Digital extortion attempts are returning to their pre-Colonial Pipeline levels, according to data and interviews with some incident responders, suggesting that the upheaval around the hack that paralyzed a major U.S. fuel conduit has yet to curb cybercriminals’ appetite for ransoms.
Ransomware incidents are usually shrouded in secrecy, with victim companies and criminals alike eager to prevent the eye-watering extortion payments from becoming public. But indirect data suggests that the global publicity around the hack of Colonial Pipeline (COLPI.UL), which paralyzed the company for nearly a week and led to fuel shortages on the U.S. East Coast, did little or nothing to puncture the thriving industry.
There was a dip in the number of companies whose data was uploaded to ransomware operators’ name-and-shame sites in the days following the Colonial intrusion, said Allan Liska, a researcher with cybersecurity firm Recorded Future.
But the sites, which the hackers use to pressure their victims into paying up by leaking reams of sensitive data, are now “back to normal,” he said, with 10-15 victims posted daily.
Data privately tracked by ID Ransomware – a ransomware identification site run by Emsisoft researcher Michael Gillespie – shows that submissions of extortion software dropped sharply in the days following news of the Colonial hack, only to rise higher than before.
Gillespie’s colleague Brett Callow said that one possible explanation for the dip is that some hackers put their operations on pause amid the pipeline chaos and are now clearing the backlog.
“I think the groups got back to business as usual,” Callow said.
Another possible explanation is that there was a period of confusion as underground forums banned the advertisement of ransomware partnerships, said David Nides of consultancy KPMG.
“The threat actors quickly adjusted,” he said.
Other analysts saw no change whatsoever.
“We didn’t really notice any uptick or downtick,” said Mark Manglicmot of cybersecurity firm Arctic Wolf.
Some ransomware operators, including DarkSide, the group blamed for the intrusion at Colonial, have either disappeared from the web or announced new restrictions, statements that have been met with skepticism from experts.
Manglicmot said he too doubted the disappearances had any real impact.
“There’s a big enough market for it that if one provider goes down there are others they can go to pretty quickly,” he said. “The attackers remain undeterred by the publicity.”
That may in part be due to the extraordinary amounts of money involved. In a blog post published on Tuesday, digital currency-tracking firm Elliptic said that DarkSide had extracted $90 million worth of bitcoin in ransoms from 47 victims.
Whether Colonial itself paid a ransom has not yet been publicly disclosed. Last week Reuters and other media reported that Colonial was not planning to pay a ransom. But Bloomberg and some other news outlets later reported it had paid nearly $5 million. The reporting was corroborated by Elliptic, which said it had identified the payment itself on the publicly visible ledger of bitcoin transactions.
Repeated attempts by Reuters to reach the hackers have been unsuccessful and Colonial itself has declined comment on whether it paid.
U.S. Representatives Carolyn Maloney and Bennie Thompson, the chairs of the House Committees on Oversight and Reform and Homeland Security respectively, said on Tuesday they were disappointed by Colonial’s refusal to discuss the reported ransom.
“In order for Congress to legislate effectively on ransomware, we need this information,” the pair said in a joint statement.