White House deputy national security adviser Anne Neuberger said Wednesday that the Biden administration thinks recent comments by a representative of a ransomware gang linked to the May attack on the Colonial Pipeline could amount to a “commitment” the group would not target critical infrastructure or other sensitive industries.
Neuberger suggested the pledge by ransomware group BlackMatter, coupled with recent comments by Russian officials following President Joe Biden’s summit with President Vladimir Putin in June, was evidence the administration’s warnings about disruptive ransomware activity against US critical infrastructure are being heard.
“We think we’re seeing a commitment, and we will look to see the actions that follow on that commitment,” she told the Aspen Security Forum when asked about an interview posted by cybersecurity firm Recorded Future late last month in which an individual representing BlackMatter said critical infrastructure was among the few areas the group considers off limits.
Neuberger’s comments, referring to cybercriminals who try to extort millions of dollars in ransom payments from their victims, raised eyebrows among experts who track the groups.
“Certain ransomware groups pinky-promised not to attack healthcare providers during the pandemic but, unsurprisingly, they didn’t adhere to that,” said Brett Callow, a threat analyst at Emsisoft. “There’s absolutely no reason to believe that untrustworthy bad faith actors will stick to their word or that they can even necessarily control their affiliates. The fact that a single group has said it will avoid attacks on critical infrastructure is neither a good sign nor a bad one. It’s a meaningless nothing-burger.”
In May, a criminal group called DarkSide, believed to operate out of Russia, attacked the Colonial Pipeline. Colonial shut down its operations after the attack, leading to gas shortages and long lines at gas stations along the East Coast and in the southeastern US. Colonial paid a ransom of $4.4 million in bitcoin to DarkSide, more than $2 million of which was later recovered in an FBI operation. DarkSide said it was shutting down because its infrastructure was attacked and because of pressure from the US.
Three months later, researchers believe the DarkSide attackers are back, under the new banner of BlackMatter. The blockchain analysis group Chainalysis reported Tuesday that it found financial links between the two groups, and others have found technical features identical to those DarkSide used.
Analysts at information security blog BleepingComputer have also reported BlackMatter has already targeted multiple victims demanding ransom payments of $3 million to $4 million.
BlackMatter has denied that it is a reincarnated DarkSide, but Allan Liska, a threat researcher with Recorded Future, says the financial and technical connections between the two groups make that denial hard to believe.
“In this case there are a number of technical similarities between the DarkSide ransomware and DarkMatter, including the libraries they call, the encryption algorithms used and the layout and design of both ransomware extortion sites,” Liska said.
“And of course,” Liska added, “ransomware groups are known to be lying bastards.”
In BlackMatter’s interview with Recorded Future, the group’s representative said: “We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us.”
On Wednesday, Neuberger did not directly address the question of whether BlackMatter is simply a revival of DarkSide, but struck a cautiously optimistic tone, saying BlackMatter’s comments were “remarkable” in that they provided rare insight into the group’s state of mind and approach to ransomware.
“The proof is in the pudding,” Neuberger also acknowledged, noting that it remains to be seen whether the comments from a single, anonymous representative of the ransomware group mark a substantive shift in behavior from criminal cyber actors or the Russian government.
Neuberger also revealed on Wednesday that the administration initially believed banning ransom payments was the right approach to stemming such attacks, but input from the private sector and a ransomware task force made clear that such a move would only drive activity underground, thus making it more difficult to disrupt.
Banning ransom payments also fails to address the root causes of the problem, she explained, adding that changing the perception of foreign governments and these criminal actors is critical to the broader ransomware strategy.