THREAD: The story of the last few weeks in business has been the ransomwear attack that took down the Colonial Pipeline.
On ransomwear-as-a-service, DarkSide, and what happens when publicity becomes really bad for business:
On ransomwear-as-a-service, DarkSide, and what happens when publicity becomes really bad for business:
1/ First, a few definitions...
What is ransomwear?
Ransomware is a type of malware - a software designed to cause harm to a computer, server, or network.
Ransomwear is used to encrypt the files on your system and hold it “hostage” until the demanded ransom is paid.
What is ransomwear?
Ransomware is a type of malware - a software designed to cause harm to a computer, server, or network.
Ransomwear is used to encrypt the files on your system and hold it “hostage” until the demanded ransom is paid.
2/ Ransomwear is not new, but ransomwear attacks are most definitely on the rise.
With the world increasingly moving online, the cyber-attackers have experienced a windfall.
Both the frequency of attacks and the size of the average ransom payments have increased dramatically.
With the world increasingly moving online, the cyber-attackers have experienced a windfall.
Both the frequency of attacks and the size of the average ransom payments have increased dramatically.
3/ The way a ransomwear attack works is really quite simple (even if the underlying technology is complicated).
A would-be attacker scans for vulnerable companies.
They often look for dated systems or weak infrastructure - like an animal looking for injured prey.
A would-be attacker scans for vulnerable companies.
They often look for dated systems or weak infrastructure - like an animal looking for injured prey.
4/ When a target is acquired, the cyber-attacker looks for an entry point.
This could be using a phishing scam or other method to gain access to the network or company data and servers.
Once inside, the cyber-attacker launches a program that encrypts all of the company’s data.
This could be using a phishing scam or other method to gain access to the network or company data and servers.
Once inside, the cyber-attacker launches a program that encrypts all of the company’s data.
5/ Once encrypted, the data and systems become completely unusable without a decryption key.
The company is immobilized.
While this sounds complex, given the range of cybersecurity sophistication at companies, hackers say breaching some companies is “so easy a kid could do it.”
The company is immobilized.
While this sounds complex, given the range of cybersecurity sophistication at companies, hackers say breaching some companies is “so easy a kid could do it.”
6/ After the encryption is complete, the ransom negotiation begins.
The cyber-attackers reach out to the company, offering to provide a decryption key that will return access to the hostage data.
In exchange, the company has to pay a ransom (usually in the form of Bitcoin).
The cyber-attackers reach out to the company, offering to provide a decryption key that will return access to the hostage data.
In exchange, the company has to pay a ransom (usually in the form of Bitcoin).
7/ If ransom isn’t paid, the data may continue to be held (leaving the company immobilized) or sensitive data (credit cards, health records, etc.) may be leaked.
Generally speaking, the company negotiates and pays the ransom, with its cyber insurance footing the bill.
Generally speaking, the company negotiates and pays the ransom, with its cyber insurance footing the bill.
8/ The ransomwear market has operated in the shadows for a long time...until recently.
The story of a high profile attack on the Colonial Pipeline - and the fascinating “ransomwear-as-a-service” entity that enabled it - has shined a light on the industry.
Let’s dive in...
The story of a high profile attack on the Colonial Pipeline - and the fascinating “ransomwear-as-a-service” entity that enabled it - has shined a light on the industry.
Let’s dive in...
9/ Colonial Pipeline is the largest gas pipeline in the U.S.
On May 7, it announced it had been hit by a ransomwear attack and had shut down operations.
This ransomwear attack was different.
It wasn’t an attack on a medium-sized business.
It was much, much bigger than that.
On May 7, it announced it had been hit by a ransomwear attack and had shut down operations.
This ransomwear attack was different.
It wasn’t an attack on a medium-sized business.
It was much, much bigger than that.
10/ With the pipeline out of commission, gas prices spiked, impacting millions and drawing the immediate, full attention of the press (and the FBI).
Suddenly, ransomwear attacks were in the spotlight.
And the services group enabling the attacks - DarkSide - was at center stage.
Suddenly, ransomwear attacks were in the spotlight.
And the services group enabling the attacks - DarkSide - was at center stage.
11/ DarkSide is a so-called “ransomwear-as-a-service” company.
It doesn’t engage in the actual cyberattacks.
Instead, it provides a suite of tools and services that enable would-be cyber-attackers to conduct their business.
It doesn’t engage in the actual cyberattacks.
Instead, it provides a suite of tools and services that enable would-be cyber-attackers to conduct their business.
12/ DarkSide provides the malware that encrypts the data, but also much more.
A communication service - making calls to the victim companies for negotiations.
A hosting site for stolen data.
Customer service.
It can even sell inside info to stock traders for extra profit.
A communication service - making calls to the victim companies for negotiations.
A hosting site for stolen data.
Customer service.
It can even sell inside info to stock traders for extra profit.
13/ Think of DarkSide as a cloud services provider for the modern ransomwear era.
It appears to be the market leader in providing such services!
And it has an impressive economic model: DarkSide takes a 10-25% cut of the proceeds from the ransom payment.
It appears to be the market leader in providing such services!
And it has an impressive economic model: DarkSide takes a 10-25% cut of the proceeds from the ransom payment.
14/ Normally, startups with strong market traction love publicity.
It helps with new customer acquisition and growth!
But the difference here is that when you are a ransomwear-as-a-service market leader, publicity can be really, really bad for business.
It helps with new customer acquisition and growth!
But the difference here is that when you are a ransomwear-as-a-service market leader, publicity can be really, really bad for business.
15/ With the authorities now focused on them, DarkSide issued a statement:
“Our goal is to make money and not create problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
“Our goal is to make money and not create problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
16/ DarkSide learned the hard way what banks learned long ago: you have to know your customer!
The Colonial Pipeline shutdown lasted about a week.
Operations were restored after a rumored ransom payment of ~$5m (75-100 BTC).
DarkSide’s cut was hefty - but it came at a cost.
The Colonial Pipeline shutdown lasted about a week.
Operations were restored after a rumored ransom payment of ~$5m (75-100 BTC).
DarkSide’s cut was hefty - but it came at a cost.
17/ In the months to come, with the spotlight shined on the sophistication of the ransomwear market - as well as the devastating nature of the attacks - companies will step up their cybersecurity infrastructure to defend themselves.
This may be bad for ransomwear profits...
This may be bad for ransomwear profits...
18/ So is this just a classic market cycle?
The ransomwear market had predictable, large profits.
This led to a rush of activity to exploit them.
Now the market gets squeezed, making it less attractive to do ransomwear attacks.
Free markets at work...?
The ransomwear market had predictable, large profits.
This led to a rush of activity to exploit them.
Now the market gets squeezed, making it less attractive to do ransomwear attacks.
Free markets at work...?
19/ That is the story of DarkSide, the Colonial Pipeline hack, and the fascinating ransomwear-as-a-service business model.
For more, check out the below resources:
bloomberg.com/news/articles/…
bloomberg.com/news/articles/…
For more, check out the below resources:
bloomberg.com/news/articles/…
bloomberg.com/news/articles/…
20/ Follow me for more threads demystifying the world of business and finance. You can find all of my threads in the meta-thread below.
https://twitter.com/SahilBloom/status/1284583099775324161
21/ And subscribe to my newsletter, to receive my threads, audio versions, and other weekly curated content directly to your inbox! sahilbloom.substack.com
Please insert *ransomware* in place of ransomwear.
Cannot wait for Twitter Blue...
Cannot wait for Twitter Blue...
• • •
Missing some Tweet in this thread? You can try to
force a refresh
