What, Me Worry? When Ransomware Gangs Issue News Releases
Welcome to our first SPECIAL EPISODE where we cover breaking news as it happens. Today we catch up with Joe Uchill, senior reporter at SC Media, to discuss the Colonial Pipeline ransomware attack and ransomware gangs making headlines this week and why we continue to see escalating attacks in frequency, ransom demands and high value targets such as critical infrastructure.
Joe shares insights from his many years reporting from the cyber front lines speaking with government, regulatory, industry and hacking groups on what it would take to decrease the financial incentive and increase the criminal risk to make ransomware an undesirable pursuit.
Spoiler alerts… ransomware gangs make mistakes and often hit “accidental” targets, regulating cryptocurrency is just as hard as it sounds, and while ransomware task forces can’t agree on the most effective solution(s) to mitigate ransomware, most agree global cooperation would be at the top of the list!
What, Me Worry? When Ransomware Gangs Issue News Releases
[01:33] Big Theme of the Day: Ransomware Gangs
Rachael: Joe Uchill is here, Senior Reporter of SC Media. Welcome to the podcast, Joe, we have a fun conversation ahead of us today.
Rachael: Where to start, Eric, Joe? So much going on today and I think ransomware is our big theme of the day and, as we know, the latest making the headlines. I know, Joe, you've written a few articles here on the Colonial Pipeline and the ransomware and what a mess. How do we try to rein in this horse, if you will? Where do we even start with that?
Rachael: I know you've written an article recently on some ways that we could look at regulations, sanctions, things that have been talked about. But are there other things that we could be thinking about as well? How do we get to the heart of the purse strings that seem to be really driving this whole need for money? Which, as we know, this ransomware gang actually put a news release out saying, "We're only in it for the money."
Rachael: I'm just jumping right in. It's a jumping-off point.
Joe: I think one of the interesting things with ransomware is the policy options are extremely varied and most of them are discussed in terms of being very detailed, complementary packages that you get five solutions if you get one.
Banning Paying Ransom
Joe: The solutions that get talked about the most, I think, right now, the one that I think captures the public imagination the most appears to be just outright banning paying ransom. There are a lot of problems with doing that. It may very well be a successful approach, but when you talk about something like banning ransom, it adds a level of penalty to the victims that might not want to incur.
#TTP Ep. 133 - In this special #ransomware edition, we talk to SC Media Seniro Reporter Joe Uchill about the Colonial Pipeline attack, ransomware gangs making headlines this week, why ransomware attacks continue to escalate and more.
Eric: Right. Joe, when you're saying banning ransom, you're actually, the payment of?
Joe: Yes, some people have suggested that if you force companies to not pay ransom, it will dry up the economy entirely. The downside of doing that, it's very difficult for companies to imagine not existing. It's difficult to put a company in a position where they are essentially choosing to go out of business, so a lot of people won't.
Eric: Or a government organization, state/local government organization. How do you shut the City of Baltimore down?
Joe: Exactly. I mean, there are situations where you absolutely want somebody to pay, like a hospital. You don't want a hospital to close. There are situations where companies will pay and just try to keep it quiet because no company wants to go out of business. You're adding a level of penalty. It's a double victimization approach to it. You're adding another thing that if you pay once, that means that the people can extort you multiple times over the same issue. Because you've now broken a law and every time you continue to break the law.
A Solution That Gets Discussed
Eric: Well, and there's double extortion, too. They can sell your information, even if you pay them and they unlock. Boom, all of the content they stole, they encrypted and took, potentially took, ends up on the dark web or wherever.
Joe: Yes. There are several other issues with trying to approach this issue that way. A multi-stakeholder group task force run out of the Institute for Security and Technology couldn't reach a conclusion when they were discussing whether or not this is a solution which they think governments should pursue. When you look at solutions that people are less iffy about, some of them include things like trying to use law enforcement or intelligence or military resources to try to break up the infrastructure used in these networks, in ransomware networks. All of them involve the same kind of command and control infrastructure you see in other malware. If you can interrupt those servers, you cut off some of that control.
Joe: One solution that gets discussed is trying to increase global cooperation between countries that harbor a lot of these ransomware groups and countries that would rather not be being hit by ransomware. That can come through in a number of ways. Sanctions was one you mentioned. People have mentioned potentially sanctioning Russia. You could go other routes. You could say tie military aid to being more proactive about investigations with cybercrime. But in a lot of cases, foreign countries do not investigate criminals within their border with the same amount of vigor as we would hope if they're pointing their attacks elsewhere.
