Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DarkSide. Show all posts

Florida Circuit Court Targeted in Attack by ALPHV Ransomware Group

 

The ALPHV, also known as BlackCat, ransomware group has asserted responsibility for a recent assault on state courts in Northwest Florida, falling under the jurisdiction of the First Judicial Circuit. 

The attackers claim to have obtained sensitive information such as Social Security numbers and CVs of employees, including judges. It's a common tactic for ransomware groups to threaten the public release of stolen data as leverage for negotiations.

The presence of the Florida First Judicial Circuit's data leak page on ALPHV's website suggests that the court has either not engaged in talks with the ransomware group or has firmly refused to meet their demands. 

The breach occurred last week, prompting the Florida circuit court to announce an ongoing investigation into the cyberattack, which disrupted operations on October 2nd. A statement released by the court stated that this incident would have a significant impact on court operations across the Circuit, affecting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties for an extended period. 

The Circuit is prioritizing essential court proceedings but has decided to cancel and reschedule other proceedings, along with suspending related operations for several days starting from October 2, 2023.

In the midst of the investigation, judges in the affected counties have been in contact with litigants and attorneys regarding their regularly scheduled hearings. 

Additionally, the court authorities confirmed that all facilities are operating without any disruptions. As of now, the court has not independently verified the ransomware attack claims made by the ALPHV gang.

The ALPHV ransomware operation, originally known as DarkSide, emerged in November 2021 and is believed to be a rebranding of DarkSide/BlackMatter. 

This group gained international notoriety after the Colonial Pipeline breach, drawing the attention of law enforcement agencies worldwide. After a rebranding to BlackMatter in July 2021, their activities abruptly halted in November 2021 when authorities seized their servers and security firm Emsisoft developed a decryptor exploiting a ransomware vulnerability. 

This ransomware operation is known for consistently targeting global enterprises and continuously refining their tactics.

In a recent incident, an affiliate known as Scattered Spider claimed responsibility for an attack on MGM Resorts, asserting to have encrypted over 100 ESXi hypervisors after the company declined ransom negotiations following the shutdown of internal infrastructure. 

As reported by BleepingComputer, ALPHV's ransomware attack on MGM Resorts resulted in losses of approximately $100 million, as well as the theft of its customers' personal information. The FBI issued a warning in April, highlighting the group's involvement in successful breaches of over 60 entities worldwide between November 2021 and March 2022.

Constellation Software Cyberattack Claimed by ALPHV

 


According to the ALPHV/BlackCat ransomware group's claims, Constellation Software's network was compromised as a result of a cyberattack, it was also mentioned in the recent posting on the ransomware gang's leak site. Essen Medical Associates, as well as a Canadian software company, were victimized by the ransomware gang. 

A statement by Constellation Software Inc., a Toronto-based company, revealed that on Wednesday, it had been affected by a cyber-security incident that affected only one of its IT infrastructure systems. 

As a result, some limited personal information was affected by this incident. Additionally, Constellation's businesses also impacted a limited number of business partners. Rather than directly contacting these individuals or business partners, Constellation's operating groups and businesses will now contact them.  

Those who had their data compromised and those who have business associates in the affected area have also been contacted for further information. 

A small number of individuals had their private information compromised in the incident. Some data belonged to a small number of business partners of various Constellation businesses that were potentially affected. 

The constellation software company is composed of six divisions dedicated to acquiring, managing, and growing software companies. These divisions are Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topics. 

As a Canadian company that employs over 25,000 people in North America, Europe, Australia, South America, and Africa, and generates $4 billion in revenue every year, Vanguard has a global presence. It has also acquired more than 500 companies in the software industry since 1995 and provides services to more than 125,000 customers in more than 100 countries. 

According to Constellation, the incident involved a small number of systems involved in internal financial reports and data storage related to them. There was a requirement for Constellation's operating groups and businesses to comply with this. There was no impact on the operations and businesses of Constellation's autonomous IT systems that were within its control. In addition, the company's business operations have not been adversely affected by the incident. 

