threat of having sensitive information exposed online is used to pressure wavering victims. Sometimes, victims even have to pay twice: once to decrypt their data and once to ensure that the data isn’t published. To put even more pressure on their victims, attackers may also overload their public websites with DDoS attacks. The practical consequence is that backups alone no longer neutralise the threat; by the time files are encrypted, the data has usually already left the network.
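Because exfiltration precedes encryption, the earliest observable signal of a double-extortion attack is often a burst of outbound traffic from an internal host to an external destination, well before any ransom note appears. The following is an added example, not code from the original post or from any vendor it mentions: a minimal detector that sums outbound bytes per host to non-RFC1918 destinations from flow records and flags hosts that exceed an absolute threshold or a multiple of their own baseline. The flow records, host names, baselines and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, src_host, dst_ip, dst_port, bytes_out).
# These are illustrative, not real telemetry from any incident.
SAMPLE_FLOWS = [
    ("2021-05-05T01:02:00Z", "fileserver01", "10.0.0.5", 445, 2_000_000),
    ("2021-05-05T01:03:00Z", "fileserver01", "10.0.0.9", 445, 1_500_000),
    ("2021-05-05T02:10:00Z", "fileserver01", "203.0.113.20", 443, 3_000_000_000),
    ("2021-05-05T02:11:00Z", "fileserver01", "203.0.113.20", 443, 2_500_000_000),
    ("2021-05-05T02:15:00Z", "workstation17", "198.51.100.7", 443, 5_000_000),
    ("2021-05-05T02:20:00Z", "backup02", "10.0.0.50", 22, 40_000_000_000),
]

# Hypothetical per-host baseline of outbound external bytes per day,
# e.g. learned from the previous 30 days of flow data.
BASELINES = {"fileserver01": 50_000_000, "workstation17": 1_000_000, "backup02": 0}

# RFC 1918 ranges; anything outside these is treated as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_external(ip: str) -> bool:
    """True if the destination lies outside the internal address space."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_external_bytes(flows):
    """Sum bytes sent by each source host to external destinations only.

    Large internal transfers (e.g. backup02 pushing to an internal target)
    are deliberately ignored so routine backup traffic does not alert.
    """
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, baselines, abs_threshold=1_000_000_000, ratio=10):
    """Return (host, bytes) pairs that look like staged data leaving the network.

    A host is flagged if its external outbound volume exceeds abs_threshold
    (1 GB by default) or is at least `ratio` times its own baseline.
    """
    flagged = []
    for host, total in sorted(outbound_external_bytes(flows).items()):
        base = baselines.get(host, 0)
        if total >= abs_threshold or (base and total >= ratio * base):
            flagged.append((host, total))
    return flagged


if __name__ == "__main__":
    for host, total in flag_exfil_candidates(SAMPLE_FLOWS, BASELINES):
        print(f"possible exfiltration: {host} sent {total / 1e9:.1f} GB externally")
```

In this constructed data only fileserver01 trips the detector: it pushed 5.5 GB to a single external address, far above both the 1 GB threshold and its 50 MB daily baseline, while workstation17 stays within five times its baseline and backup02 only moved data internally. In production the same logic would sit on NetFlow/IPFIX or proxy logs, and the destination should additionally be checked against known cloud-storage and file-sharing services, which is where double-extortion crews typically stage stolen data.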

These kinds of ransomware attacks surged in 2020, with at least 34 ransomware groups exposing stolen data belonging to over 2,000 organisations to date. As if double extortion wasn’t alarming enough, there have recently been reports of attackers using triple extortion tactics. In triple extortion, attackers not only steal data from an organisation and threaten to leak it if the organisation doesn’t pay, but also go after the individuals the data concerns. In October 2020, the cybercriminals who hacked a Finnish psychotherapy clinic demanded ransom payments from both the clinic and its patients.

Organisations Need to Prioritise Proactive Defence

As shown by the exponential rise in ransomware incidents and the increasing frequency of headline-making attacks like the one that struck the Colonial Pipeline, today’s cybersecurity status quo is not protecting organisations against modern ransomware.

Despite the fact that most enterprises now deploy around 45 cybersecurity tools on their networks, the average security team’s ability to contain threats has decreased by 13%, suggesting that tool sprawl adds alert volume faster than it adds protection.

As a result, increased spending on cybersecurity solutions appears to be giving organisations less rather than more security. Indeed, about 40% of organisations are so overwhelmed by security alerts that they end up ignoring at least 25% of them. Yet 70% of organisations plan on increasing their cybersecurity spending post-pandemic.

What this paradox shows is that as they ramp up cybersecurity budgets, rather than buying more tools, organisations need to take a proactive approach to cybersecurity, which involves:

Final Thoughts

With a growing cybercriminal appetite for profit, the emergence of RaaS, and double and even “triple extortion” tactics becoming the norm, we are more than likely to see even more ransomware attacks in 2021. Regrettably, as past incidents have shown, no industry, however vital it is to society, is exempt from these attacks. As cliché as it sounds, dozens of successful ransomware attacks will have been carried out in the time it takes you to read this blog post. Rather than waiting for the next headline, organisations need to act immediately and proactively against the biggest cyber threat their operations are ever likely to face: ransomware.
