Recent ransomware attacks against U.S. critical infrastructure, including the energy sector’s production of oil and natural gas and other sources of electricity and power, have put a spotlight on the importance of staying current on sector-specific techniques, tactics and procedures (“TTPs”), as well as on preventative and remediation actions.
This Client Alert will: (1) provide a brief background on the nature and risks of ransomware on critical infrastructure; (2) discuss the current ransomware threat landscape; (3) note legal considerations companies should take into account when determining how to respond to ransomware attacks; (4) discuss recent calls for cybersecurity oversight; (5) provide an overview of recent public ransomware incidents; and (6) set forth potential steps companies can take to mitigate the risks of ransomware.
RANSOMWARE IMPACT ON CRITICAL INFRASTRUCTURE
Ransomware is defined by the U.S. National Institute of Standards and Technology (“NIST”) as a “type of malware that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” The ransom is often demanded in cryptocurrency, or through other blockchain-based payment methods, because these provide anonymity to the recipient of the payment.
Ransomware attacks directed against critical infrastructure systems are relatively rare, but their impact could be significant. If a skilled threat actor gained access to the control network, it could then upload exploits and/or entirely new firmware, which could allow the attacker to cause physical damage to components of the infrastructure at will. In other words, the threat actor could potentially take complete control of an entire system or device.
Another strategy used by ransomware threat actors is to threaten to “brick”—destroy beyond repair—the software and hardware that control the infrastructure, in addition to corrupting the data stored on the system with malicious encryption. This is similar to the 2015 attack on the Ukrainian power grid, in which the threat actors corrupted the firmware of devices controlling various power substations.[1] Where control components are “bricked,” the victim must physically replace each bricked component.
The Federal Bureau of Investigation (“FBI”) has identified several key threat actor collectives emerging from the recent attacks, including a malware variant attributed to Darkside.[2] The Darkside developers, Carbon Spider, operate as a Ransomware-as-a-Corporation (“RaaC”)[3] provider, thought to be located in Eastern Europe.[4] The FBI also notes that the malware developers encourage Darkside actors to demand payment in Monero cryptocurrency, because it uses privacy-enhancing technologies that give users greater anonymity than more traditional cryptocurrencies.[5] The Darkside TTPs, and those of similarly sophisticated collectives such as Viking Spider, Graceful Spider and Pioneer Kitten, have been identified as early as December 2019, with at least 16 new collectives and their malware emerging in 2020.[6]
Darkside-related ransomware variants have been in the threat landscape since at least September 2020. This variant is typical of those used by many ransomware collectives today, but it also shows some innovations, namely the use of custom-built executables for each target. The Darkside group follows the RaaC paradigm and thus strives to appear professional, offering press releases and corporate language in its communications and executables. Like many modern ransomware collectives, Darkside does not only seek to deny a company access to its own data: it often also attempts to exfiltrate personally identifiable information and other data on finances, business partners and operations, and posts that data on its dark web “leak site” if its ransom demands are not met. The Darkside group is…