Complex Made Simple

Darkside behind huge Colonial Pipeline and Toshiba ransomware attacks. Irish healthcare also hit

Three brazen ransomware attacks took place in the last few days, two from the same outfit known as DarkSide, while the identity of the third is, as of publishing, unknown

Colonial Pipeline reportedly paid the ransomware group close to $5 million to decrypt locked systems A Toshiba unit has become the latest victim of a DarkSide ransomware attack Ireland has shut down major IT systems running its national healthcare service following a ransomware attack

Three brazen ransomware attacks took place in the last few days, two from the same outfit known as DarkSide, while the identity of the third is, as of publishing, unknown.

The attacks targeted US gas pipelines company Colonial, tech company Toshiba and Irish healthcare system Health Service Executive.

Colonial Pipelines

Colonial Pipeline reportedly paid the ransomware group responsible for a cyberattack on May 7, 2021 close to $5 million to decrypt locked systems that has impacted the fuel giant’s systems for close to a week.

While pipelines are now back in business, it will be days before normal service resumes. 

Bloomberg said the payment was made to DarkSide malware operators in cryptocurrency in order to secure a decryption key and restore systems. 

DarkSide is a ransomware-as-a-service (RaaS) outfit that offers a ransomware variant to affiliates who sign up, and in return, partner groups give the malware’s developers a slice of any profits made through successful ransomware extortion attempts. 

DarkSide affiliates may also use double-extortion tactics, in which corporate files are also stolen during an attack. If a company refuses to pay up to decrypt their systems, they are then threatened with the public leak of stolen data. 

Bloomberg reported the hackers began their attack last Thursday by stealing about 100 gigabytes of data in a double extortion scheme that holds the data hostage and threatens to leak it. 

FireEye researchers say that DarkSide’s developers take a profit cut of 25% for ransom payments under $500,000, and this reduces to 10% for payments made over $5 million. 

According to Reuters, Colonial Pipeline has cyber insurance coverage of at least $15 million.

Darkside is believed to be based in Russia.  

The company shut some of its operations to prevent the malicious software from spreading.

Colonial services seven airports and operates in 14 states. Its system is the biggest in the US, covering more than 5,500 miles and carrying more than 100 million gallons of fuel per day.  

According to The New York Times, the 5,500-mile-long Colonial Pipeline is responsible for carrying 45% of the fuel for the Eastern US, including jet fuel and gas.

City governments around the country, including Baltimore’s and Atlanta’s, have been slammed by ransomware attacks. Hospitals have been shut down. US president Joe Biden’s administration stated priorities as improving American infrastructure, and cybersecurity. The large-scale Russian SolarWinds hack, disclosed in December 2020, was shown to have affected several federal government systems.  

Read: Acer’s $50 million ransomware demand will double to $100 million

Read: Ransomware gangs have eyes on the UAE, with more tricks up their sleeves

DarkSide issues an apology and quits

DarkSide has apologized for the “social consequences,” claiming that its goal is to make money, not cause societal problems.  

The group’s apology was posted to its dark website. It reads:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

The DarkSide ransomware affiliate program is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

Toshiba

A Toshiba unit has become the latest victim of a DarkSide ransomware attack. 

On May 14, 2021, Toshiba Tec Corp said it was struck by a cyberattack that has impacted some regions in Europe. 

The company manufactures products including barcode scanners, Point-of-Sale (PoS) systems, printers, and other electrical equipment. The unit’s French subsidiary appears to have been targeted.

After discovering the attack, Toshiba Tec shut down networks between Japan, Europe, and its subsidiaries to “prevent the spread of damage”.

The company did acknowledge that “it is possible that some information and data may have been leaked by a criminal gang.”

A leaked record claims that over 740GB of data was stolen from Toshiba. 

Ireland’s healthcare

Ireland has shut down most of the major IT systems running its national healthcare service, leaving doctors unable to access patient records and people unsure of whether they should show up for appointments, following a “very sophisticated” ransomware attack.

Some elements of the Irish health service remain operational, such as clinical systems and its COVID-19 vaccination program, which is powered by separate infrastructure. 

No group has yet claimed responsibility for the attack, but it is believed it involved “Conti, human-operated ransomware,” referring to the type of software used.  

“We are very clear we will not be paying any ransom,” Prime Minister Micheál Martin told reporters.

The HSE’s chief Anne O’Connor described the attack as “very sophisticated.” Officials said the gang exploited a previously unknown vulnerability, known as a ‘zero-day’ attack because the software maker has zero days’ notice to fix the hole.

Q1 ransomware stats

Coveware issued its Q1 2021 Ransomware Report on April 26, 2021, which concludes that “Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data.”

The Report states that the average ransom payment increased 43% from $154,108 in Q4 2020 to $220,000 in Q1 2021, and the median payment in Q1 2021 increased from $49,450 to $78,398, a 58% increase.  

Some 77% percent of all threats included the threat to leak exfiltrated data, which was an increase of 10% from Q4 2020. Sodinokibi continued to dominate the market share as a ransom type at 14.2%, followed by Conti V2, Lockbit, CloP, Egregor, Avaddon, Ryuk, Darkside, Suncrypt, Netwalker, and Phobos. Of these, Egregor has sunset its operations, and Netwalker was dismantled by law enforcement.