Joe: One of the things you saw in the DarkSide ransomware, as well as with a lot of malware that comes out of Russia. It specifically checks to see if the computer networks it's infecting use the Russian language. That's because there's at least believed to be an unspoken agreement between the FSB and cybercriminals. That if they're not attacking Russia, it's not going to be their priority.
Joe: The bottom line is that there's very little way to necessarily affect a criminal who's in a country that we don't have good relationships with to extradite those criminals. We sometimes capture them when they're on vacation, and that is a legitimate thing to have on the table. Whenever there are indictments of Russian nationals or Chinese nationals, that's essentially what we're saying we want.
Eric: Should the government that they're operating under, who isn't doing anything or isn't doing enough, should they be held responsible?
Joe: There are not a huge number of ways to do that. I mean, there are sanctions. We can keep sanctioning Russia, but those might have a limited end.
Joe: There’s a maximum number of sanctions we can put on Russia or North Korea.
[09:37]Ransomware Is Unique
Eric: Right, and Nigeria is not going to sanction Russia. That doesn't work.
Joe: One thing that you sort of need is a large global coalition who will do whatever you want to do together so you can prevent some of the workarounds that come up through sanctions. A lot of the solutions that you see to ransomware are avoiding the government and the justice issue, too, in different ways. You see some people talking about, say, modifying how cryptocurrencies are handled. Finding ways to intervene in those payments, finding ways to reverse criminal payments. Essentially bringing a sort of shadow financial system into the normal global financial system.
Joe: You also see more efforts to try to raise the base cost of intrusions. Lower the profitability of using ransomware because in the long run ransomware is sort of unique. It is very cheap to produce. It's very cheap to run as an attack, and the results are incredibly asymmetrical to the intentions.
Joe: It's like with the pipeline. Attackers are not necessarily considering that they're not in it to cut off 45% of the oil to the East Coast, they would really just like a payday, but inadvertently they're cutting off oil.
Rachael: Interesting. Exactly, Joe, right? It sounds like it never even occurred to them that, "Oh, hey, we're targeting this pipeline because we want to get paid, but maybe they would shut off the pipeline to mitigate this threat." It's like it never occurred to them, that release they put out. What did they say at the end? "We'll be more mindful next time."
Affiliate Ransomware Group
Joe: They'll be more mindful. They aren't even the ones that did the intrusion. It's an affiliate ransomware group. So what they ultimately do is they sort of lease out the rights to use their ransomware at anywhere you intrude.
Joe: It's like the people who come to your door and sell magazine subscriptions.
Joe: Similarly annoying. They don't traditionally have oversight over who gets attacked and who doesn't get attacked. So occasionally you run into situations where ransomware groups will say like, "We'll try to not do this in the future." This has happened with hospitals before. There are ways to go too far with this, especially during the pandemic. It's a risk to global supply chains that is also a petty crime. And that's a very tough thing to wrap your head around on all levels.
Eric: I have a question for you, Joe. Or Rachael, you might enjoy answering this one. The person who I'm going to say accidentally targeted Colonial Pipeline, I don't know that they even knew what they were targeting. I'm pretty confident from everything I've seen they weren't going after the OT side of the business and they had no expectation whatsoever that 45% of the petroleum delivery to the East Coast of the United States was going to be shut down.
Eric: What do you think happened to the individual who brought the heat of the United States government, DHS, FBI, declares a state of emergency here? What do you think happened to that poor individual who made the mistake of, "Hey, I'm just running a script to make a couple of million bucks here from a company?" Boom, the United States is aiming at them. NSA is looking at them. I can't imagine how you slept that night.
Joe: Well, it may not be the worst mistake somebody has made with ransomware. So far it appears to be WannaCry, and that's going back a few years. It's unlikely the way that was set up in terms of they wanted all payments via email, so they were anticipating being able to handle these things one at a time.
Joe: It did not appear that they thought it was going to get out of control that fast. It was poorly designed. They appeared to be working for the North Korean government. So if there is one person to worry about the effects of screwing up a ransomware campaign, it might have been WannaCry guy.
Eric: I heard in North Korea they executed a conductor, I guess, last week. I didn't even read what he did.
Eric: This is out there, though. Like we pissed off the President of the United States and most of their government agencies.
