The Rise of RAAS

Last week the reality of the cyberwar we’re in hit home for many with the shut down of a major oil pipeline in the southeast US by an attack from a ransomware variant called DarkSide. This isn’t the first time a cyberattack has caused economic disruption, and the bad news is, it’s not going to be the last. In this particular instance, the company paid the $5MM ransom and they’re in the process of restoring full functionality. The dirty little secret here is it’s almost impossible to be certain the hackers didn’t leave themselves backdoor access, meaning the threat it will happen again will remain. Right now the best way to clean up after a ransomware attack is a full wipe of all systems, a move many companies and government agencies cannot entertain.Oil Refinery Cyberattack Ransomware

An interesting twist to this story is the culprits behind this attack immediately published a statement saying they have no desire to be political or to cause this kind of disruption, they’re only in it for the money. As of now, they’re on the run after their servers and their bitcoin wallets were seized (as of this writing who conducted the raid is unknown). The problem is they really weren’t the direct culprits, rather, they supplied the tools for other miscreants to conduct the attack, for a percentage of the loot. Known as Ransomware as a Service (RAAS), this distribution model provides for rapid expansion and reduced risk to the hosts. What it also means is anyone with intent and a computer can launch a ransomware attack like the pipeline shutdown or worse. Employers beware – your disgruntled ex-employees are an Achilles heel. 

For those who have followed our past reminders, it may be interesting to know the group behind DarkSide has also been tied to REvil and Gandcrab, meaning they’re likely all one and the same, all originating from Russia or Ukraine, and all protected by those governments. And that leads us to another twist.

It turns out, the leading ransomware criminals, at least those originating out of the former east block, don’t attack their home turf. Meaning before their ransomware is deployed, it checks to see what language is running on the prospective device. If it’s running any number of Russian languages (also including Syria), it won’t deploy. This appears to be the detente these criminals have with their governments that has allowed them to continue their crime spree. 

That leads us to an interesting trick that may presently be one of the best ransomware deterrents we have – installing an additional language on your machine may prevent a ransomware malware program from being installed, and thereby thwart the attack. In fact, Lance James of Unit221B has developed a Windows batch script to automate the registry edits ransomware malware is currently looking for. Here’s a link to the script – GitHub – Unit221B/Russian: Russian Keyboard Registry Script. Please share this with your IT professionals, we don’t recommend making registry edits on your own. It’s sort of a running with scissors thing. Thanks to Brian Krebs for bringing this short-term patch to light. 

We’re going to continue to face these challenges for some time to come. The pipeline attack showed us all how serious the problem is. The truth is there is no silver bullet, but there is one thing you and your staff can do – train on cybersecurity continuously. 

Call us for your training needs and your HIPAA compliance requirements.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.