Listed on ALPHV/BlackCat's leak site was the list of attachments the ransomware group had gathered from two data breaches that had been compromised. 

Following the Essen Medical Associates cyberattack, 24 attachments were breached as a result, although 25 attachments were breached following the Constellation Software cyberattack.   

Statement from the company regarding the cyberattack on Constellation Software 

As a result of the ALPHV/BlackCat leak site post released shortly after the announcement of the cyberattack, Constellation Software issued a press release confirming the attack. On April 3, a limited number of the company's IT systems were compromised due to a cyber incident reported by the company. 

It is understood that only a few business and operating groups within the organization utilize the organization's financial reporting and data storage systems. These groups provide internal financial reporting to the organization.   

Constellation's independent IT systems are not impacted by this incident in any shape or form, so it is not an issue with any of its operating groups or businesses. According to the press release issued, Constellation's business operations have not been impacted by the incident.   

ALPHV has already leaked some documents containing business information online to prove they were accessing and exfiltrating files from Constellation's network. This information can be found in the documents they leaked.  

In November 2021, the DarkSide/BlackMatter gang launched a ransomware operation that has been hacked to get the keys to the country. This was believed to be a rebranding of them. First becoming aware of the group as DarkSide, they attacked the Colonial Pipeline in 2012 and immediately found themselves in the crosshairs of international law enforcement. 

As a result of the servers being seized in November, they were forced to shut down operations one month later in July 2021. This was even though they rebranded themselves as BlackMatter one month later. The Emsisoft decryptor exploits a vulnerability in ransomware to exploit a weakness in the encryption algorithm.   

To demonstrate the access that ALPHV gained and the exfiltration of files from Constellation's network, ALPHV has already posted many documents online that contain business information about Constellation. 

A lot of people are currently aware of the ALPHV group as one of the biggest ransomware threats threatening corporations all around the globe. It was also named as the most likely attacker by the FBI in April, after they hacked over 60 companies between November 2021 and March 2022 as part of a ransomware operation. According to the FBI, ALPHV has "extensive networks and extensive experience with ransomware operations."

FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem

 

A thorough investigation of FIN7 has revealed the organisational structure of the cybercrime group as well as its function as an associate for launching ransomware assaults. Additionally, it has revealed deeper connections between the group and the larger threat ecosystem, which includes the now-defunct DarkSide, REvil, and LockBit families of ransomware. 

The extremely active threat group Carbanak is known for using a wide range of instruments and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to entice researchers into performing ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses being based in the United States. Other notable nations include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's invasion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the exploitation of stolen credentials obtained from dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly been seen using a number of Microsoft Exchange security weaknesses, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, as weapons to infiltrate target environments. Even in situations where the victim has previously paid a ransom, the organization has launched operations that have installed SSH backdoors on the compromised systems. This is despite the use of double extortion tactics.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenues, dates of founding, and the number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of the various intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.
The remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot are likewise intended to be loaded using these infection sequences. IceBot was initially identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools created and provided by FIN7 include the Cobalt Strike post-exploitation tool and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing online applications.

Another example of how criminal organizations behave like legitimate businesses is FIN7, which has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, all of which have specific tasks to do.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Hack 'Sabbath': Evasive New Ransomware Discovered

 

Due to its small size and unique approaches, a small yet strong ransomware group has been executing attacks largely undiscovered. 

According to Mandiant, the operation, named UNC2190 or "Sabbath," began in September and started attacks in October. Since then, the gang claims to have infected several firms and has threatened to reveal the stolen data if their ransom demand is not met. 

As per a Mandiant blog post, the Sabbath ransomware group has attacked and extorted at least one school system in the United States. Sabbath, like other ransomware operations, is thought to depend heavily on the ransomware-as-a-service model, in which the operators engage individual "affiliate" hackers to execute the on-the-ground labour of infiltrating networks and installing the ransomware.