Joe: If you're working for organized crime in Russia, that might not be your first concern is whether people in the United States are upset with you. We're big and frightening, but not as much to an individual who is outside of our grasp.
Eric: No, I'm looking at it a little differently. I'm looking at it more as you just brought attention to everything we're doing, to everything we're about. We're on the world stage right now where we don't want to be. We just want to quietly operate under the cover of darkness and, boom, you put the spotlights on us. Because you targeted a pipeline by accident.
Joe: It's true. I mean, it does seem like that would not be, but certainly you don't want to accelerate the process of creating strategies to stop the business that you're in.
Eric: Exactly, or come after me.
Joe: At the same time, DarkSide has been incredibly visible in the past. Like you said, they put out a press release. They talked to the media. They are incredibly comfortable. They're not the kind of criminals that you expect in the United States who are trying to stay entirely hidden.
Eric: Well, here's my perspective. We know President Biden was briefed on Saturday morning about this. I suspect DarkSide's never been briefed to the President before specifically. That's where it's like world stage. You kind of came out of the shadows, and I'm not sure you wanted to do that when you're skimming your millions off the top.
Joe: You certainly don't want to be in a scenario where the President is going to send Cyber Command on a criminal mission to try to intervene on something. Once you become a national security threat, there's a different level of aggression.
Eric: Well, and your host nation now has attention on them, which I'm sure is less than favorably looked upon, right?
Joe: You would imagine so. I'm not sure how you tell the difference between the relationship between the United States and Russia before something goes wrong and after. That isn't a relationship they've tried particularly hard to maintain and foster.
Eric: No, I get that, but just sometimes for me it's like we just didn't need this. It's almost like when your kids do something stupid and you have to deal with it. It's like, "Look, you know what, I didn't need Biden all over me right now and NSA escalating and Cyber Command looking at how are they going to deal with this. Could you have just picked a small town in Florida? Could you have just picked a pizza shop in Oklahoma?"
Medical Institutions Were Attacked by Accident by Ransomware Gangs
Joe: They will continue. I mean, one of the problems with, especially in affiliate service, but with targeting in general, there are a lot of well-documented mistakes in targeting that get made. A lot of times when you see ransomware that attacked, say, medical institutions, and not a lot of times. But there have been recorded instances where medical institutions were attacked by accident. Because they thought they were educational institutions like ones that are attached to universities.
Joe: Having never targeted one of these campaigns myself, I can't really speak to it. But I get the sense that it's not the precision science on all levels all the time that you might hope. They're not necessarily doing a full threat. No one's anticipating that they're going to do a full-threat analysis, like fully appreciate what's going to happen after they deploy something. You do get the sense from reading negotiations that they are very well prepared on a lot of fronts. They know what your policy is so that they can ask for the maximum amount of insurance payout right away. I can't speak to whether how precise it's reasonable to expect them to be.
Rachael: What did we see with the whole SolarWinds? It was a kind of spray and pray, kind of, "Let's cast a wide net, see what we get, and then like start figuring out the whale targets that we got and go after those." It was kind of like that-ish?
Spray and Pray
Joe: A lot of times with ransomware, you see people purchase access to specific systems that there are multiple phases in that kind of economy. Where there's one group of people doing the physical breaching, one group of people buying the access to put in the malware. I don't know that this was a spray and pray kind of issue. Especially with an affiliate program since there's many different actors who were operating on it. I don't know what's normal for the group in general and I don't know what's normal for the specific person who was leasing the ransomware from the group.
Joe: I'm not in the position to draft a night evaluation of the quality of the ransomware prospect.
Eric: Right, the targeting.
Eric: What if it ended in significant loss of life? It was a mistake. Criminal group going after a couple million bucks of money. We almost talk about it like it's petty crime, not that serious. It's not on the same level as nation state attacks. What if something happened that killed a hundred people in America? How do we think about it differently?
Eric: It was an accident. "Well, we didn't really target." They probably didn't target. It wasn't their intention, but it's not money anymore. Now, it's somebody, a criminal group, state-authorized. The state's looking the other way, reaching into our country and I don't know. Something happened in a hospital and all of a sudden the medical systems you know, people died. Do we think about it differently? Is it more serious?
Joe: You would hope that the more severe the outcome, the more seriously it will be taken on a global level. At the same time, you sort of hope that we will reach some kind of stasis where the enterprise in general is being treated like that. Where it won't take the bad outcome to look into the prevention.
