The ransomware threat is just getting started
Toshiba Corp is the latest company to be hit by a ransomware attack by DarkSide, the hacking group that took down Colonial Pipeline.
Toshiba's European unit, which makes point-of-sale systems and copiers, acknowledged it had been hacked and DarkSide has issued a statement claiming responsibility, Reuters reported on Friday.
The Colonial Pipeline attack forced the 5,500-mile pipeline to shut down for several days and threatened to disrupt domestic fuel supply for a week. The company reportedly paid nearly $5 million to allow it to reopen.
Alex Stamos, director of the Stanford Internet Observatory and a former Facebook CSO, said DarkSide was most likely targeting the company's IT back-end rather than its pipeline operations.
Instead, it had unintentionally forced the pipeline closure and almost certainly brought itself to the attention of the US security services. "They're like the dog that caught the car," Stamos commented.
DarkSide issued a statement on its dark website that it had no political ambitions. "Our goal is to make money, and not creating problems for society," they said, according to the Krebs On Security blog.
If it seems odd that a hacker gang is putting out press releases like an ordinary company, it reflects the reality that it's a part of a shadow corporate underworld. It has also published a mission statement in which its members declare they won't attack hospitals, schools or non-profits.
Like any startup, they express pride in their work: "We created DarkSide because we didn't find the perfect product for us. Now we have it." DarkSide sits at the center of a rich ecosystem of cybercriminals with every kind of capability – from DDoS tools and webinject kits to social media and cryptocurrency expertise.
It's almost certainly Russian-based, and while there's no evidence of any links to the government, there's also no sign the Kremlin is willing to shut it down. Even if it were put out of business there are plenty of other bad actors to take its place.
In this ecosystem, DarkSide is a ransomware-as-a-service platform that some have likened to Uber. On one side it sells tools that enable cybercriminals to go after target companies; on the other side it carries out negotiations and payments with victims.
It extorts the victim companies in two ways: it demands one payment for a digital key to decrypt data, and another in exchange for a promise to destroy all stolen files.
Online ransom isn't new. What is new is the scale and sophistication. Groups like DarkSide and their collaborators are what are termed big-game hunters (BGH), going after deep-pocketed corporations with increasing frequency.
Cybersecurity firm CrowdStrike says the first BGH was identified in 2016. Last year it identified "at least 1,377 unique BGH infections."
As a result, it said: "A tectonic shift toward big game hunting has been felt across the entire eCrime ecosystem. Ransom payments and data extortion became the most popular avenues for monetization in 2020. The eCrime ecosystem remains vast and interconnected, with many criminal enterprises existing to support big game hunting operations."
The growing success of these ransomware attacks means they are only going to escalate until governments and law enforcement figure out a way of tracking, arresting and punishing the perpetrators.
That should give every CEO something to think about.
— Robert Clark, contributing editor, special to Light Reading