A flurry of cyberattacks in a few countries has once again brought to the fore the need for unabated and concerted global efforts to thwart the ‘ransomware heroes.’
The first incident was a major, week-long cyberattack on Colonial Pipeline in the US that crippled gas delivery systems in Southeastern states.
Colonial restarted operations last Wednesday afternoon but said the delivery schedule would not return to normal for several days. The firm reportedly paid a $5mn ransom.
The attack was perpetrated by the hacker group DarkSide, a relatively new group, but considered dangerous by cybersecurity analysts.
The group claimed on Wednesday to have attacked three more companies, despite the global outcry over its attack on Colonial.
The next victim was Ireland’s health service, which shut down its computer systems on Friday after being hit with a “sophisticated” ransomware attack.
Toshiba Tec, a division of Japanese tech conglomerate Toshiba, said its European business was the victim of such a hack on May 4.
The company also blamed DarkSide.
Ransomware is a type of malicious software that’s designed to block access to a computer system.
Hackers demand a ransom payment – typically cryptocurrency – in return for restoring access.
In 2017, the UK’s National Health Service was one of many organisations hit by a malware known as WannaCry.
According to Boston-based Cybereason, DarkSide is an organised group of hackers set up along the “ransomware as a service” business model, meaning the DarkSide hackers develop and market ransomware hacking tools, and sell them to other criminals who then carry out attacks.
Cybereason found that the group is highly professional, offering a help desk and a call-in phone number for victims, and has already published confidential data on more than 40 victims.
It maintains a website called “DarkSide Leaks”, modelled on WikiLeaks, on which the hackers post the private data they have stolen from companies.
They conduct “double extortion,” which means the hackers not only encrypt and lock up the victim’s data, but they also steal data and threaten to make it public on the DarkSide Leaks site if companies don’t pay ransom.
Typical ransom demands range from $200,000 to $20mn, and Cybereason says the hackers gather detailed intelligence on their victims, learning the size and scope of the company as well as who the key decision-makers inside the firm are.
The anticlimax came last Friday, when the servers for DarkSide were taken down by unknown actors, as reported by US cybersecurity firm Recorded Future.
DarkSide had admitted in a web post that it had lost access to certain servers used for its web blog and for payments.
Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian-language comment on a ransomware website ostensibly from “Darksupp”, described as the operator of DarkSide. “A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers,” Darksupp wrote.
“The DarkSide operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims,” said Recorded Future.
While there was no evidence of who might have forced down DarkSide’s website, the Twitter account of a US military cyber warfare group, the 780th Military Intelligence Brigade, retweeted the Recorded Future report on Friday.
However, it is too early to think that cyber criminals such as DarkSide have learnt a lesson.