Joe: I phrase that but in order to successfully reduce ransomware, we're going to need systems in place that exist and take seriously instances that don't result in the loss of life or result in a cutoff of petroleum to the East Coast. The bar is going to have to be lower not higher for us to be disturbed in order to successfully address the problem.
Eric: We're not that disturbed today. We're kind of okay with it as a society. We're not doing a whole lot.
[23:21] We Are Spared by Ransomware Gangs
Joe: I think it may be different for the United States than in other countries just solely based on our time zone, of all things. With WannaCry and NotPetya, we were sort of spared because the attacks could be cut off. The attacks started on European time, not on American time. By the time we woke up, a lot of it had been.
Joe: If you had lived through NHS in the UK, having to shut down hospitals. Or if you were in the Ukraine where a substantial number of industries entirely businesses went bankrupt. You've seen a much more robust range of damage that ransomware can cause. In the United States, we haven't really had that same scale of damage. And we do a bad job in general converting what the equivalent of the financial damages to companies would be in terms of physical damage.
Joe: One time I went through just the reports for public companies in losses from WannaCry. We're about the same as like a medium-sized hurricane hitting the United States. While you don't get the same loss of life and you don't physically see devastation, and I don't want to minimize either of those things.
Joe: The chance for ransomware to be devastating and shutting down a factory for a week or a port for a day is a substantial financial impact that has a substantial ripple effect to the people who are involved. It's hard to feel that. It's hard to see what that did the way that it is with other types of crime.
Substantial Financial Impact
Eric: No, you're right. I was just trying to look up like with WannaCry, FedEx was impacted pretty severely. We're talking tens of if not hundreds of millions of dollars as I recall. Maersk, same thing, but I like what you said. Well, I don't like it, but I agree with you. We kind of rode it out like it was a mid-sized hurricane or maybe even a small one, and I don't think the government even got involved like FEMA wasn't activated or anything else. They just dealt with it.
Joe: There were investigations behind the scenes. They tried to name and shame the people involved. Obviously, there were press conferences, but I don't think it was something that the people within the U.S. felt the same way that Europe did.
Joe: Well, no one felt like the way that Ukraine did.
Eric: Right. I keep going back to Steve Grobman, CTO of McAfee. He always talked about the probability of cyber, which I think it's incentive divided by risk. Probably of cyber equals incentive divided by risk, and you're talking about the incentive, right? They're skimming millions of dollars off of organizations. They understand what the insurance payout is, so they know exactly what to ask for. Most organizations, from everything I've seen, actually pay, and the risk is pretty low. The nation-state that they're represented from isn't going to do a whole lot. The United States or the free can't reach into those countries very easily to do a whole lot, so why stop?
A Nonprofitable Crime
Eric: I think that's the problem. Why stop?
Joe: Yes. That is the problem, and you see a lot of solutions that they're trying to interrupt either the payment systems that go into it, trying to introduce financial system-like regulations to cryptocurrencies to make it more difficult to get payments. If you make it impossible to pay or if you disincentivize payment, it makes it a nonprofitable crime, and nonprofitable crimes are not real crimes, or they're not crimes that exist.
Joe: When you look at the ways that people have tried to approach that with cryptocurrency, it's that's by adding in traditional banking regulations. Like know your customer, where exchanges and other places where you would cash out, convert the cryptocurrency back to normal currency. Would have to be able to track the customers that they're involved with. Some people have suggested that in order to list your cryptocurrency with an exchange that works in the United States, you would need to have some function to either recover funds or freeze accounts.
Eric: Right. Can you do that with crypto? I mean, today, that seems technically difficult.
Joe: Today, no.
Joe: The thing is with cryptocurrency is, part of the appeal is beyond it just being this weird speculative economy that it isn't very good at being a currency right now. Beyond that, people do value the anonymity and the ability to transfer funds across borders without paying taxes.
Eric: There's no governing authority really.
Joe: There is by design.
Joe: The government. The governing authority are a bunch of people who own the currency and would have to vote for it to be changed.
Eric: I'm saying till it's changed, part of the design is that distributed nature.
Joe: Yes, and until they are specifically changed, but the United States might have the ability to do is make it harder for exchanges to trade those currencies, and so that would incentivize them to change them. Or, they could make it harder to have an anonymous account with one of the exchanges, so it would be harder to purchase or cash out those.
