OPINION - Ransomware Groups Unlikely To Attack Critical Infrastructure After Colonial Pipeline

(@FahadShabbir)



MOSCOW (UrduPoint News / Sputnik - 18th May, 2021) Hacking groups using ransomware to extort money from commercial companies are unlikely to target critical infrastructure like the Colonial Pipeline in the future, after the devastating social disruptions the attack on the key US pipeline caused last week, an expert specializing in tracing such groups told Sputnik.

A ransomware group known as DarkSide was identified by the Federal Bureau of Investigation as the culprit behind last week's hacking attack on the Colonial Pipeline. The company was forced to shut down the pipeline in response to the attack, which triggered major gas shortages in a number of US states along the country's southeastern coast.

One week before the attack on the Colonial Pipeline, another ransomware group known as Babuk said it had stolen 250 gigabytes of data from the Washington DC police department and demanded as much as $4 million in ransom payment.

According to research from DarkTracer, a Darkweb criminal intelligence profiling and investigation platform, ransomware groups like DarkSide began leaking internal data from victim companies on the Darkweb as early as May 2019.

The latest attacks by DarkSide and Babuk were just the most recent high-profile cases to make news headlines, because of the massive social impact of those attacks.

However, since those ransomware groups are profit driven, the media attention and the serious social consequences of the recent attacks may dissuade such groups from targeting similar critical infrastructure in the future, a member of the DarkTracer team, who only wished to be identified as "Director Hu" due to the sensitive nature of the issue, told Sputnik.

"We believe that general criminals like ransomware groups, including DarkSide, would be unwilling to attempt such big attacks that are large enough to paralyze critical infrastructure. We are expecting that attacks on infrastructure by small-to-medium ransomware groups will decrease due to the social pressure," Hu said.

After the Colonial Pipeline attack grabbed news headlines around the world, the DarkSide group issued a statement on its website stressing that the group was not interested in geopolitics or causing major social disruptions.

"We are apolitical, we do not participate in geopolitics, there is no need to tie us with a defined government and look for our other motives. Our goal is to make money, not to create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," the statement said.

Nevertheless, state-backed hackers would still be willing to attack critical infrastructure and lead a target nation to a standstill, Hu added.

The DarkSide group's website went offline last week, after the reported $5 million payout. According to an internet security researcher identified as Russian OSINT, the group lost access to its blog, payment server and DOS servers after the attack on the Colonial Pipeline.

In order to quickly resume its operations and halt the gas shortage, the Colonial Pipeline Company reportedly paid the DarkSide group $5 million in ransom payment.

Hu suggested that such a high payout could encourage more ransomware groups to become more active.

According to the data compiled by DarkTracer, a total of 34 ransomware groups have stolen data from 2187 victim organizations since May 2019.

"Currently, 2 of the 34 ransomware groups have been seized by law enforcement, while 4 of the 34 have retired and ceased activities on their own," Hu said.

According to Hu, April was the most active month for ransomware groups, with ransom activity increasing significantly in some groups and several new groups appearing.

The most active group in April was a group known as Avaddon, which had attacked 132 victim companies.

Ransomware groups usually run a website on the Darkweb with a domain name ending in .onion, an anonymous service that is only reachable through the Tor network maintained by the Tor Project.