One of the risks posed by the Sabbath ransomware operation is that the group has managed to avoid detection owing to a number of variables. To begin, the organisation has altered its tools, including the including the Cobalt Strike Beacon remote control tool, to avoid detection. The scale of the operation in comparison to other ransomware brands also helped keep the operations under the radar. 

Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. Both are believed to be managed by the same UNC2190 group. However, unlike larger, more well-known ransomware groups, UNC2190's transition from Arcane to Sabbath was not quickly noticed. 

While it's not uncommon for huge ransomware gangs to rebrand their activities, Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that a tiny, relatively unknown team like Arcane doesn't generally alter its brand. 

McLellan explained, "We've seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great. In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members." 

Sabbath may have some influence over the ransomware scene, even if it is not as large as DarkSide or Babuk. As per McLellan, some of Sabbath's approaches, notably their use of several customised malware payloads, might be exploited by other ransomware crews attempting to avoid detection by security providers and law authorities. 

"As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion," McLellan added.

Russian Organizations Targeted By Outdated Threat Actors

 

Currently, European and American organizations top the list in ransomware from Russian state sponsored hackers, however, organizations from these countries are not ready for managing file encryption and double extortion problems on their own. Threat actors troubling CIS and Russian based companies are generally LockBit, REvil, DarkSide and many more criminal groups that target high profile victims with critical infrastructure cyberattacks. According to Kaspersky's report on first half of 2021, the Commonwealth of Independent States (CIS) was also targeted by threat actors which attack Russian organizations monthly, meanwhile no such attacks are reported. 

These groups, under unnoticed subcategory of ransomware actors are generally less sophisticated, and mostly use leaked malware or outdated strains, and build their own hacking access instead of buying access to the victims. Some of these famous ransomware families that were used earlier this year against the Russian targets are as followed: XMRLocker, Thanos/Hakbit, Limbozar/VoidCrypt, Fonix/XINOF, CryptConsole, Cryakl/CryLock, Phobos/Eking, Crysis/Dharma, /BigBobRoss. The most effective older strains include Phobos and Dharma. 

Phobos first surfaced in 2017 and reached its final stage in 2020. The threat actors had unauthorised RDP access as the main entry point. It consists of a C++/C malware having similar contextual technicalities to Dharma strain, but has no relation. Dharma came out in the open in 2016 by the name of Crysis, even though outdated, it has one of the most effective encryption schemes. Like Phobos, Dharma has similar unauthorised RDP access following brute-force of credentials and manual planting of malware. 

As per Kaspersky, such attacks come and go, however, they can't be left unnoticed. Kaspersky says these strains are still under development, with threat actors constantly making their strains effective, therefore, they are not without firepower. "Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN," reports Bleeping Computers.

Ransomware Groups Never Perish, They Reincarnate

 

It is no longer a matter of shock that ransomware attacks have surged over the past few years,  the technological advancements have proved to be a boon for them. Ransomware is indeed a malware type that encodes the files of the victim. The offender subsequently asks the victim to make payment in order to regain access to the encrypted information as he explains the directions to make payment and receive the decryption key. 

Several ransomware organizations are now in the phase of their third incarnation. In the cybercrime sphere, reinvention is a key survival technique. The earliest techniques include the fake death or retirement and then subsequently the invention of a new identity. A fundamental objective of such a ruse is to make researchers focus their attention temporarily elsewhere. 

The DarkSide, which collected a $5 million payment from the Colonial Pipeline earlier last year, is only one of the most intriguing and newest reinventions to see much of this crushed by the U.S. Department of Justice. Once someone noticed that their Internet servers had indeed been seized, DarkSide stated that it was collapsing. However, just over a couple of months later, BlackMatter was created, a new affiliate ransomware operation, and specialists immediately found out that BlackMatter was using the same unique form of encryption used by DarkSide. 