Eric: Let's say we find a way with cryptocurrency. What prevents them from just doing an account in the Cayman Islands?
Eric: Wire some money to this unknown account and we'll unlock your gear?
The Other Cash-Out Method of Ransomware Gangs
Joe: I think to an extent it's still more difficult to do. There's more friction involved in that. People have this image of Swiss banks, but I don't think that there's the same level of anonymity within the global banking system there had been in years past.
Joe: Swiss banks are no longer Swiss banks, basically. But the other cash-out methods that criminals have used over the years are things like buying gift cards, and that's very hard to do in multi-million-dollar denominations.
Eric: I go like a $52 here. I would lose them. It's a mess.
Joe: Your $250 million Applebee's gift card.
Eric: Yes. I think you'd lose it. It's almost like losing your Bitcoin.
Joe: There are other ways to try to tamp down a little bit on this. One of the things that have been mentioned and have been required is reporting of cryptocurrency payments so that companies can't do it in secret.
Eric: They're still doing it.
Joe: They'll still do it, but it adds a level of infamy to it, or even just requiring the risk analysis to make sure that they are actually saving money by doing the payout.
Joe: Because in some instances you're not. In many instances, you are, but in some instances you are not. There's a legitimate business case to be made for paying ransomware in many situations, but by requiring people to look into whether there's a decryptor key that's already available or the backups they have, will it be cheaper to restore from that than it will be to go one by one and unlock systems?
[32:13] Speed and Lack of Friction
Joe: Doing that kind of analysis isn't currently part of the process. A lot of times with insurance companies, they go for speed and lack of friction over that kind of consideration. Doing that might reduce the amount of times people pay.
joe: What you need to see is a multi-faceted solution that both attacks the economy of ransomware and creates. You need to see something that works on a geopolitical level, on an individual level, on a business level, and a financial system level. It's not a thing that a single solution will fix.
Eric: Go back to the incentive and the risk and you've got to lower the incentive and increase the risk essentially.
Joe: Or at least that's based on the approaches that I've heard. One of the things that the RTF report, the IST group is very clear on is that we need complementary solutions. Covering a variety of different phases of the attack working in concert with each other. It's not a problem that can be It's not just that there's no silver bullet. I am struggling to come up with a good metaphor.
Eric: There are no silver bullets.
Joe: You need both like a gun and a bayonet. I'm really not doing good with the metaphor. It isn't working well, but the point is that you might need a multi-layered or a multi-faceted approach.
Joe: Even then you will likely see a lot of the people who are involved in these crimes go to other types of crime. In the past, you've seen things like when one aspect of crime has reduced, other aspects of crime increased.
What Ties Businesses to a Railroad Track
joe: You'll see the same thing here, but hopefully not in a way that ties businesses to a railroad track. Hopefully not in a way that risks closing a company.
Eric: I think about the team at Colonial Pipeline. We only know what's publicly available. It seems they did the right thing to protect the business once they were compromised. I think about all of the businesses that don't have the publicity.
Eric: Don't have the support of the President of the United States, of NSA, of CISA, you name it, the Department of Transportation. Sometimes I think about all of those little businesses. The City of Baltimore, we've got to write a check. What do we do, what do you do?
Joe: People tend to believe a common narrative that paying ransom is both risky and a moral failing. Sometimes there are a lot of instances where you can debate the moral failing. There are a lot of instances where it is not risky. It is probably the best business decision a company can make.
Eric: In fact, they talk about the majority of companies pay and the majority of companies get their data back.
Joe: Companies that pay through using a negotiator. Using somebody who knows the player and is able to vet whether this is a company that will vet.
Eric: It's legitimate.
Joe: Yes, but whether they will give you your data, give you the key back.
Eric: A legit hostage negotiator.
Joe: About 98% of the Baker Hostetler clients use one of those. About 99% of them retrieve their data. It works.
Eric: I'm going to tell you to pay me or you lose everything. You say, "Well, okay."
The Mechanism of Entry for Ransomware Gangs
Eric: You pay me and you get it back and I go do it to the next person.
Joe: There are considerations that need to you to consider. If you pay, you encourage other payment, you encourage the crime to continue. You still do need to fix your networks so that no one uses the same mechanism of entry.
Rachael: That's the thing. There was the company that got hit by the same ransomware gang twice. They paid, they got it back, they didn't fix it. The gang like poked around, "Hey, the door's still open." Got them again. They had to pay ransomware twice.
