More on Colonial Pipeline Ransomware

Yesterday, I predicted that slugging taxpayers in the wallet would inspire some action against cybercrime. I may have been right.

First, Bloomberg reported that the ransom had been paid, but that the decryption tool, bought with a nearly $5 million ransom, was slower than restoring the systems from backups. Score one for Colonial Pipeline’s competent IT department, and rotten tomatoes to the management team that decided to knuckle under.

I should note that I could not find other sources confirming Bloomberg’s statement that the backups were faster. Bloomberg has argued that paying ransomware pirates is bad policy. I agree.

Paying ransoms encourages criminals to go back for more. Recovering from backups is often cheaper and more effective.

Think about this: after the ransom is paid, what incentive does a hacker have to develop a quick and efficient tool to reverse the damage? I expect hacking shops have a quality assurance program as good as any development shop’s for the shutdown side of the business, but I’ll also bet that untested code straight from a developer’s desk is considered good enough for the recovery tool. That buggy recovery tool is what the ransom pays for. It doesn’t sound like a good deal to me.

Solid basic IT administration is based on disaster preparedness. A well-prepared IT department that encourages good security practices, like strong passwords and phishing awareness, is stronger enterprise protection than funds set aside to pay ransoms.
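Disaster preparedness is only as good as the last time someone tested it. The script below is an added example, not code from the original post or from Colonial Pipeline: a minimal restore drill in Python. It writes a constructed backup set with a SHA-256 manifest (a hypothetical layout chosen for the example), then checks that every listed file is present, unmodified and recent enough to be worth restoring. The two failure modes it simulates are the ones that actually defeat the "just restore from backups" plan: a backup share that was reachable from the compromised network and got encrypted along with everything else, and a backup nobody has refreshed in weeks.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

BLOCK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(root: Path, files: Dict[str, bytes]) -> Path:
    """Write the given files under root plus a manifest.json of their SHA-256 digests.
    This manifest layout is a hypothetical one chosen for the example."""
    root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[rel] = sha256_of(p)
    mpath = root / "manifest.json"
    mpath.write_text(json.dumps(manifest, sort_keys=True))
    return mpath


def verify_backup(root: Path, max_age_seconds: float, now: Optional[float] = None) -> Dict[str, object]:
    """Restore drill: the manifest must exist and be fresh, and every listed file
    must be present with a matching digest. Returns {'ok': bool, 'problems': [...]}."""
    now = time.time() if now is None else now
    problems: List[str] = []
    mpath = root / "manifest.json"
    if not mpath.exists():
        return {"ok": False, "problems": ["manifest missing"]}
    age = now - mpath.stat().st_mtime
    if age > max_age_seconds:
        problems.append(f"backup stale: {age / 86400:.1f} days old")
    manifest = json.loads(mpath.read_text())
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return {"ok": not problems, "problems": problems}


def run_drill() -> Dict[str, Dict[str, object]]:
    """Build a constructed backup set, verify it, then simulate two failure modes:
    a backup the ransomware could reach and encrypt, and a backup that is too old."""
    files = {  # constructed sample data, not real Colonial Pipeline files
        "scada/config.ini": b"[plc]\nhost=10.0.0.5\n",
        "billing/ledger.csv": b"date,gallons,amount\n2021-05-06,1000,2500\n",
    }
    week = 7 * 86400
    reports = {}

    clean_root = Path(tempfile.mkdtemp())
    write_backup(clean_root, files)
    reports["clean"] = verify_backup(clean_root, max_age_seconds=week)

    # Failure mode 1: the backup share was writable from the network, so the
    # ransomware encrypted a backup file in place (zero bytes stand in for ciphertext).
    enc_root = Path(tempfile.mkdtemp())
    write_backup(enc_root, files)
    (enc_root / "billing/ledger.csv").write_bytes(b"\x00" * 40)
    reports["encrypted"] = verify_backup(enc_root, max_age_seconds=week)

    # Failure mode 2: integrity is fine, but the last backup ran 40 days ago.
    stale_root = Path(tempfile.mkdtemp())
    mpath = write_backup(stale_root, files)
    reports["stale"] = verify_backup(stale_root, max_age_seconds=week,
                                     now=mpath.stat().st_mtime + 40 * 86400)
    return reports


if __name__ == "__main__":
    for name, report in run_drill().items():
        print(name, "OK" if report["ok"] else "FAIL", report["problems"])
```

Running it prints one line per scenario: the clean set passes, the encrypted set fails on a hash mismatch, and the stale set fails on age. In practice the drill belongs on a copy the production network cannot write to (offline or immutable storage); a backup that the same credentials can overwrite is exactly the one the ransomware gets to first.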

The news I found most interesting came from Brian Krebs (no relation to Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency). Krebs was not the only source of the information, but he gathered up the reports from several sources.

Apparently DarkSide, the outfit behind the Colonial hack, has shut down. The story is still a bit confused, but it starts with DarkSide posting on their dark web site that they will be nicer in the future. Right. Not long after, their bitcoin account was emptied and several of their servers were taken down, effectively putting them out of business.

Who shut DarkSide down is not clear. They may have done it themselves out of fear of government reprisals. Or the shutdown may have been a government reprisal. If it was a reprisal, previously unknown techniques were used.

We will have to wait to find out. However, I note this line in President Biden’s remarks on the incident on Thursday, May 13, 2021: “We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

If the shutdown of DarkSide was in fact the result of U.S. Department of Justice actions, we are finally seeing a serious federal response to cybercrime.