The downfall of DarkSide occurred closely with that of REvil, a long-term ransomware gang claiming more than 100 million dollars from victims. Kaseya, a Miami-based corporation, was REvil's last major victim. This exploit allowed REvil to disseminate ransomware to as many as 1500 Kaseya using organizations. REvil called upon all victims of Kaseya's attack to pay a $70 million amount for decryption. 

REvil too is commonly regarded as a boost-up for GandCrab, a prominent ransomware group with over $2 billion in extortion for 12 months before it shut down in June 2019. 

The latest ransomware start-up "Grief" was only the current DoppelPaymer paintwork, which matched most of its code with a previous iteration named BitPaymer in 2016. All three were created by a renowned cybercriminal organization, known as TA505, 'Indrik Spider' and Evil Corp.

Mark Arena, CEO of cyber threat intelligence company Intel 471, stated that whether BlackMatter is a new name for the REvil group, or merely a rebirth of DarkSide, is uncertain. “Likely we will see them again unless they’ve been arrested,” Arena further added. 

Supply Chain Attack Conducted by Darkside Operator

 

Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware gang affiliate that has been distinguished as UNC2465. UNC2465 and other linked gangs identified by FireEye/Mandiant as UNC2628 and UNC2659 are regarded as one of the key affiliates of the DARKSIDE Group. 

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE general program (Mandiant Advantage background). Mandiant believes that although no ransomware has been discovered, membership groups that have performed DARKSIDE attacks could employ several ransomware affiliate programs and switch to each other at any time. 

Mandiant found that the installers were malicious at the commencement of June and informed the CCTV firm of a possible compromise on this website, making it possible for UNC2465 to substitute legitimate and Trojanised files.

Although Mandiant does not anticipate that many individuals have been affected, this strategy is reported to boost awareness. 

Software supply chain attacks can be very complex, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single infiltration of the software supply chain attack gives access to all businesses running the software of a victim company – in this situation, UNC2465 has modified the installer instead of the software itself.

Mandiant noted in mid-May 2021, that numerous threat players quoted a notice that the operators of the service seemed to share with the DARKSIDE RaaS members. That notification indicated that it had lost the access and would be closing its service to its infrastructure, including its blog, payment, and CDN servers. 

Since then, other underground members have claimed that they are unpaid DARKSIDE affiliates, and in certain cases privately gave forum admins with proof indicating their claims are legitimate. 

Mandiant consulting responded to an intrusion in June 2021; The first vector, which Mandiant found was a trojanized security camera PVR installer from a reputable website. As a result of ongoing infrastructure use and equipment use since October 2020, Mandiant has attributed the general intrusion to DARKSIDE affiliate UNC2465. 

On 18 May 2021, a person accessed the Trojanized link in the concerned organization and installed a ZIP. A chain of Downloads and Scripts was run when the software was installed which led to SMOKEDHAM and afterward NGROK on the computer of the victim. 

Further malware use like BEACON is also reported to have taken place. The trojan program was enabled in Mandiant's opinion between 18 May 2021, and 08 June 2021. 

Mandiant indicates that the majority of publicly identified victims of ransomware shaming websites have progressed steadily over the last month. Despite the recent restriction on posts concerning ransomware in underground forums, threat actors may still exploit private chats and links to find ransomware services.

Hacking Group DarkSide Attacks Colonial Pipeline With a Ransomware

Hacking group DarkSide, which was behind the recent ransomware attack on Colonial Pipeline, operates in a much common way than people assume. It works in a franchise manner, in a way that independent hackers would get to use ransomware software, along with the name of DarkSide, as the aim was to steal money from the victims, which are based in the US mostly. 

"Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries," says CNBC. Ransomware is a kind of harmful software that stops access to a computer when planted. In return for providing the access, hackers demand hefty ransom. 

