… it is time we recognize that the cyberthreat landscape has reached a point-of-no-return that humans alone cannot defend against.
In 1988, a Harvard graduate began an experiment to see how many computers were connected to the Internet. 24 hours later, 10% of all computers around the world had been taken down and fiscal damages had soared into the millions. Robert Tappan Morris had inadvertently created the first ever computer worm.
Fast forward to the present day, and we are facing the most recent examples of ‘cyber-threat miscalculations’: a situation where hackers simply did not understand or intend the full impact their attack would have.
The DarkSide ransomware group most likely only intended to hit the IT system and corporate business operations of Colonial Pipeline and underestimated the full impact of the attack. The consequences were disastrous, halting the supply of fuel across the East Coast, leading to gas shortages, hoarding, and spikes in gasoline prices around the world.
In an apparent show of social responsibility, the DarkSide group issued a seemingly heartfelt apology for the attack on social media:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
As a result of the blowback and possible direct actions against them and their operating infrastructure, in less than a week, DarkSide announced that they would close their operations for good. They could however resurface under a different name, or join another group, if allowed in.
The aftermath of the attack had affected not only Colonial Pipeline but the DarkSide group themselves. They fell into the direct firing line of the full force of the US government, as well as becoming pariahs among other criminal groups for the attention they have drawn. It also appears they lost whatever formal or informal state supervision or protection they may have held.
Misjudging the impact and collateral damage of a cyberattack can lead to a range of unintended ramifications, from increased heat from law enforcement to unintended escalations of nation state conflicts. It is for this reason that many ransomware groups historically have tended to keep their affairs under the radar.
Over 70% of ransomware attacks target small- and medium- sized enterprises, and many cybercrime groups have pledged to avoid larger bodies like hospitals and critical infrastructure. Unfortunately, the allure of fast payouts for record-breaking ransoms has led to the healthcare sector, even vaccination efforts, being a heavy target for ransomware actors.
This eventually led to a major Ransomware-as-a-Service (RaaS) group, REvil, announcing the following policy:
- Work in the social sector (health care, educational institutions) is prohibited
- It is forbidden to work on the gov-sector (state) of any country.
When a cyberattack gets out of control
Organized cybercrime groups often stress that they are apolitical and motivated solely by financial gain. However, thanks to today’s extensive and interconnected digital systems, attacks can easily boil-over into geopolitical tensions, encouraging governments to issue executive orders and pushing cyberthreats into the headlines—all of which can be bad business for criminal groups.
And if threat actors get in over their heads, they either need to lay low and rebrand in what is known as an ‘exit scam’, as ransomware groups such as Maze and Jokeroo have done in the past. Or they decide to shut down completely, as seen in the disruption of the Emotet botnet at the beginning of this year.
Increasingly, the effects of a cyberattack are becoming difficult to predict and control. The reason for this is two-fold. First, the world is so interconnected that an attack on one server can have global consequences. Second, easier access to more sophisticated and commercialized tools has enabled less- advanced actors to launch campaigns with speed and with ease.
In fact, the Colonial Pipeline attack was likely orchestrated by someone who had bought the DarkSide malware as a turnkey solution. This makes it far more challenging to monitor who is being targeted. When it comes to RaaS, even the developers probably do not know for certain how their malware will be used.
Given that inexperienced attackers seldom have ground intelligence about the target environment when planning their campaign, the intention to impact a single component of a bank, for example, may escalate into a nearby hospital on the same electrical grid being affected. The same goes for any low-skilled attacker with little regard or understanding of what a high-powered hacking tool can do: miscalculations become alarmingly easy.
Using AI to contain miscalculated intentions
As far as we know, the DarkSide group itself was not a state-sponsored advanced persistent threat, but merely a private criminal franchise.
Yet they advertised their ransomware as the fastest in the world and managed to pull off one of the most disruptive critical infrastructure cyberattacks of all time.
As history has shown, when malware is fast and designed to propagate, it becomes unpredictable and nearly impossible to be put back into the Pandora’s box.
As more cybercriminals and malicious actors take advantage of automation and AI for their attacks, the threat landscape is set to increase exponentially: ransomware is no longer a human-scalable problem.
No matter how many IT teams are upskilled and assigned to defend the network, machine-speed attacks will need a machine-speed response that can adapt as fast as an attack propagates. With the US government throwing its weight on the problem, ransomware is now both a board-level issue and a national security concern.
As such, self-learning AI technology will prove critical in tackling the unpredictability and speed of threats now and in the future.