The latest on ransomware gangs and their strategies.
Welcome to Cyber Security Today. It’s Monday May 17th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Is the Darkside ransomware gang dead or temporarily going quiet? Has ransomware suddenly got a bad name among crooks? This is what many cybersecurity experts are wondering after Darkside said it had lost access to the public part of its blog, its payment server and its content delivery server. Not only that, Darkside is releasing its decryption keys so anyone hit by its ransomware can get their scrambled data back for free. In addition, cryptocurrency funds were taken by someone from the gang's payment server, which is where victims made ransom payments. This came after U.S. President Joe Biden urged Moscow to take action against the reportedly Russia-based group for its attack on the Colonial Pipeline in the U.S., and Biden promised the U.S. would disrupt the gang.
On top of this, one Russian cybercrime forum suddenly banned all discussion threads about ransomware, saying the topic is now toxic. And the REvil gang has been quoted as saying it will keep a closer eye on affiliate crooks who want to use its ransomware platform to make sure they stay away from attacking what it calls the social sector and governments.
Are ransomware gangs disbanding, afraid of aggressive law enforcement? Or is this smoke and mirrors? First of all, note that REvil is merely saying it's going to be more selective in targets. Apparently it thinks that will cool things off. As for Darkside, perhaps some of its money is gone, but the gang still has its expertise and source code. And many experts think Darkside is linked to REvil.
There's too much money in ransomware for security professionals to think these attacks are going away. Organizations that allow access to their corporate network through Windows Remote Desktop Protocol or a virtual private network need to ensure that access is tightly controlled. These are entry points recently favoured by attackers. And multifactor authentication must be added to deny access to attackers who only have a username and password.
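One practical way to check whether RDP access really is limited to the VPN is to audit the Windows Security log for RDP logons (event 4624, logon type 10) whose source address is outside the VPN address pool, and for repeated RDP logon failures (event 4625) from a single source, which is what a credential-stuffing or brute-force attempt looks like before MFA stops it. The script below is an added example written for this article, not code from the podcast or from any vendor mentioned in it. The event records are constructed sample data shaped like the fields of the Security log, and the VPN pool of 10.8.0.0/24 is an assumption; replace both with an export of your own logs and your own VPN ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows Security events (NOT real log data), reduced to the
# fields that matter. EventID 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive, i.e. an RDP session. "-" means no network address.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",      "IpAddress": "10.8.0.23"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",  "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "jsmith",      "IpAddress": "-"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith",      "IpAddress": "10.8.0.23"},
]
# Six failed RDP logons against the built-in administrator account from one public address.
SAMPLE_EVENTS += [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7"}
    for _ in range(6)
]

# Assumption: RDP is only supposed to be reachable over the corporate VPN, which hands
# out addresses from 10.8.0.0/24. Adjust to your own VPN pool(s).
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]

RDP_LOGON_TYPE = 10


def is_from_vpn(ip_text, pools=VPN_POOLS):
    """True if the address parses and falls inside one of the VPN pools.

    Non-addresses such as "-" (console/local logons) are treated as not-from-VPN,
    which is harmless because only network (RDP) logons are evaluated below.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in pool for pool in pools)


def rdp_logons_outside_vpn(events, pools=VPN_POOLS):
    """Successful RDP sessions that did not arrive through the VPN.

    Any hit here means RDP is reachable from somewhere it should not be,
    whether that is the open internet or an internal segment that bypasses the VPN.
    Returns (account, source address) pairs in log order.
    """
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["EventID"] == 4624
        and e["LogonType"] == RDP_LOGON_TYPE
        and not is_from_vpn(e["IpAddress"], pools)
    ]


def rdp_bruteforce_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed RDP logons.

    A single user mistyping a password does not reach the threshold; a password-guessing
    tool does. Returns a mapping of source address -> failure count.
    """
    failures = Counter(
        e["IpAddress"]
        for e in events
        if e["EventID"] == 4625 and e["LogonType"] == RDP_LOGON_TYPE
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for account, source in rdp_logons_outside_vpn(SAMPLE_EVENTS):
        print(f"RDP logon outside VPN: account={account} source={source}")
    for source, count in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"Possible RDP brute force: source={source} failures={count}")
```

On a real host the same records can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` and exported, or collected centrally by a SIEM; the two checks above are the questions to ask of that data. A non-VPN source on a successful RDP logon is the finding to act on first, since it shows the access control the paragraph calls for is not actually in place.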
Brett Callow, a British Columbia-based threat researcher for Emsisoft, told me why Darkside went dark isn't clear. There's no confirmation any law enforcement agency seized its sites and money. Callow suspects that Darkside simply got cold feet with the bad publicity of the Colonial Pipeline attack, and set up an exit scam so they don't have to split money owed to their partners in crime. Unfortunately, Callow adds, they'll likely be back under a different name.
He also notes a new posting from a ransomware gang called Babuk. It says it’s setting up a new platform where crooks who don’t have their own leak websites can post and sell data they have stolen from corporate victims. It’s another sign cybercrime isn’t going away.
More thoughts on the Colonial Pipeline attack: If, as the company says, the operational network overseeing the pipeline is separated from the IT side that was hit by ransomware, why did the company temporarily shut the pipeline? The New York Times quoted an expert saying that if Colonial had confidence the OT and IT networks were separated there was no reason to shut the pipeline. However, an analyst at the SANS Institute has a theory: The billing system of the pipeline company was affected by the attack. If Colonial couldn’t bill for transporting gas, then the pipeline couldn’t run.
There are many lessons to be learned from this attack – and we still don’t know how it started, or how long the attackers were in the Colonial network before the ransomware was launched.
Meanwhile Ireland's Health Service Executive continues trying to recover from a ransomware attack last week. It shut down its IT systems, affecting among other things medical systems needed for ordering tests. According to the Bleeping Computer news service, the Conti ransomware group is demanding $20 million for the return of 700 gigabytes of stolen data and for the decryption key. The gang alleges it was on the health service's network for more than two weeks copying patient and employee information. Ireland says no ransom will be paid.
That's it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That's where you'll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I'm Howard Solomon.