Eric: The door is always open. I can go here, I can go there. You'll always be able to get in.
Joe: The Ransomware Taskforce, the Institute, The Security and Technology Group. One of the things they suggest is coming up with a fund to help restore companies that don't pay. To provide some financial incentive not to pay and make it easier for companies take some of the incentive to immediately pay away
Eric: Take the incentive from the attacker?
Joe: Yes. Or at least it changes the economics of It changes the demand.
Eric: That almost takes the incentive to protect yourself and lowers that incentive. It's like insurance. I'll be okay.
Joe: It might need to be something that would be done in concert with raising regulatory levels. Increasing the regulation bare minimums of cybersecurity. That might be something that needs to be done anyway even without it. It's a whack-a-mole game.
Promoting the Activity of Ransomware Gangs
Joe: Anytime you increase the involvement of either law enforcement or the government in trying to prevent it, you disincentivize people from protecting themselves. Anytime you incentivize people to protect themselves.
Eric: You're promoting the activity.
Joe: It's something that most people believe you need multiple layers of to accomplish.
Eric: It's a hard problem. Joe, you've spoken with people at the policy level. You've spoken to people on the attacking side, on the defending side. Are you hearing a lot of organizations really step up their game in protecting themselves? Or are they just like, "Look, it's whack-a-mole. I'm going to do what I'm going to do and if we get hit, we'll deal with it when it happens?"
Joe: One of the things with businesses is it's a wide and terrifying tapestry of stances toward cybersecurity. When you look at some of small businesses, businesses that are very concerned with growth oftentimes neglect cybersecurity. You don't tend to see a cybersecurity guy in the first five hires of a company. It's not the first concern that you have.
Joe: There are certainly companies that are better situated to handle an attack than others. Companies that are good at evaluating risks will know that this is a risk. It's a fairly substantial risk because it's not just the risk of the ransom that you have to pay.
Joe: It's a risk of the factory floor may be shutting down. Sending your employees home for the day, bad press, potentially having files leaked. Who knows? Even depending on some instances it might be a cover for a different type of attack. Who knows?
[41:08] The Key to Retrieve the Files
Joe: Even though almost everybody received the key to retrieve their files again in that law firm report.
Eric: In the study.
Joe: You don't want to be counting on someone else's ability to code a decryptor when it's your files. You don't want to be in the situation where you're hoping someone else is technologically capable of solving the problem they've created.
Eric: Well, let's take it up a level. If I'm Russia, if I'm a China, some of the great disruptors out there who like the United States to be disrupted. They can do what they want to do, what a great next example here where if I want to, I don't know.
Eric: If I want to do something against my population. I don't want it to be on the front page of the press. I'm going to have the DarkSide boys in my backyard going, "Hit another pipeline next time." Or, I want to invade the Ukraine? Boom. "Hey, DarkSide, go kick this off on May 12th.
Joe: That is essentially what happened with Sandworm, with the NotPetya attack.
Eric: NotPetya, exactly.
Joe: It’s massive It was by some accounts the largest cyber attack in history. It’s disguised, and was put on under the guise of a ransomware attack. It presented as a ransomware attack. That is yet another reason to try to solve the problem.
Joe: If you can eliminate a lot of the actual ransomware, you also make that a less attractive cover. Not that other governments will give up and go home. But you cut down some of the bushes that you could be hiding in.
Eric: Power, oil and gas. There's some critical industries here where the government does end up holding the bag. Maybe Colonial Pipeline did a good job on cybersecurity, maybe they didn't. You know, I certainly don't know. But the government ends up to some extent having to deal with the people who don't have gasoline heating fuel.
Rachael: And all of the hoarding that's happening.
Eric: There are downstream consequences. It'll be interesting to see. Did they pay it? Are they going to pay it? What's the influence they get from the government to pay it or not now that they're on the national stage, international?
Joe: They have said that they could. Some of the issues, at least according to them. Some of the shutdown was precautionary. They try to prevent a problem on their IT networks from converting to their OT networks. So going from their business networks to the principal.
Eric: Well, they're keeping it from spreading
Joe: They're keeping it from spreading.
Eric: That makes sense.
Joe: It's said that if they needed to if they were willing to be risky, they could open the pipelines again. They just don't want to. It's not a test they want to run on the fly.
Eric: Because their IT/OT networks are connected. Their OT networks are connected to the internet, which is horrible. It happens everywhere, but horrible practice.
