Toshiba Corp is the latest company to be hit by a ransomware attack by DarkSide, the hacking group that took down Colonial Pipeline.

Toshiba's European unit, which makes point-of-sale systems and copiers, acknowledged it had been hacked and DarkSide has issued a statement claiming responsibility, Reuters reported on Friday.

The Colonial Pipeline attack forced the 5,500-mile pipeline to shut down for several days and threatened to disrupt domestic fuel supply for a week. The company reportedly paid nearly $5 million to allow it to reopen.

Figure 1: Hold please: Being targeted by hackers in the modern world may feel more like dealing with big business.
(Source: Gerd Altmann from Pixabay)

Alex Stamos, director of the Stanford Internet Observatory and a former Facebook CSO, said most likely DarkSide was targeting the IT back-end rather than the company operations.

Instead it had unintentionally forced the pipeline closure and almost certainly brought themselves to the attention of the US security services. "They're like the dog that caught the car," Stamos commented.

Ransomware-as-a-service

DarkSide issued a statement on its dark website that it had no political ambitions. "Our goal is to make money, and not creating problems for society," they said, according to the Krebs On Security blog.

If it seems odd that a hacker gang is putting out press releases like an ordinary company, it reflects the reality that it's a part of a shadow corporate underworld. It has also published a mission statement in which its members declare they won't attack hospitals, schools or non-profits.

Like any startup they express pride in their work: "We created DarkSide because we didn't find the perfect product for us. Now we have it." DarkSide sits in the center of a rich eco-system of cybercriminals with every kind of capability – from DDoS tools and webinject kits to social media and cryptocurrency expertise.

It's almost certainly Russian-based, and while there's no evidence of any links to the government, there's also no sign the Kremlin is willing to shut it down. Even if it were put out of business there are plenty of other bad actors to take its place.

In this ecosystem, DarkSide is a ransomware-as-a-service platform that some have likened to Uber. On one side it sells to tools that enable cybercriminals to go after target companies; on the other side it carries out negotiations and payments with victims.

It extorts the victim companies in two ways: it demands one payment for a digital key to decrypt data, and another in exchange for a promise to destroy all stolen files.

Leveling up

Online ransom isn't new. What is new is the scale and sophistication.Groups like DarkSide and their collaborators are what are termed big-game hunters (BGH) that are going after deep-pocketed corporations with increasing frequency.

Cybersecurity firm CrowdStrike says the first BGH was identified in 2016. Last year it identified "at least 1,377 unique BGH infections."

Want to know more about satellite? Check out our dedicated security channel here on
Light Reading.

As a result, it said: "A tectonic shift toward big game hunting has been felt across the entire eCrime ecosystem. Ransom payments and data extortion became the most popular avenues for monetization in 2020. The eCrime ecosystem remains vast and interconnected, with many criminal enterprises existing to support big game hunting operations."

The growing successes of these ransomware attacks mean they are only going to escalate until governments and law enforcement figure out a way of tracking and arresting and punishing them.

That should give every CEO something to think about.

Related posts:

— Robert Clark, contributing editor, special to Light Reading