Reports suggest that Colonial paid a sum of $5 million as a ransom to DarkSide. The business model upon which DarkSide operates, allows a hacker to carry out an attack without much computer knowledge, unlike earlier scenarios where it was much needed. It is because the hackers are provided readymade ransomware software from DarkSide. The hacker only has to perform a small task and the software takes care of the rest of it. As per the experts, DarkSide appears to be a new hacking group, but the experts know enough about it to get an idea about how dangerous it is. Experts say DarkSide provides a 'Ransomware as a service' business model. 

In simple terms, DarkSide hackers make ransomware tools and put them up in the market, where cybercriminals buy them and use them for their attacks. You may say it is an evil replica of silicon valley software startup. The FBI earlier this week confirmed that DarkSide was behind the Colonial Pipeline attack. CNBC says "DarkSide also maintains that it will donate a portion of its profits to charities, although some of the charities have turned down the contributions. Hackers continue to expand: Cybereason reports they recently released a new version of their malware: DarkSide 2.0."

Ex-SEC Enforcer: Crypto Investors are Enabling Hackers

 

The founder of the Securities and Exchange Commission's internet enforcement bureau warned Thursday that investors in bitcoin and other digital currencies are helping online hackers. 

“Ransomware is hitting everywhere and they’re all collecting it in bitcoin because there’s no way they’re going to get caught. So you’re also enabling it,” John Reed Stark, now head of his own cybersecurity firm told in an interview to CNBC. 

Stark stated cryptocurrencies have almost no practical use, in contrast trading them to the speculation that previously boosted AMC Entertainment and other meme stocks like GameStop to great heights. Cryptocurrencies also require registration and other procedures that would improve the visibility of U.S. capital markets, he added. 

“At least with GameStop and AMC you’re not necessarily hurting anyone. ... But with crypto, you are really hurting a lot of people, and that sort of risk I don’t think is a good one for society,” Stark said. 

He also called crypto the essence of ransomware, a type of malicious software that can disrupt and even block computer networks. 

Brazil's JBS, the world's largest meatpacker, has resumed most production after a weekend ransomware attack, the latest in a line of hacks. JBS blames hackers to have links with Russia.

In May, Colonial Pipeline, the largest US fuel pipeline, paid ransomware demands last month after its operations were shut down for nearly a week. The FBI estimates the attack on Colonial Pipeline was carried out by DarkSide, which is a Russian-linked group that demanded $5 million to restore service. DarkSide eventually shut down after receiving $90 million cryptocurrency payments and last year, roughly $406 million in crypto payments were made to cyberattackers. 

“The country is kind of falling apart from ransomware all because of crypto, and the main reason people own crypto is because they think someone else will buy it and make the price higher,” said Stark, who spent 18 years at the SEC’s Enforcement Division. “There’s no other reason to invest in it,” he stated.

DarkSide Affiliates Claim Gang's Bitcoin Deposit

 

Multiple associates have protested about not being charged for past services since the DarkSide ransomware operation was shut down a week ago, and have filed a petition for bitcoins in escrow on a hacker forum. Escrow systems are popular in Russian-language cybercriminal cultures to prevent scams between sellers and buyers. The deposit is a direct message from ransomware operations that they mean business. 

DarkSide is a ransomware vulnerability that has been active since at least August 2020, when it was used in a cyberattack against the Colonial Pipeline in Georgia, causing a significant fuel supply disruption along the US East Coast. The malware is distributed as a service to various cybercriminals through an affiliate scheme and, like other well-known ransomware threats, uses double extortion, combining file encryption with data theft, and is installed on compromised networks through manual hacking techniques. 

DarkSide deposited 22 bitcoins on the famous hacker forum XSS to gain the confidence of potential partners and expand the operation. The wallet is administered by the site's administrator, who also serves as a guarantor for the gang and an arbitrator in the event of a dispute. 

Many analysts believe the group used an escape scam to retain the ransom money they received from their network of affiliates. DarkSide operators, on the other hand, claim to have halted operations as a result of US government pressure following the assault on the Colonial Pipeline. 

Last year, the REvil ransomware deposited $1 million in Bitcoin to a separate hacking website in order to recruit new members. This action demonstrated that they trusted the forum administrator with the money and that there was plenty to be made. 