Joe: It's one of those things. If we lived in a world that all wealthy industrialists also worked in information security, it would probably not work that way. But you see things like the pandemic, where if you need to run a work-from-home operation with your industrial equipment.
Eric: Turn it on.
Some Level of Connectivity Among Ransomware Gangs
Joe: Yes, you can't do that unless you have some level of connectivity. COVID made it almost impossible for most-
Eric: I don't want to get into a sales pitch, but there are technologies out there. DarkSide, on their website on Monday, I'm going to read it here. They didn't directly refer to the Colonial Pipeline, but they had a heading about latest news. They noted, "Their goal is to make money, not create problems for a society."
Eric: Why do you think they didn't just decrypt the ransomware? They let Colonial Pipeline get back to business safely and securely. Is it because there goal is to make money? And they despite "Sorry about that targeting mistake, but we'll at least make money off of it?"
Rachael: Well, yes. They're here to make money. That first and foremost is kind of like, "Oops, sorry about the shutdown.”
Eric: So, "We're on the world stage, sorry about that, but we still want our money."
Rachael: "But if you pay us, we promise we'll give you your stuff back."
Joe: Not too altruistic here, but they did say to avoid social consequences in the future.
Rachael: They would be mindful.
Joe: They're going to do checks on their fellow cybercriminals. That was a great saying. I felt much better going to bed that night. They're nice cybercriminals, the ones that you can bring home.
Eric: They have a heart. They still want the money, though, to turn things back on for poor old Colonial Pipeline.
Joe: Based on what we can see, that does seem to be the case.
Rachael: At this point, you might as well get paid. If it gets all of this attention, you don't want to walk away empty-handed.
A New Name
Joe: You would need a new name. I mean, LightSide.
Rachael: Maybe you could start a Twitter campaign for suggestions and let them know.
Eric: Collect money that way. They could probably make some money on that, too.
Rachael: A GoFundMe for renaming DarkSide.
Eric: Where do we go from here, Joe? We've got policy issues, we've got a lot of options. A lot has to happen, a lot has to come together. Do you see material change after this? Or this is just yet another one of the many ransomware attacks. The many industrial control system attacks that we've seen. We're just going to continue to see more until something bad happens?
Joe: If you watch the government here, if you watch the federal hearings right now, you see a lot of representatives and senators. They’re discussing ransomware attacks on either local businesses or even more frequently on local governments. It's clear that the status quo can't be maintained.
Eric: The number of attacks are going up, so the problem is growing. At some point, we have to do something.
Joe: Right now, it does seem like there's an appreciation that that is a problem. The other issue right now that they are working on is also supply chains. In the past, there have been some problems with Congress working on two cybersecurity issues at the same time.
Joe: But part of that has always been that their expertise and exposure. We might be at a point right now where it's reasonable to expect some kind of action at some point on it.
[48:57] Some Kind of Action From Ransomware Gangs
Eric: When you say some kind of action, are you talking material? Or Cyber Command may do something to make a statement?
Joe: Before all of this, before the pipeline attack. I already heard some rumbling about Cyber Command becoming more involved in these kinds of criminal enterprises. And ransomware enterprises that might be of danger to the national security.
Rachael: Like more offensive strategies type of thing?
Joe: Because that's military. Well, there are ransomware gangs that have some ties to the Russian government. Obviously, North Korea has had their hand in ransomware before. There's been talk that they might do more with let's call them the private sector, but privatized ransomware.
Joe: But at the same time, you get the sense in Congress that they see the economic harm that can be caused. they see the government harm that can be caused. Every one of these instances brings that back.
Joe: From the discussions I've seen, there doesn't seem to be a singular idea that they're coalescing around. One of the reasons that I keep bringing up The Ransomware Taskforce Report, they have praised that. A number of the people from the report were called into a hearing last week.
Joe: Sorry, one of the effects of COVID is I have no sense of time anymore. They've received good press from that. It was a report that was done in conjunction with several government agencies within the United States and abroad. But it seems like there's an appreciation that this isn't a theoretical problem right now. That's almost always the start of something better.
Joe: In the past, certainly after Equifax. We didn't see the massive changes that people expected after the Russian attack on the elections. So who knows? There's reason to be optimistic from a policy standpoint, at least.
Joe: There's even more reason to be optimistic. Businesses understand that there's a problem but they might want to stop standpoint. Hopefully, between the two of them, between all of that, there's a good solution that comes out of it.
Eric: We certainly need to do something. We're trending in the wrong direction. Joe, once again, your Colonial Pipeline attack up on scmagazine.com on the 10th of May. It really had some thought-provoking ideas in there. Some of the people you interviewed, the way you wrote it, I do appreciate it. I wish there were a better answer here.
Rachael: My favorite quote was, "Would the mafia ever put out a news release?"
Joe: I believe that was Jim Lewis from CISA. But his point is ransomware gangs are very comfortable. They will not be in any real jeopardy while they are still within Russia.
Eric: It's not like the FBI can just go after organized crime in New York or New Jersey or whatever. They're not in New York or New Jersey.
Joe: It's not like it was a crime group out of England where we could ask for help. If you look into it, there’s been a surprising amount of people who have been arrested going on vacation, more than you’d think.
Joe: Probably not enough that it would... It doesn't seem immediately like there's been obviously. It's a crime that's been growing and it doesn't affect everyone. The arrests have not stopped everything and there needs to be more done, but I don't want to-
Getting the Tourism Industry Involved in Ransomware Gangs
Rachael: We need to get the tourism industry involved here is what you're saying.
Joe: Yes, we need to. If you can call the Seychelles, and I believe Mallorca is another place which they've had some arrests.
Rachael: Carnival Cruise Lines.
Joe: You get big bargains.
Eric: They should run special programs. Any computer IT personnel, really skilled at malicious whatever, 20% off next month.
Joe: The combination capture the flag airline ticket promotion, and that was all Francis. I think we've solved it.
Rachael: That's it right there.
Eric: That's the answer. I'm worried that the next one has second- or third-order consequences that are a lot worse than what we're even seeing here. I hope you're right. I'm not sure it's quite on target, but you're close. We definitely need to do something. It's time for the government to step up and help out.
Rachael: Final question. Optimism for the cyber path ahead?
Joe: Do I have it? Yes. There are so many ways that things have gotten better since I started covering this. It's hard not to be optimistic. There are a lot of ways that things have gotten worse. When I started covering cybersecurity, if I didn't show up, no one would notice. That's not really an option now.
Eric: It's so critical to our lives. It's embedded in every facet of our livelihood.
Joe: There was a time when everything we were writing about was like, "This is a thing that could happen soon." We've reached that soon. Everything that we were writing about as an option is now happening.
Things Have Gotten Better
Joe: We're reaching the point where things that we weren't considering happening are happening. That might have been 2016 when that started. To me, it's things have gotten better even as things have gotten worse. But the things that have gotten better are things like awareness. There is a problem and the desire to spend money to fix it. Those are kind of things that seem like a good foundation. Worse case scenario, I'll still have a job in 15 years.
Eric: Yes, that's not a great situation, no offense. For all of us to be unemployed and employed in a different industry.
Joe: My very employment is a sign of failure. Here's to hoping that I'll be unemployed. Yes. No, it's a problem that will obviously always be there. But it's no longer just a problem that you see. It's not the kind of thing that is only in science fiction movies right now.
Acknowledging the Problem
Eric: They're only with the experts who are trying to get some acknowledgment that this is a problem. When we're hitting the gas when we're hitting shipping with NotPetya and the like. The banking ability in Ukraine, the common person is talking about it. They definitely know. You see it in very common publications even. Yes, big problem.
Rachael: We'll figure it out.
Joe: I'm hoping we do.
Rachael: I think we just need one more podcast, the three of us, and then we'll have it.
Eric: You think that's it?
Joe: We've got ransomware, so we just need to do what, denial of services and people defacing websites, and we're done.
Eric: Yes, nation-state attacks, and we've got a few others out there. Joe Uchill, thank you so much for spending time with us.
Rachael: To all of our listeners out there, be sure to smash that Subscribe button. You get a fresh episode every week delivered right to your inbox. Until next time, stay safe out there, everybody.
About Our Guest
I’m Joe Uchill. I’m a long-time cybersecurity reporter who has written for places like Axios and Motherboard. I founded Axios’ Codebook cybersecurity newsletter and also wrote cybersecurity newsletters for The Hill and Christian Science Monitor. Newsletters are something of a specialty.
In my spare time, I work on coding projects to bolster journalism. I ran a Washington D.C. area group of hackers, analysts and reporters who collaborated on that until COVID-19 put an end to in-person meetings.
Listen and subscribe on your favorite platform