Researchers discovered a series of allegations made by members of a hacking forum who claimed to have played various roles in the DarkSide ransomware gang's operations. Some associates assisted in the pentesting of threats or organizational breaches. According to Elliptic, a blockchain research company, the Darkside ransomware gang has received over $90 million in ransom payments from its victims since October 2020. 

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets.” reads the report published by the Elliptic. “According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.”

Toshiba Unit Hacked by DarkSide

 

The DarkSide criminal gang, which was also responsible for the assault on Colonial Pipeline, which triggered widespread gas shortages and panic buying across the Southeast, hacked a Toshiba business unit earlier this month. 

Toshiba Tec said in a statement that the cyberattack affected its European subsidiaries, and the company is investigating the extent of the damage. It stated that “some details and data could have been leaked by the criminal gang,” but it did not confirm that customer information was leaked. 

"There are around 30 groups within DarkSide that are attempting to hack companies all the time, and they succeeded this time with Toshiba," said Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions. During pandemic lockdowns, employees accessing company computer systems from home have made businesses more susceptible to cyber-attacks, he said. 

The assault seems to have been carried out by the Russian criminal group DarkSide, according to a company representative who spoke to Reuters. The attack happened on May 4, according to a spokesperson that confirmed the same to CNBC. According to the outlet, the hackers demanded a ransom, but the company refused to pay. Colonial Pipeline, on the other hand, is said to have paid a ransom of approximately $5 million within hours of the attack last week. 

The assault, which resulted in gas shortages and panic buying at US gas stations across the Southeast, likely drew more attention to DarkSide than it had hoped for, with President Biden promising to go after the group. 

According to screenshots of DarkSide's post given by the cybersecurity company, more than 740 gigabytes of data, including passports and other personal details, was compromised. On Friday, Reuters was unable to reach DarkSide's public-facing website. DarkSide's numerous websites, according to security researchers, have become inaccessible. 

Hackers encrypt data and demand payment in cryptocurrency to decrypt it, increasing the number and size of ransomware attacks. They are gradually releasing or threatening to release stolen data unless they are paid more. 

The attack software was distributed by DarkSide, according to investigators in the US Colonial case, which involves Russian speakers and avoids hacking targets in the former Soviet Union. DarkSide allows "affiliates" to hack into targets in other countries, and then manages the ransom and data release.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Colonial Hackers Stole Data on Thursday Ahead of Shutdown

 

The hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.

According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

The step was part of a double-extortion scheme that has become a trademark of the group. According to the reports, Colonial was told that the stolen data will be released to the Internet, although information encrypted by the hackers on machines within the network will stay locked until it paid a ransom. The company didn't immediately respond to requests to comment on the investigation. It said earlier that it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems". 

Colonial's decision on Friday to shut down the main pipeline that supplies the US East Coast with gasoline, diesel, and jet fuel, without specifying when it would reopen, indicates a risky new escalation in the battle against ransomware, which President Joe Biden's administration identified as a priority. 

It's unclear how much the attackers requested or whether Colonial has agreed to pay. In cryptocurrency, ransomware demands can vary from a few hundred dollars to millions of dollars. Many businesses compensate, with the help of their insurers. 

According to the Associated Press, AXA, one of ’s leading insurance firms, announced last week that it will break the trend and stop offering schemes in France that reimburse customers for payments made to ransomware hackers. In recent years, cyberattacks have disrupted the operations of other energy assets in the US. Last year, the Department of Homeland Security announced that an unnamed natural gas compressor facility was shut down for two days due to an attack. 

The theft of Colonial's records, combined with the installation of ransomware on the company's machines, demonstrates the power that hackers frequently hold over their victims in such situations. The investigation is being assisted by FireEye Inc's Mandiant digital forensics division, according to the company. 

Mr. Biden was briefed on the incident on Saturday morning, according to the White House.